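(OriginalFileName:Cmd.Exe OR OriginalFileName:powershell_ise.EXE OR OriginalFileName:powershell.exe) AND Image:\\wermgr.exe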