WTFBins

  • SenseIR.exe


    Contributed By: Adam Ponce (@adamcysec)

    Microsoft Defender Advanced Threat Protection uses SenseIR.exe to launch PowerShell scripts, which then use the .NET method [System.IO.File]::Open() to read a second PowerShell script into memory for execution. The parameters of that second script are passed in as base64-encoded text.