Analysis Overview
SHA256
732551a1d5097426140ce31fae1be56a76a8e4e1fe7f3f8f881541fb75f0df0a
Threat Level: Likely benign
The file mtk.exe was found to be: Likely benign.
Malicious Activity Summary
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2023-10-24 18:43
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-24 18:43
Reported
2023-10-24 18:45
Platform
win7-20231020-en
Max time kernel
150s
Max time network
124s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1440 wrote to memory of 3016 | N/A | C:\Users\Admin\AppData\Local\Temp\mtk.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1440 wrote to memory of 1408 | N/A | C:\Users\Admin\AppData\Local\Temp\mtk.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\mtk.exe
"C:\Users\Admin\AppData\Local\Temp\mtk.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command "& 'C:\Windows\Temp\37b712b3-3f0d-4935-82e8-4bc99dc88402.ps1'"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "1408" "888"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
dw20.exe -x -s 864
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command "& 'C:\Windows\Temp\37b712b3-3f0d-4935-82e8-4bc99dc88402.ps1'"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command "& 'C:\Windows\Temp\37b712b3-3f0d-4935-82e8-4bc99dc88402.ps1'"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command "& 'C:\Windows\Temp\37b712b3-3f0d-4935-82e8-4bc99dc88402.ps1'"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command "& 'C:\Windows\Temp\37b712b3-3f0d-4935-82e8-4bc99dc88402.ps1'"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command "& 'C:\Windows\Temp\37b712b3-3f0d-4935-82e8-4bc99dc88402.ps1'"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command "& 'C:\Windows\Temp\37b712b3-3f0d-4935-82e8-4bc99dc88402.ps1'"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "672" "892"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "2492" "892"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "2304" "892"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "1056" "888"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "1356" "888"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "3024" "852"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command "& 'C:\Windows\Temp\37b712b3-3f0d-4935-82e8-4bc99dc88402.ps1'"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "2104" "888"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "432" "892"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command "& 'C:\Windows\Temp\37b712b3-3f0d-4935-82e8-4bc99dc88402.ps1'"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command "& 'C:\Windows\Temp\37b712b3-3f0d-4935-82e8-4bc99dc88402.ps1'"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "1920" "884"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "1164" "888"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "3040" "892"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command "& 'C:\Windows\Temp\37b712b3-3f0d-4935-82e8-4bc99dc88402.ps1'"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "436" "892"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "2028" "892"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command "& 'C:\Windows\Temp\37b712b3-3f0d-4935-82e8-4bc99dc88402.ps1'"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command "& 'C:\Windows\Temp\37b712b3-3f0d-4935-82e8-4bc99dc88402.ps1'"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command "& 'C:\Windows\Temp\37b712b3-3f0d-4935-82e8-4bc99dc88402.ps1'"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command "& 'C:\Windows\Temp\37b712b3-3f0d-4935-82e8-4bc99dc88402.ps1'"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command "& 'C:\Windows\Temp\37b712b3-3f0d-4935-82e8-4bc99dc88402.ps1'"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command "& 'C:\Windows\Temp\37b712b3-3f0d-4935-82e8-4bc99dc88402.ps1'"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command "& 'C:\Windows\Temp\37b712b3-3f0d-4935-82e8-4bc99dc88402.ps1'"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command "& 'C:\Windows\Temp\37b712b3-3f0d-4935-82e8-4bc99dc88402.ps1'"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command "& 'C:\Windows\Temp\37b712b3-3f0d-4935-82e8-4bc99dc88402.ps1'"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
dw20.exe -x -s 828
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command "& 'C:\Windows\Temp\37b712b3-3f0d-4935-82e8-4bc99dc88402.ps1'"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command "& 'C:\Windows\Temp\37b712b3-3f0d-4935-82e8-4bc99dc88402.ps1'"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command "& 'C:\Windows\Temp\37b712b3-3f0d-4935-82e8-4bc99dc88402.ps1'"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command "& 'C:\Windows\Temp\37b712b3-3f0d-4935-82e8-4bc99dc88402.ps1'"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command "& 'C:\Windows\Temp\37b712b3-3f0d-4935-82e8-4bc99dc88402.ps1'"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command "& 'C:\Windows\Temp\37b712b3-3f0d-4935-82e8-4bc99dc88402.ps1'"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command "& 'C:\Windows\Temp\37b712b3-3f0d-4935-82e8-4bc99dc88402.ps1'"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command "& 'C:\Windows\Temp\37b712b3-3f0d-4935-82e8-4bc99dc88402.ps1'"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command "& 'C:\Windows\Temp\37b712b3-3f0d-4935-82e8-4bc99dc88402.ps1'"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command "& 'C:\Windows\Temp\37b712b3-3f0d-4935-82e8-4bc99dc88402.ps1'"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command "& 'C:\Windows\Temp\37b712b3-3f0d-4935-82e8-4bc99dc88402.ps1'"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command "& 'C:\Windows\Temp\37b712b3-3f0d-4935-82e8-4bc99dc88402.ps1'"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command "& 'C:\Windows\Temp\37b712b3-3f0d-4935-82e8-4bc99dc88402.ps1'"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command "& 'C:\Windows\Temp\37b712b3-3f0d-4935-82e8-4bc99dc88402.ps1'"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command "& 'C:\Windows\Temp\37b712b3-3f0d-4935-82e8-4bc99dc88402.ps1'"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command "& 'C:\Windows\Temp\37b712b3-3f0d-4935-82e8-4bc99dc88402.ps1'"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
dw20.exe -x -s 832
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command "& 'C:\Windows\Temp\37b712b3-3f0d-4935-82e8-4bc99dc88402.ps1'"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "2328" "884"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command "& 'C:\Windows\Temp\37b712b3-3f0d-4935-82e8-4bc99dc88402.ps1'"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command "& 'C:\Windows\Temp\37b712b3-3f0d-4935-82e8-4bc99dc88402.ps1'"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command "& 'C:\Windows\Temp\37b712b3-3f0d-4935-82e8-4bc99dc88402.ps1'"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command "& 'C:\Windows\Temp\37b712b3-3f0d-4935-82e8-4bc99dc88402.ps1'"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command "& 'C:\Windows\Temp\37b712b3-3f0d-4935-82e8-4bc99dc88402.ps1'"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
dw20.exe -x -s 832
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command "& 'C:\Windows\Temp\37b712b3-3f0d-4935-82e8-4bc99dc88402.ps1'"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command "& 'C:\Windows\Temp\37b712b3-3f0d-4935-82e8-4bc99dc88402.ps1'"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command "& 'C:\Windows\Temp\37b712b3-3f0d-4935-82e8-4bc99dc88402.ps1'"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command "& 'C:\Windows\Temp\37b712b3-3f0d-4935-82e8-4bc99dc88402.ps1'"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command "& 'C:\Windows\Temp\37b712b3-3f0d-4935-82e8-4bc99dc88402.ps1'"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command "& 'C:\Windows\Temp\37b712b3-3f0d-4935-82e8-4bc99dc88402.ps1'"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command "& 'C:\Windows\Temp\37b712b3-3f0d-4935-82e8-4bc99dc88402.ps1'"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command "& 'C:\Windows\Temp\37b712b3-3f0d-4935-82e8-4bc99dc88402.ps1'"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command "& 'C:\Windows\Temp\37b712b3-3f0d-4935-82e8-4bc99dc88402.ps1'"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command "& 'C:\Windows\Temp\37b712b3-3f0d-4935-82e8-4bc99dc88402.ps1'"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command "& 'C:\Windows\Temp\37b712b3-3f0d-4935-82e8-4bc99dc88402.ps1'"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command "& 'C:\Windows\Temp\37b712b3-3f0d-4935-82e8-4bc99dc88402.ps1'"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command "& 'C:\Windows\Temp\37b712b3-3f0d-4935-82e8-4bc99dc88402.ps1'"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command "& 'C:\Windows\Temp\37b712b3-3f0d-4935-82e8-4bc99dc88402.ps1'"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "3328" "832"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command "& 'C:\Windows\Temp\37b712b3-3f0d-4935-82e8-4bc99dc88402.ps1'"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "2528" "836"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "3548" "876"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command "& 'C:\Windows\Temp\37b712b3-3f0d-4935-82e8-4bc99dc88402.ps1'"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "1556" "884"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command "& 'C:\Windows\Temp\37b712b3-3f0d-4935-82e8-4bc99dc88402.ps1'"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "4048" "836"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "3160" "896"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "688" "852"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "2928" "832"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "1580" "892"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command "& 'C:\Windows\Temp\37b712b3-3f0d-4935-82e8-4bc99dc88402.ps1'"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command "& 'C:\Windows\Temp\37b712b3-3f0d-4935-82e8-4bc99dc88402.ps1'"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "3956" "832"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "2912" "832"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "2924" "892"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "1764" "860"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "3648" "832"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "4012" "832"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "1744" "848"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "1944" "832"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "3424" "832"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "4092" "836"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "3884" "832"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "3368" "832"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "3852" "832"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "3480" "876"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "3452" "872"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "3324" "872"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "2136" "844"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "2628" "892"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "2976" "888"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "2832" "892"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "2748" "892"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "3680" "836"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "1996" "892"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "3896" "836"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "268" "832"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "3264" "892"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "3628" "836"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "3860" "836"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command "& 'C:\Windows\Temp\37b712b3-3f0d-4935-82e8-4bc99dc88402.ps1'"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "2120" "888"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command "& 'C:\Windows\Temp\37b712b3-3f0d-4935-82e8-4bc99dc88402.ps1'"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "3776" "832"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "3844" "836"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "3500" "872"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "2668" "884"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "3584" "892"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "3140" "892"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "2100" "888"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "4068" "836"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "4764" "836"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "4972" "832"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "1068" "832"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "4196" "836"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "1676" "836"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "3280" "840"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "4824" "832"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "4124" "836"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "4672" "836"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "2160" "832"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "4156" "832"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "5100" "832"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "4740" "832"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "3348" "892"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "4516" "832"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "612" "832"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
dw20.exe -x -s 832
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "1964" "836"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "4116" "836"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "4268" "836"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "5400" "876"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "3224" "892"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "2824" "892"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "1504" "892"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "1500" "888"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "4920" "872"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "2168" "892"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "1476" "872"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "332" "892"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "852" "876"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "5532" "872"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "2464" "888"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "2460" "888"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "4584" "872"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "3520" "892"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "2840" "888"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "4476" "872"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "4236" "876"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "3668" "892"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "3712" "872"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "4308" "876"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "3800" "892"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
dw20.exe -x -s 848
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
dw20.exe -x -s 860
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "4872" "876"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "4212" "876"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "5472" "876"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
dw20.exe -x -s 836
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "3988" "872"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "1660" "884"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "5024" "872"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "1608" "872"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "4880" "872"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "3380" "872"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "2384" "872"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "5732" "948"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "5428" "872"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "5812" "884"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "4176" "872"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "4544" "872"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "4632" "888"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "4352" "872"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "4860" "868"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "4716" "872"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "4264" "872"
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
dw20.exe -x -s 844
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "4136" "856"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "4396" "880"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "2620" "876"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "3048" "880"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "1968" "876"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "2612" "896"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "4104" "392"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "6092" "880"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "2792" "884"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "1020" "884"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "2400" "884"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "5900" "880"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "5520" "884"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "4820" "884"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "2916" "888"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "6384" "884"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "6212" "808"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "2716" "852"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "1356" "900"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "4016" "892"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "832" "884"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "6608" "892"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "6960" "888"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "6804" "888"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "6832" "888"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "5504" "880"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "2616" "876"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "6328" "888"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "2492" "888"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "6316" "892"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "6872" "892"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "7288" "884"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "7252" "888"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "5876" "880"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "6136" "892"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "8140" "880"
C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "7804" "880"
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\9WPDPYY39J3ZPLW578WR.temp
| MD5 | 6b9b50dc61c572fc26d32e405f82e928 |
| SHA1 | 3a241ba47eac000afddd0455760e8e856418719b |
| SHA256 | f9c57277fe26ce4395bf0d062b9fbef1779e82ac7b6f3391f76300e94d49dcd7 |
| SHA512 | 66c0a21e3ca027108d5cfe1617841df7739322b622caa17f33a8c98824f5c1102980ecd2dbb48028332e17816de63ab7176664e3148318c823e86484556a75d5 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 6b9b50dc61c572fc26d32e405f82e928 |
| SHA1 | 3a241ba47eac000afddd0455760e8e856418719b |
| SHA256 | f9c57277fe26ce4395bf0d062b9fbef1779e82ac7b6f3391f76300e94d49dcd7 |
| SHA512 | 66c0a21e3ca027108d5cfe1617841df7739322b622caa17f33a8c98824f5c1102980ecd2dbb48028332e17816de63ab7176664e3148318c823e86484556a75d5 |
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259407515.txt
| MD5 | 96447c9ce6b8fb8f1aacf57164c0a07b |
| SHA1 | b94dbe66eb9175b8c20496319c7c1508c8909ddd |
| SHA256 | 449c9f5e04397a2d45859a87a818de0cae724e94f944b4bcd6bda98cfe727f27 |
| SHA512 | 1a99d470d0079d38e82e3d81641f5d2e075b6c756096a30f28ffb826964f5ec6ffe1aab029f73a7cd92943d17901cd4ebf7bf6ed4879c493bd2c8ae6ff120582 |
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259403987.txt
| MD5 | dd7c2d631fd4258ca2704df759d1efb9 |
| SHA1 | bf6d123ce7c157d2c3747ebdc8213fdc6db14a46 |
| SHA256 | e94bf3cd93cdfb52cdcd7b2a148f246e07a58e45d35841e15d8dfe35cd263ebd |
| SHA512 | 580fcaf5fe716fe31a5a0d887ba48cdcbc3b87c50fcec623c1bb8bd0e4905f38e4accca38e03bf2bd55961dcf2b95219f3d2bc761e92c6297ab27042fcdbce23 |
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259407622.txt
| MD5 | 6d476c425606dff77bb1a93573fbe308 |
| SHA1 | e08c914e3ff420189aeea4350cfaf57390279676 |
| SHA256 | 277f9e3bb43c82ff6c47be9d84b1fd1caa0855f9c73bc619949c34799c409a77 |
| SHA512 | ffaf370dc96df23fc168f448ac835eaf921689c2fd3ed8593f7986744471a87e7b38e8b7821460bddeff77cb0e666d0b666be35ae86fdb06786af8aef2811cf2 |
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259406900.txt
| MD5 | bafeed6a6773db308b776f687daa5b31 |
| SHA1 | 5360b00655e2ac9cf5e3b1c504184d2c77ca35aa |
| SHA256 | edb858320de97f5a0dc0cc1b20763a5a7ca3085f754d6467d98d8bfd1eb5571e |
| SHA512 | 4928987772f474fd7575bfde0cf6353fd4574d90d77c60306d90014833ef71fd137857cd537e3d7499928b2596ee1d4d7ccbcd90759a0ad81723962737f4f752 |
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259406942.txt
| MD5 | d1c31260958452efd4f3a1891d4f9f71 |
| SHA1 | e2b5b2f543b8be8a3ce7c28a6655418d1121fddc |
| SHA256 | 44e2d41147e6bcccb8ae3471c2bd83365723f45aa719d748239a2c0ecdbc4553 |
| SHA512 | f396566fbdbdaa8484d318fba3d9c6d7e3fb1f65154161d0af6ac626c04ab86f6412db99f502c3f0e84c2c55f6568bc0bc132f1540c3fc4fcf6a6fdb41017e58 |
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259410576.txt
| MD5 | 361862dfb4e153f088754c4ffb2528ce |
| SHA1 | 582383d9cf9cfb3a382d071c8a46356f3467922b |
| SHA256 | c300118d33dc35a661690605a6e420b9076a78d386ec07fdea5da2f79716a0fc |
| SHA512 | d26e25adcd419caff2f1ed65f2329117abf4af5b0234ef4c9deb56a0ea3417e5e38ed5ab21a064c04710ee426784952a7b7e2c6fe2ef9966a0dc0c3acdf3e714 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 6b9b50dc61c572fc26d32e405f82e928 |
| SHA1 | 3a241ba47eac000afddd0455760e8e856418719b |
| SHA256 | f9c57277fe26ce4395bf0d062b9fbef1779e82ac7b6f3391f76300e94d49dcd7 |
| SHA512 | 66c0a21e3ca027108d5cfe1617841df7739322b622caa17f33a8c98824f5c1102980ecd2dbb48028332e17816de63ab7176664e3148318c823e86484556a75d5 |
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259410164.txt
| MD5 | f8785dd7af18b654e0e2839dcbad5ba1 |
| SHA1 | 2458fafa0a0f69b5ed26dfe83eaf2a190564c624 |
| SHA256 | 6bb164604c05f56a051088f9b5c85e69b26ee7c5c0db94681e24bc2e0b23437c |
| SHA512 | d8cfa0326fa7fdf47c403f5d18f5ca04cffaabaeff3dfd82a313391f453d3ef651e5898a863d76979c4fd48a2a9103c49bd79d81c06789bc09e2ca458aa98c77 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 6b9b50dc61c572fc26d32e405f82e928 |
| SHA1 | 3a241ba47eac000afddd0455760e8e856418719b |
| SHA256 | f9c57277fe26ce4395bf0d062b9fbef1779e82ac7b6f3391f76300e94d49dcd7 |
| SHA512 | 66c0a21e3ca027108d5cfe1617841df7739322b622caa17f33a8c98824f5c1102980ecd2dbb48028332e17816de63ab7176664e3148318c823e86484556a75d5 |
memory/3040-166-0x0000000002550000-0x00000000025D0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259410124.txt
| MD5 | aa4193832dfd3a6d559cbb1700dc3e10 |
| SHA1 | 299b58cc7be12ecc0b79ade0de68c15e08460b9a |
| SHA256 | eaaf8637a5dbfdb843a73ac5e527eaa7d7e67040acfc76802bbb65d3948dbba5 |
| SHA512 | 74f479de63b445ddca0e18a099eda2f2c251b241e546217209b1f33f46a26d1c6f8f9f496183d3fb7c2b434597a1f0813617ad1d0a2096a34c51bad051d5397a |
memory/2764-156-0x000007FEF6090000-0x000007FEF6A2D000-memory.dmp
memory/3040-154-0x000007FEF6090000-0x000007FEF6A2D000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 6b9b50dc61c572fc26d32e405f82e928 |
| SHA1 | 3a241ba47eac000afddd0455760e8e856418719b |
| SHA256 | f9c57277fe26ce4395bf0d062b9fbef1779e82ac7b6f3391f76300e94d49dcd7 |
| SHA512 | 66c0a21e3ca027108d5cfe1617841df7739322b622caa17f33a8c98824f5c1102980ecd2dbb48028332e17816de63ab7176664e3148318c823e86484556a75d5 |
memory/2068-189-0x000007FEF6090000-0x000007FEF6A2D000-memory.dmp
memory/2000-230-0x0000000002A10000-0x0000000002A90000-memory.dmp
\??\PIPE\srvsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259413141.txt
| MD5 | c263d0488b29f2d65307933d5b796e0a |
| SHA1 | d41f5bea62feae209da239207b4aa5234460115d |
| SHA256 | 4d55556fcf99a057ccf5e260af0442bd08c4fb120641d6638c7b4436883cfaaf |
| SHA512 | 73a4bcc10ce8d00b822846505c6af79a6489729df8599f5d399ce01bb988b62e550a8a732fec90686af4ebb0fa33d4f168962d6abf5cc6c6946edae5c09a4ff9 |
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259412426.txt
| MD5 | be4dd361d66e5a31f3f8ebb78c19218d |
| SHA1 | 7a32c72168809ba0b7766f7c05bd331010fc9c1c |
| SHA256 | 91018ef3108f98e823abc98ab66b91b4442f2f2430832e2ed1945d0f24edb942 |
| SHA512 | e538a4379591529eadcefc3792b6eac251136bede445810d2ba6c58fdcbb4c37408d7deb9b190de3d4019f93958c99414adc399d53375e34f26409595896801f |
memory/1052-254-0x0000000002A94000-0x0000000002A97000-memory.dmp
memory/436-253-0x00000000028B0000-0x0000000002930000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 6b9b50dc61c572fc26d32e405f82e928 |
| SHA1 | 3a241ba47eac000afddd0455760e8e856418719b |
| SHA256 | f9c57277fe26ce4395bf0d062b9fbef1779e82ac7b6f3391f76300e94d49dcd7 |
| SHA512 | 66c0a21e3ca027108d5cfe1617841df7739322b622caa17f33a8c98824f5c1102980ecd2dbb48028332e17816de63ab7176664e3148318c823e86484556a75d5 |
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259412137.txt
| MD5 | 4b3aa45a6972ebc84a11833eb037a9b2 |
| SHA1 | 7b486734d7a1089af4b0f9e844d0d3b2ddef6e24 |
| SHA256 | be11dab372487136e2a1760edd3f146328eed13d7c76c7ae46a38c1065b9eb99 |
| SHA512 | 5cfbe6c8c5c32e6399f57e0fb12b90078dd0f4de6ca938dfbb37ac91a70255597b8faf2a2757206417c28fded41af6d49335d1dff19d41ff7a00e77457cce396 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 6b9b50dc61c572fc26d32e405f82e928 |
| SHA1 | 3a241ba47eac000afddd0455760e8e856418719b |
| SHA256 | f9c57277fe26ce4395bf0d062b9fbef1779e82ac7b6f3391f76300e94d49dcd7 |
| SHA512 | 66c0a21e3ca027108d5cfe1617841df7739322b622caa17f33a8c98824f5c1102980ecd2dbb48028332e17816de63ab7176664e3148318c823e86484556a75d5 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 6b9b50dc61c572fc26d32e405f82e928 |
| SHA1 | 3a241ba47eac000afddd0455760e8e856418719b |
| SHA256 | f9c57277fe26ce4395bf0d062b9fbef1779e82ac7b6f3391f76300e94d49dcd7 |
| SHA512 | 66c0a21e3ca027108d5cfe1617841df7739322b622caa17f33a8c98824f5c1102980ecd2dbb48028332e17816de63ab7176664e3148318c823e86484556a75d5 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 6b9b50dc61c572fc26d32e405f82e928 |
| SHA1 | 3a241ba47eac000afddd0455760e8e856418719b |
| SHA256 | f9c57277fe26ce4395bf0d062b9fbef1779e82ac7b6f3391f76300e94d49dcd7 |
| SHA512 | 66c0a21e3ca027108d5cfe1617841df7739322b622caa17f33a8c98824f5c1102980ecd2dbb48028332e17816de63ab7176664e3148318c823e86484556a75d5 |
memory/1060-229-0x000007FEF6090000-0x000007FEF6A2D000-memory.dmp
memory/1052-225-0x000007FEF6090000-0x000007FEF6A2D000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 6b9b50dc61c572fc26d32e405f82e928 |
| SHA1 | 3a241ba47eac000afddd0455760e8e856418719b |
| SHA256 | f9c57277fe26ce4395bf0d062b9fbef1779e82ac7b6f3391f76300e94d49dcd7 |
| SHA512 | 66c0a21e3ca027108d5cfe1617841df7739322b622caa17f33a8c98824f5c1102980ecd2dbb48028332e17816de63ab7176664e3148318c823e86484556a75d5 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 6b9b50dc61c572fc26d32e405f82e928 |
| SHA1 | 3a241ba47eac000afddd0455760e8e856418719b |
| SHA256 | f9c57277fe26ce4395bf0d062b9fbef1779e82ac7b6f3391f76300e94d49dcd7 |
| SHA512 | 66c0a21e3ca027108d5cfe1617841df7739322b622caa17f33a8c98824f5c1102980ecd2dbb48028332e17816de63ab7176664e3148318c823e86484556a75d5 |
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259413016.txt
| MD5 | 9e7bab3d51319cacdf7f91a877529b4d |
| SHA1 | 6e059f2a97b999bde93018d52fd7cf50fb4fd2e7 |
| SHA256 | a24a4da1e790cdc1eba402d127dc8403c6b418d164b61cbabf9c9ebcc9483ac4 |
| SHA512 | 1f6c8e227aab5d3233277b0fb20c207ccb9fd94f3e79ae1fa1bcce3c2ee0e3ca7dea168f9bdcd50bbfdaac952e07543b73d69e6bf3d2001c23932b3df7412445 |
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259414517.txt
| MD5 | c7196bed31069af9d245f07f048b218f |
| SHA1 | edca0be9cdbafe24d3541b5c1e9f1411e6efce2e |
| SHA256 | 31eb03b6ba3212989bc7dfebb14c92657ec86a0aab88ddbb0128f16d41016b9d |
| SHA512 | f33474edc6f6d9af6691aa4fe98a69de306bbb94f4cf2d0ac6536a5889376ef4a934837800ca656e8558ad9c1985266fec29b3459658ab2089386f6e1b9dcf5b |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 6b9b50dc61c572fc26d32e405f82e928 |
| SHA1 | 3a241ba47eac000afddd0455760e8e856418719b |
| SHA256 | f9c57277fe26ce4395bf0d062b9fbef1779e82ac7b6f3391f76300e94d49dcd7 |
| SHA512 | 66c0a21e3ca027108d5cfe1617841df7739322b622caa17f33a8c98824f5c1102980ecd2dbb48028332e17816de63ab7176664e3148318c823e86484556a75d5 |
memory/2000-205-0x000007FEF6090000-0x000007FEF6A2D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259408936.txt
| MD5 | bab3fecd388ead9b539141b94ecc3f3a |
| SHA1 | b56fb3da333bfedf1fe226b4d719b59c1ca5b259 |
| SHA256 | 291200cd859876bc0ba4094f7ab3e7f1fa59268f4cf42c0745d1fdcc74fc4e4f |
| SHA512 | 55422ca567700727a7ea81b8ed2d9124df89e58625a8740110b8e465d69fbcd703c242be7c14bdb9bbe836790fa335885917153eab5a8f24d32d2e8174c00eeb |
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259413526.txt
| MD5 | 82147314524594136ab136b603c3d353 |
| SHA1 | a9465dd4bd0d13e1dcab39a72eca1ae9fa08adc7 |
| SHA256 | 4128b18b95bf3d68e3ec0131bf1c99a93c861dad14838482e0ee1e73286d53cf |
| SHA512 | 391ca1953970935843a1df1f1100bb01d4cfc077db24bbedf699e347fca86d1bbeacc5f063b358b6e4c3118758f770035f2e4e296c1d7bb97972fbb2f167e42a |
memory/1060-291-0x0000000002904000-0x0000000002907000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 6b9b50dc61c572fc26d32e405f82e928 |
| SHA1 | 3a241ba47eac000afddd0455760e8e856418719b |
| SHA256 | f9c57277fe26ce4395bf0d062b9fbef1779e82ac7b6f3391f76300e94d49dcd7 |
| SHA512 | 66c0a21e3ca027108d5cfe1617841df7739322b622caa17f33a8c98824f5c1102980ecd2dbb48028332e17816de63ab7176664e3148318c823e86484556a75d5 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 6b9b50dc61c572fc26d32e405f82e928 |
| SHA1 | 3a241ba47eac000afddd0455760e8e856418719b |
| SHA256 | f9c57277fe26ce4395bf0d062b9fbef1779e82ac7b6f3391f76300e94d49dcd7 |
| SHA512 | 66c0a21e3ca027108d5cfe1617841df7739322b622caa17f33a8c98824f5c1102980ecd2dbb48028332e17816de63ab7176664e3148318c823e86484556a75d5 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 6b9b50dc61c572fc26d32e405f82e928 |
| SHA1 | 3a241ba47eac000afddd0455760e8e856418719b |
| SHA256 | f9c57277fe26ce4395bf0d062b9fbef1779e82ac7b6f3391f76300e94d49dcd7 |
| SHA512 | 66c0a21e3ca027108d5cfe1617841df7739322b622caa17f33a8c98824f5c1102980ecd2dbb48028332e17816de63ab7176664e3148318c823e86484556a75d5 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 6b9b50dc61c572fc26d32e405f82e928 |
| SHA1 | 3a241ba47eac000afddd0455760e8e856418719b |
| SHA256 | f9c57277fe26ce4395bf0d062b9fbef1779e82ac7b6f3391f76300e94d49dcd7 |
| SHA512 | 66c0a21e3ca027108d5cfe1617841df7739322b622caa17f33a8c98824f5c1102980ecd2dbb48028332e17816de63ab7176664e3148318c823e86484556a75d5 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 6b9b50dc61c572fc26d32e405f82e928 |
| SHA1 | 3a241ba47eac000afddd0455760e8e856418719b |
| SHA256 | f9c57277fe26ce4395bf0d062b9fbef1779e82ac7b6f3391f76300e94d49dcd7 |
| SHA512 | 66c0a21e3ca027108d5cfe1617841df7739322b622caa17f33a8c98824f5c1102980ecd2dbb48028332e17816de63ab7176664e3148318c823e86484556a75d5 |
memory/2708-349-0x000007FEF6090000-0x000007FEF6A2D000-memory.dmp
memory/2708-352-0x0000000002524000-0x0000000002527000-memory.dmp
memory/896-328-0x000007FEF6090000-0x000007FEF6A2D000-memory.dmp
memory/1740-337-0x0000000002974000-0x0000000002977000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 6b9b50dc61c572fc26d32e405f82e928 |
| SHA1 | 3a241ba47eac000afddd0455760e8e856418719b |
| SHA256 | f9c57277fe26ce4395bf0d062b9fbef1779e82ac7b6f3391f76300e94d49dcd7 |
| SHA512 | 66c0a21e3ca027108d5cfe1617841df7739322b622caa17f33a8c98824f5c1102980ecd2dbb48028332e17816de63ab7176664e3148318c823e86484556a75d5 |
memory/1980-370-0x000007FEF6090000-0x000007FEF6A2D000-memory.dmp
memory/1472-369-0x000007FEF6090000-0x000007FEF6A2D000-memory.dmp
memory/1980-372-0x00000000029E4000-0x00000000029E7000-memory.dmp
memory/3008-377-0x0000000002834000-0x0000000002837000-memory.dmp
memory/1656-376-0x0000000002A64000-0x0000000002A67000-memory.dmp
memory/3008-373-0x000007FEF6090000-0x000007FEF6A2D000-memory.dmp
memory/1656-371-0x000007FEF6090000-0x000007FEF6A2D000-memory.dmp
memory/1740-327-0x000007FEF6090000-0x000007FEF6A2D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259423563.txt
| MD5 | ca87c77084a57aafdefcb41b0f48e484 |
| SHA1 | 7810105b8cae23751d05ca5e44f4b252ccac2731 |
| SHA256 | 0e5bd23c821006ac02a18b4116701b5f14c9de76080519a3844d159e8b66668d |
| SHA512 | 75529af3ccd39e2a68007d02d28c6ace23097315e81595e18647c7de1fb2cbbacf9208c52b93fa39f0870c830050ec012e51151b35af5f9dc3edd001b1bf54f8 |
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259413044.txt
| MD5 | 1134e7640695c0b3c1ff68fcfebc05af |
| SHA1 | 169a0001f7c654be0cd2715154340b6205e23f86 |
| SHA256 | 6c1450068b37ef98162d1c519dbe896d52b43cfd5791b714a8ae9d8d5ad49972 |
| SHA512 | 0c23feab23d82974130edc7bf789af73ad36fb8cc2a231692fb5586f3b48d8ee8d15b9a07ebe1e44a0ce82b03d954c3bf446d108c225faadec301d79d89aeb1d |
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259414344.txt
| MD5 | a8a2e23468867fffa83f641d69c53f9d |
| SHA1 | 089ff8f167fda1bc6ae4e11aa0f173d602e847ba |
| SHA256 | 28975cdbdc8994f07866dc9af3d095c7d268c8860c5180e6467f622290082ce8 |
| SHA512 | 166a14f5ab890085fdaf18700e5b1a07400b0c3cea80465f19f7516ba7371189e3f515f070e7a11048bed00f9b040d348dee8891b23bb02068bd5fbd147050ae |
C:\Users\Admin\AppData\Local\Temp\OutofProcReport259414553.txt
| MD5 | f2b67264fa4fdbb1b3a7ef9b2fc0fc07 |
| SHA1 | 41130ecffb42e03efd5108e883d655845a29fec4 |
| SHA256 | 94aa6d7b9e66aa937ad91ce17be51460bc55400103b78bd2925063fbdc16ed1d |
| SHA512 | 2e3295adaa505641724a5be4434e90a895718deda1f52b0facaaf4ab0b22de63f9477ae1a6f0181315ee747bd5c47f252a9e534f9e5144f611fb3ed7e0f44195 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 6b9b50dc61c572fc26d32e405f82e928 |
| SHA1 | 3a241ba47eac000afddd0455760e8e856418719b |
| SHA256 | f9c57277fe26ce4395bf0d062b9fbef1779e82ac7b6f3391f76300e94d49dcd7 |
| SHA512 | 66c0a21e3ca027108d5cfe1617841df7739322b622caa17f33a8c98824f5c1102980ecd2dbb48028332e17816de63ab7176664e3148318c823e86484556a75d5 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 6b9b50dc61c572fc26d32e405f82e928 |
| SHA1 | 3a241ba47eac000afddd0455760e8e856418719b |
| SHA256 | f9c57277fe26ce4395bf0d062b9fbef1779e82ac7b6f3391f76300e94d49dcd7 |
| SHA512 | 66c0a21e3ca027108d5cfe1617841df7739322b622caa17f33a8c98824f5c1102980ecd2dbb48028332e17816de63ab7176664e3148318c823e86484556a75d5 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 6b9b50dc61c572fc26d32e405f82e928 |
| SHA1 | 3a241ba47eac000afddd0455760e8e856418719b |
| SHA256 | f9c57277fe26ce4395bf0d062b9fbef1779e82ac7b6f3391f76300e94d49dcd7 |
| SHA512 | 66c0a21e3ca027108d5cfe1617841df7739322b622caa17f33a8c98824f5c1102980ecd2dbb48028332e17816de63ab7176664e3148318c823e86484556a75d5 |
memory/896-301-0x0000000002414000-0x0000000002417000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-10-24 18:43
Reported
2023-10-24 18:45
Platform
win10v2004-20231023-en
Max time kernel
138s
Max time network
155s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1324 wrote to memory of 4860 | N/A | C:\Users\Admin\AppData\Local\Temp\mtk.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\mtk.exe
"C:\Users\Admin\AppData\Local\Temp\mtk.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command "& 'C:\Windows\Temp\e5bb106e-62e0-428a-91e9-862ce788f47b.ps1'"
Network
Files