nightingale | 3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
29-10-2024 19:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
Size

169KB
MD5

fc505b7730fbbdead6d352aba01d6a18
SHA1

aa28e00c57c2a9a8638c777bb90f1f1528d359bb
SHA256

3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4
SHA512

7a61ec10f25cd40fe7c596d4afc1adfdf8497a5595768891372de12f9a44b176ecaa59cd84046e46d1277d30701d1bc68e8f8ed3606bcc535967764a7c1ae14d
SSDEEP

3072:EkMXuXhNC38S7gzQ/cqD4UT6R27Xrcrc0D83SOYrbnBI5a36rERRQSIpiJrenYPG:ayzQ/4WXwrJn9rbnBbLRRQSIpiJrenYe

Score

10^/10

nightingale credential_access execution persistence spyware stealer

Malware Config

Extracted

Family

nightingale

https://api.telegram.org/bot6884699661:AAGPbkqESYn7iH7c6q7YuTlciwwO2tHQev0/sendDocument

Signatures

Nightingale family
nightingale
Nightingale stealer
Nightingale stealer is an information stealer written in C#.
stealer nightingale

Command and Scripting Interpreter: PowerShell 1 TTPs 40 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1968	powershell.exe
2420	powershell.exe
4624	powershell.exe
896	powershell.exe
3080	powershell.exe
4388	powershell.exe
2224	powershell.exe
4744	powershell.exe
1136	powershell.exe
380	powershell.exe
1892	powershell.exe
4628	powershell.exe
4212	powershell.exe
4004	powershell.exe
4848	powershell.exe
4840	powershell.exe
1636	powershell.exe
3928	powershell.exe
1976	powershell.exe
3128	powershell.exe
3528	powershell.exe
1400	powershell.exe
4700	powershell.exe
4580	powershell.exe
868	powershell.exe
216	powershell.exe
2600	powershell.exe
5084	powershell.exe
4696	powershell.exe
632	powershell.exe
1136	powershell.exe
2244	powershell.exe
736	powershell.exe
4412	powershell.exe
3916	powershell.exe
1292	powershell.exe
4428	powershell.exe
3056	powershell.exe
4728	powershell.exe
4444	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe"	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
7	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\ms-settings\shell	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\ms-settings\shell\open	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\ms-settings\shell\open\command\	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\ms-settings\shell\open\command	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\ms-settings	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4492	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
3528	powershell.exe
4744	powershell.exe
4744	powershell.exe
3528	powershell.exe
4492	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
4492	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
4492	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
4492	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
4492	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
4492	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
4492	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
4492	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
4492	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
4492	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
4492	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
4492	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
4492	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
4492	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
4492	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
4492	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
4492	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
4492	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
4492	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
4492	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
4492	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
4492	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
4492	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
4492	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
4492	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
4492	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
4492	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
4492	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
3080	powershell.exe
3080	powershell.exe
3080	powershell.exe
4492	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
736	powershell.exe
868	powershell.exe
736	powershell.exe
868	powershell.exe
868	powershell.exe
4492	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
4728	powershell.exe
4728	powershell.exe
4728	powershell.exe
4628	powershell.exe
4628	powershell.exe
4628	powershell.exe
4492	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
4388	powershell.exe
1636	powershell.exe
4388	powershell.exe
1636	powershell.exe
4492	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
4412	powershell.exe
1400	powershell.exe
4412	powershell.exe
4412	powershell.exe
1400	powershell.exe
1400	powershell.exe
4492	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
4700	powershell.exe
3128	powershell.exe

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeDebugPrivilege	4492	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
Token: SeDebugPrivilege	3528	powershell.exe
Token: SeDebugPrivilege	4744	powershell.exe
Token: SeDebugPrivilege	3080	powershell.exe
Token: SeDebugPrivilege	736	powershell.exe
Token: SeDebugPrivilege	868	powershell.exe
Token: SeDebugPrivilege	4728	powershell.exe
Token: SeDebugPrivilege	4628	powershell.exe
Token: SeDebugPrivilege	4388	powershell.exe
Token: SeDebugPrivilege	1636	powershell.exe
Token: SeDebugPrivilege	4412	powershell.exe
Token: SeDebugPrivilege	1400	powershell.exe
Token: SeDebugPrivilege	4700	powershell.exe
Token: SeDebugPrivilege	3128	powershell.exe
Token: SeDebugPrivilege	2224	powershell.exe
Token: SeDebugPrivilege	216	powershell.exe
Token: SeDebugPrivilege	4212	powershell.exe
Token: SeDebugPrivilege	1136	powershell.exe
Token: SeDebugPrivilege	4004	powershell.exe
Token: SeDebugPrivilege	4444	powershell.exe
Token: SeDebugPrivilege	3916	powershell.exe
Token: SeDebugPrivilege	1968	powershell.exe
Token: SeDebugPrivilege	5084	powershell.exe
Token: SeDebugPrivilege	2420	powershell.exe
Token: SeDebugPrivilege	4696	powershell.exe
Token: SeDebugPrivilege	3928	powershell.exe
Token: SeDebugPrivilege	632	powershell.exe
Token: SeDebugPrivilege	2600	powershell.exe
Token: SeDebugPrivilege	1892	powershell.exe
Token: SeDebugPrivilege	1976	powershell.exe
Token: SeDebugPrivilege	4624	powershell.exe
Token: SeDebugPrivilege	1292	powershell.exe
Token: SeDebugPrivilege	4428	powershell.exe
Token: SeDebugPrivilege	1136	powershell.exe
Token: SeDebugPrivilege	4848	powershell.exe
Token: SeDebugPrivilege	2244	powershell.exe
Token: SeDebugPrivilege	4840	powershell.exe
Token: SeDebugPrivilege	380	powershell.exe
Token: SeDebugPrivilege	4580	powershell.exe
Token: SeDebugPrivilege	896	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4492 wrote to memory of 3096	4492	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe	84
PID 4492 wrote to memory of 3096	4492	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe	84
PID 4492 wrote to memory of 736	4492	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe	86
PID 4492 wrote to memory of 736	4492	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe	86
PID 3096 wrote to memory of 4744	3096	cmd.exe	89
PID 3096 wrote to memory of 4744	3096	cmd.exe	89
PID 736 wrote to memory of 3528	736	cmd.exe	90
PID 736 wrote to memory of 3528	736	cmd.exe	90
PID 4492 wrote to memory of 4628	4492	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe	102
PID 4492 wrote to memory of 4628	4492	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe	102
PID 4492 wrote to memory of 1116	4492	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe	104
PID 4492 wrote to memory of 1116	4492	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe	104
PID 4628 wrote to memory of 3056	4628	cmd.exe	106
PID 4628 wrote to memory of 3056	4628	cmd.exe	106
PID 1116 wrote to memory of 3080	1116	cmd.exe	107
PID 1116 wrote to memory of 3080	1116	cmd.exe	107
PID 4492 wrote to memory of 1468	4492	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe	108
PID 4492 wrote to memory of 1468	4492	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe	108
PID 4492 wrote to memory of 2760	4492	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe	110
PID 4492 wrote to memory of 2760	4492	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe	110
PID 1468 wrote to memory of 736	1468	cmd.exe	112
PID 1468 wrote to memory of 736	1468	cmd.exe	112
PID 2760 wrote to memory of 868	2760	cmd.exe	113
PID 2760 wrote to memory of 868	2760	cmd.exe	113
PID 4492 wrote to memory of 4876	4492	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe	114
PID 4492 wrote to memory of 4876	4492	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe	114
PID 4492 wrote to memory of 2640	4492	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe	116
PID 4492 wrote to memory of 2640	4492	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe	116
PID 4876 wrote to memory of 4728	4876	cmd.exe	118
PID 4876 wrote to memory of 4728	4876	cmd.exe	118
PID 2640 wrote to memory of 4628	2640	cmd.exe	120
PID 2640 wrote to memory of 4628	2640	cmd.exe	120
PID 4492 wrote to memory of 2736	4492	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe	122
PID 4492 wrote to memory of 2736	4492	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe	122
PID 4492 wrote to memory of 1728	4492	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe	124
PID 4492 wrote to memory of 1728	4492	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe	124
PID 2736 wrote to memory of 1636	2736	cmd.exe	126
PID 2736 wrote to memory of 1636	2736	cmd.exe	126
PID 1728 wrote to memory of 4388	1728	cmd.exe	127
PID 1728 wrote to memory of 4388	1728	cmd.exe	127
PID 4492 wrote to memory of 4120	4492	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe	129
PID 4492 wrote to memory of 4120	4492	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe	129
PID 4492 wrote to memory of 3608	4492	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe	131
PID 4492 wrote to memory of 3608	4492	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe	131
PID 4120 wrote to memory of 4412	4120	cmd.exe	133
PID 4120 wrote to memory of 4412	4120	cmd.exe	133
PID 3608 wrote to memory of 1400	3608	cmd.exe	134
PID 3608 wrote to memory of 1400	3608	cmd.exe	134
PID 4492 wrote to memory of 1892	4492	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe	135
PID 4492 wrote to memory of 1892	4492	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe	135
PID 4492 wrote to memory of 2240	4492	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe	137
PID 4492 wrote to memory of 2240	4492	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe	137
PID 1892 wrote to memory of 4700	1892	cmd.exe	139
PID 1892 wrote to memory of 4700	1892	cmd.exe	139
PID 2240 wrote to memory of 3128	2240	cmd.exe	140
PID 2240 wrote to memory of 3128	2240	cmd.exe	140
PID 4492 wrote to memory of 2548	4492	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe	141
PID 4492 wrote to memory of 2548	4492	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe	141
PID 4492 wrote to memory of 4192	4492	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe	143
PID 4492 wrote to memory of 4192	4492	3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe	143
PID 2548 wrote to memory of 2224	2548	cmd.exe	145
PID 2548 wrote to memory of 2224	2548	cmd.exe	145
PID 4192 wrote to memory of 216	4192	cmd.exe	146
PID 4192 wrote to memory of 216	4192	cmd.exe	146

C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
"C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4492
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3096
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4744
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:736
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3528
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4628
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3056
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1116
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3080
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1468
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:736
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:868
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4876
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4728
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2640
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4628
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1636
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1728
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4388
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4120
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4412
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3608
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1400
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1892
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4700
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2240
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3128
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2548
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2224
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4192
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:216
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe & exit
  2⤵
  PID:3864
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:4212
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
  2⤵
  PID:2352
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1136
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe & exit
  2⤵
  PID:4628
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:4004
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
  2⤵
  PID:4584
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:4444
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe & exit
  2⤵
  PID:2388
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:3916
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
  2⤵
  PID:2736
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1968
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe & exit
  2⤵
  PID:1260
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:5084
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
  2⤵
  PID:3524
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2420
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe & exit
  2⤵
  PID:4836
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:4696
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
  2⤵
  PID:4700
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:3928
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe & exit
  2⤵
  PID:1064
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2600
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
  2⤵
  PID:1648
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:632
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe & exit
  2⤵
  PID:1276
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1892
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
  2⤵
  PID:1328
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1976
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe & exit
  2⤵
  PID:4504
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:4624
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
  2⤵
  PID:4396
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1292
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe & exit
  2⤵
  PID:1472
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:4428
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
  2⤵
  PID:1140
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1136
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe & exit
  2⤵
  PID:1468
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:4848
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
  2⤵
  PID:1696
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2244
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe & exit
  2⤵
  PID:3236
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:4840
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
  2⤵
  PID:4576
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:380
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe & exit
  2⤵
  PID:1260
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3cbfe1e9bba7469a3fd606dcf77b047570f4b9a37c02b055f2ab0416773424b4.exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:4580
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe & exit
  2⤵
  PID:1132
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionExtension .exe
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:896

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
d8b9a260789a22d72263ef3bb119108c

SHA1
376a9bd48726f422679f2cd65003442c0b6f6dd5

SHA256
d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc

SHA512
550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_25quuuh3.4xr.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/736-63-0x00000248F8610000-0x00000248F8658000-memory.dmp

Filesize
288KB

Download
memory/868-66-0x000002686BE70000-0x000002686BEB8000-memory.dmp

Filesize
288KB

Download
memory/3080-42-0x000001B9A8BB0000-0x000001B9A8BF8000-memory.dmp

Filesize
288KB

Download
memory/3528-8-0x00000205B3F50000-0x00000205B3F72000-memory.dmp

Filesize
136KB

Download
memory/4492-2-0x00007FFE4CDD0000-0x00007FFE4D891000-memory.dmp

Filesize
10.8MB

Download
memory/4492-1-0x000001DA1E650000-0x000001DA1E680000-memory.dmp

Filesize
192KB

Download
memory/4492-28-0x00007FFE4CDD3000-0x00007FFE4CDD5000-memory.dmp

Filesize
8KB

Download
memory/4492-29-0x00007FFE4CDD0000-0x00007FFE4D891000-memory.dmp

Filesize
10.8MB

Download
memory/4492-0-0x00007FFE4CDD3000-0x00007FFE4CDD5000-memory.dmp

Filesize
8KB

Download
memory/4628-90-0x00000234A2EB0000-0x00000234A2EF8000-memory.dmp

Filesize
288KB

Download
memory/4728-87-0x0000029B5CDF0000-0x0000029B5CE38000-memory.dmp

Filesize
288KB

Download