Malware Analysis Report

2025-08-05 17:33

Sample ID 221101-mqyzssbhej
Target afed5f5542d939ae14784a670319167d4a3e9d5a3d421443f7de8f473c42a74b
SHA256 afed5f5542d939ae14784a670319167d4a3e9d5a3d421443f7de8f473c42a74b
Tags
rat dcrat infostealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

afed5f5542d939ae14784a670319167d4a3e9d5a3d421443f7de8f473c42a74b

Threat Level: Known bad

The file afed5f5542d939ae14784a670319167d4a3e9d5a3d421443f7de8f473c42a74b was found to be: Known bad.

Malicious Activity Summary

rat dcrat infostealer

Dcrat family

DcRat

DCRat payload

Process spawned unexpected child process

DCRat payload

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

Drops file in Program Files directory

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-11-01 10:40

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Analysis: behavioral1

Detonation Overview

Submitted

2022-11-01 10:40

Reported

2022-11-01 10:43

Platform

win10-20220812-en

Max time kernel

139s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\afed5f5542d939ae14784a670319167d4a3e9d5a3d421443f7de8f473c42a74b.exe"

Signatures

DcRat

rat infostealer dcrat

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
(33 identical rows, one per schtasks.exe launch)

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
(15 identical rows)

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
N/A N/A C:\odt\services.exe N/A
(10 identical rows)

Legitimate hosting services abused for malware hosting/C2

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Windows Multimedia Platform\fontdrvhost.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\System.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\csrss.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\886983d96e3d3e C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\27d1bcfc3c54e0 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Windows Media Player\en-US\spoolsv.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Windows Media Player\en-US\f3b6ecef712a24 C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Windows Multimedia Platform\fontdrvhost.exe C:\providercommon\DllCommonsvc.exe N/A
File created C:\Program Files\Windows Multimedia Platform\5b884080fd4f94 C:\providercommon\DllCommonsvc.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
(33 identical rows, one per schtasks.exe launch)

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\afed5f5542d939ae14784a670319167d4a3e9d5a3d421443f7de8f473c42a74b.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings C:\providercommon\DllCommonsvc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000_Classes\Local Settings C:\odt\services.exe N/A
(9 identical rows)

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\providercommon\DllCommonsvc.exe N/A
(5 identical rows)
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
(48 identical rows)
N/A N/A C:\odt\services.exe N/A
(11 identical rows)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\providercommon\DllCommonsvc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4372 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\afed5f5542d939ae14784a670319167d4a3e9d5a3d421443f7de8f473c42a74b.exe C:\Windows\SysWOW64\WScript.exe
PID 1992 wrote to memory of 3044 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 3044 wrote to memory of 3148 N/A C:\Windows\SysWOW64\cmd.exe C:\providercommon\DllCommonsvc.exe
PID 3148 wrote to memory of 4176 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3148 wrote to memory of 2932 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3148 wrote to memory of 2296 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3148 wrote to memory of 848 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3148 wrote to memory of 2940 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3148 wrote to memory of 2684 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3148 wrote to memory of 1940 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3148 wrote to memory of 3952 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3148 wrote to memory of 3572 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3148 wrote to memory of 4068 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3148 wrote to memory of 4144 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3148 wrote to memory of 992 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3148 wrote to memory of 2592 N/A C:\providercommon\DllCommonsvc.exe C:\Windows\System32\cmd.exe
PID 2592 wrote to memory of 3736 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2592 wrote to memory of 4428 N/A C:\Windows\System32\cmd.exe C:\odt\services.exe
PID 4428 wrote to memory of 768 N/A C:\odt\services.exe C:\Windows\System32\cmd.exe
PID 768 wrote to memory of 3408 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 768 wrote to memory of 1828 N/A C:\Windows\System32\cmd.exe C:\odt\services.exe
PID 1828 wrote to memory of 5088 N/A C:\odt\services.exe C:\Windows\System32\cmd.exe
PID 5088 wrote to memory of 4756 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 5088 wrote to memory of 4028 N/A C:\Windows\System32\cmd.exe C:\odt\services.exe
PID 4028 wrote to memory of 2144 N/A C:\odt\services.exe C:\Windows\System32\cmd.exe
PID 2144 wrote to memory of 64 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2144 wrote to memory of 4224 N/A C:\Windows\System32\cmd.exe C:\odt\services.exe
PID 4224 wrote to memory of 3700 N/A C:\odt\services.exe C:\Windows\System32\cmd.exe
PID 3700 wrote to memory of 992 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 3700 wrote to memory of 2544 N/A C:\Windows\System32\cmd.exe C:\odt\services.exe
PID 2544 wrote to memory of 3556 N/A C:\odt\services.exe C:\Windows\System32\cmd.exe
(each parent/child pair was logged two or three times; one row per pair shown)

Processes

C:\Users\Admin\AppData\Local\Temp\afed5f5542d939ae14784a670319167d4a3e9d5a3d421443f7de8f473c42a74b.exe

"C:\Users\Admin\AppData\Local\Temp\afed5f5542d939ae14784a670319167d4a3e9d5a3d421443f7de8f473c42a74b.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "

C:\providercommon\DllCommonsvc.exe

"C:\providercommon\DllCommonsvc.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Multimedia Platform\fontdrvhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Windows Multimedia Platform\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Multimedia Platform\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\odt\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\odt\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\odt\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 11 /tr "'C:\providercommon\OfficeClickToRun.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\providercommon\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 14 /tr "'C:\providercommon\OfficeClickToRun.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\PrintHood\ShellExperienceHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "ShellExperienceHost" /sc ONLOGON /tr "'C:\Users\Admin\PrintHood\ShellExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "ShellExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\PrintHood\ShellExperienceHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\odt\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\odt\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\odt\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 14 /tr "'C:\providercommon\SearchUI.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\providercommon\SearchUI.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 11 /tr "'C:\providercommon\SearchUI.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\odt\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\odt\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\System.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Media Player\en-US\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\en-US\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Media Player\en-US\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\providercommon\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\services.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\OfficeClickToRun.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\PrintHood\ShellExperienceHost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\Idle.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\SearchUI.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\RuntimeBroker.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\en-US\spoolsv.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dllhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\System.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\csrss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Multimedia Platform\fontdrvhost.exe'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vn4jLRsnhP.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\odt\services.exe

"C:\odt\services.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HZWv28qLDz.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\odt\services.exe

"C:\odt\services.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qwBPskakqG.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\odt\services.exe

"C:\odt\services.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PX74P8KQcP.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\odt\services.exe

"C:\odt\services.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\r40S8pVzgD.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\odt\services.exe

"C:\odt\services.exe"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9dbjknkRRi.bat"

C:\odt\services.exe

"C:\odt\services.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tpXWVAFTZv.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\odt\services.exe

"C:\odt\services.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CZdmQsnKkU.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\odt\services.exe

"C:\odt\services.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gJVLZ7RDs3.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\odt\services.exe

"C:\odt\services.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Pbn0SniZDX.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\odt\services.exe

"C:\odt\services.exe"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OPH1A2PBmS.bat"

C:\odt\services.exe

"C:\odt\services.exe"

Network

Country  Destination            Domain                      Proto
US       8.8.8.8:53             raw.githubusercontent.com   udp
US       185.199.108.133:443    raw.githubusercontent.com   tcp
US       185.199.108.133:443    raw.githubusercontent.com   tcp
US       20.189.173.14:443                                  tcp
US       185.199.108.133:443    raw.githubusercontent.com   tcp
NL       95.101.78.82:80                                    tcp
US       185.199.108.133:443    raw.githubusercontent.com   tcp
US       185.199.108.133:443    raw.githubusercontent.com   tcp
US       185.199.108.133:443    raw.githubusercontent.com   tcp
US       185.199.108.133:443    raw.githubusercontent.com   tcp
US       185.199.108.133:443    raw.githubusercontent.com   tcp
US       185.199.108.133:443    raw.githubusercontent.com   tcp
US       185.199.108.133:443    raw.githubusercontent.com   tcp

Files

C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

MD5 8088241160261560a02c84025d107592
SHA1 083121f7027557570994c9fc211df61730455bb5
SHA256 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1
SHA512 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

C:\providercommon\1zu9dW.bat

MD5 6783c3ee07c7d151ceac57f1f9c8bed7
SHA1 17468f98f95bf504cc1f83c49e49a78526b3ea03
SHA256 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322
SHA512 c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

C:\providercommon\DllCommonsvc.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

C:\Users\Admin\AppData\Local\Temp\vn4jLRsnhP.bat

MD5 4926edb8ed0d3a089fc65d7b1605ff28
SHA1 c04c38dcf0c5f9ff07933169df2b21075686b4bf
SHA256 bd3d51816ddba3bd99f62ba04d189252ee505ee65efd54b055b46edd9d615748
SHA512 2f31ab3a80e0ec1e75856c1bb594a19f942e900993869d3b46696503b6bed6925241d4252431ba3e28c951ca3276c63ffb4d2048500372275de9965b31b9692c

C:\odt\services.exe

MD5 bd31e94b4143c4ce49c17d3af46bcad0
SHA1 f8c51ff3ff909531d9469d4ba1bbabae101853ff
SHA256 b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63
SHA512 f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 ad5cd538ca58cb28ede39c108acb5785
SHA1 1ae910026f3dbe90ed025e9e96ead2b5399be877
SHA256 c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033
SHA512 c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 9bd0836a87c8bbaf84daf3c5bf80bb06
SHA1 da5262f8741142f59bb46179959f1215b822ea77
SHA256 74618af81b11b9de67d4ca044171be70789a252663f000bd3a37c2bf835e385d
SHA512 d33426cfb8dacf848501fbf011d644cc9eaafae3cdc3b264b07120cfe9bb7dbce179aebd2837b43f6986ef243882f4d799803ecc88a9a146586d11a50b384988

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 ce0439191c9c9f05076833df33755c54
SHA1 8b17354831c6905c4b2f49b1904493991552338c
SHA256 f06bdf40868fcd08af4d52c932ba47f1a768cf6e0de3191f84edd838a28e5bbf
SHA512 48cfda97dce8bef6e2d6d6c752e4bd6f3876dc4d879564089db2842ade22ab84276389cccee6504cc347e8b08235f71b7e74dbc7743ac750debeb14028c0d167

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 86626ddde5cf0e7b5a34521531fa79d5
SHA1 0201ea4b74e6f636d8611f76b331ac943fd110a5
SHA256 f79288656cc4582c8f2e5c125b2bf644e4e5233efadf82645be8a761e81b6f9b
SHA512 ec6533f7221d28397654762d3a4b9f5a06c788047cec7a818831dfcfb2e61bb0b1ebd68a3130b9b2fb7b80bfbbde66ae1ba0b15d700a0ce2127dc2c1df647819

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 aab29239277b56bb1036457794112766
SHA1 44693e645f69cbdb999a586d681a450a3d4e66ab
SHA256 76eb5ef5589f510804669cdf81cb037dfe298cac99f890a7ee147c5c1f8ef8c1
SHA512 9e896217ef71805d66374e2abb1b42b087fb47f8125f0e64126e8b1c66f18bc860e18b04f8f021cc1bd2e8903318b2672199b058a75a20ae21ff527de29a7353

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 be2608aee4c8dfe7626666142cc35643
SHA1 b5e605d00ac9ac9f51317a6f97ffaf4e7d49565d
SHA256 5928f64a47234891ce8b9eeb9abccda6f9cc04a09ddee34d7c475f8c39f3e164
SHA512 6a39ccda01e60ca23b1c99da13175f5b9cdfaf4768625a80dd1d8f17cb80d77ad7ce9f4b2e07a0bd87283dae27f104b56237244350c8cdbff2a086d2468f5ab6

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6a7b0146514eff49e22022b99ce3cb4e
SHA1 f2d880c3fa6ff38e79581dd03948caab86cc86c3
SHA256 41b4d1a6405eb9156b0233a7a0fd775fd57d996a70d11605aef9f0d3c60abd1e
SHA512 6d2807b9de12f726701bbfb80a8cd83ddf2279b3c1bce6f25d0faff72baa4a67383c63faa778feea8cc3a65d33967634a8e83b9c2ec8a3ff729062fe90a94a9e

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e9cdd8c7201334fd30fa112022adbcfb
SHA1 dcf33b75476d2d3ff98509029b62946fdfcf74f8
SHA256 4e25700d9b3a9c17780645adeed2022afd6ebd8cfdf17374a5536ed73f38185b
SHA512 88b9542251499d7ffbf24e8ad3659704642e1cddc549f3cd435d01049bd6c21d3f5961338625b60c2fabf7e4c552611c1e5da6cee77f48bd52373fca09c875ea

C:\Users\Admin\AppData\Local\Temp\HZWv28qLDz.bat

MD5 a4859afaf94ca147f8a14730d355e95c
SHA1 6eef40ec5465db96d5513f093875e1a951fdc3b7
SHA256 e07aaa337ab63c9c4e806ae127a6e2006a2acce7ff886a815196ef887c5c00d2
SHA512 708ca153e45c97a72596f1f302d4864cf38300581122a4cfe6824af84c5635c2c39d47900f4877284872d51f3a45d1461a08198ddf1a8a986abb771a4c3203e1

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\services.exe.log

MD5 d63ff49d7c92016feb39812e4db10419
SHA1 2307d5e35ca9864ffefc93acf8573ea995ba189b
SHA256 375076241775962f3edc08a8c72832a00920b427a4f3332528d91d21e909fa12
SHA512 00f8c8d0336d6575b956876183199624d6f4d2056f2c0aa633a6f17c516f22ee648062d9bc419254d84c459323e9424f0da8aed9dd4e16c2926e5ba30e797d8a

C:\Users\Admin\AppData\Local\Temp\qwBPskakqG.bat

MD5 5acc65e7ba9f51625e59deee94c06c56
SHA1 61185dea71acc6af536644daaa1f7e2424ba02c5
SHA256 d21e6663fa02b570179cd45b42c938bacd85ee56d66777f07a4572ba81e4a36a
SHA512 4e6734a1ed948a834212b8b21a46930c5fd7d76f894625d8ad860fd43ac6c5db09f37e545368e75ad7b3a209bf4afacce6b39b8ecc7c059763193935ad517a82

C:\Users\Admin\AppData\Local\Temp\PX74P8KQcP.bat

MD5 58ce0bd09c60a0eead17d2d131ba9606
SHA1 954f214f23dfe9370f5130489b31821946e03bb4
SHA256 ecc3657b0fbcde753b17e685d8d19ace48ac026b7371ca68308937d8fc08a04e
SHA512 f56e72e284506870f4e5dce87274a7cb41571e29a2b55d0c0c66300407734769d56dde5277a292574b676739d6288449fc11f075c3b8ec19a1ffd88fd0f5fe76

C:\Users\Admin\AppData\Local\Temp\r40S8pVzgD.bat

MD5 d21ec4d0780985a26a490012d5e21316
SHA1 bd2970eba86844dc126a5520968c66eaaf95b7c3
SHA256 52903157b507a26a62709c86cdcf0e8d7b173ad002e363016eb4fb6abb1d3afa
SHA512 ca53c3427a4561b6158256afcfd45a6c73c340d3c6c50b2d6e38e3bec07e773ecb8f31af62fe92f23098905fe742ddee2a73a77cb080042ea0785b2d98303c06

C:\Users\Admin\AppData\Local\Temp\9dbjknkRRi.bat

MD5 bbd4d97f3eeb6ed4b237e02bddb245af
SHA1 edd6232f8714ca8dd12a9649d6786f3d7b68fc4e
SHA256 fab4ca6af500bb72cc0d3bcc44bbfed9719bc8f20041504785f9d7f3ff6f3488
SHA512 0891e8a8748064575bf13ea5d9a02e85a09f468572c328fb7b37551c17826bb57eb3efe482912029c30bd937128216afa3e014e04c5a22b539d64a3867abac94

C:\Users\Admin\AppData\Local\Temp\tpXWVAFTZv.bat

MD5 e3e9ee764b296cfa923d95ad51fbc65d
SHA1 f22a245488fb2ed7ccd2706dfc3c5385b39dfb3b
SHA256 da5237e50a21b6c4c39a4c2f3e73ecd908fa6d89f30e607459d8dcfd849f309f
SHA512 a3b2a37dd9f28c11ee583763dfd60d6c6e58bfd15549b4b068d300ef7bee6245c4a8e15bfdc22ed52113cdb4ef8a182c17c1d02ac962e27d50a2506735a6ce31

C:\Users\Admin\AppData\Local\Temp\CZdmQsnKkU.bat

MD5 084f45a36d703a2074f98cd5607ff4bf
SHA1 b2d3c120fe9f6c9ad0b36ae185eb09b243db3914
SHA256 fee39e3ffa9185edab91d7df564eb8c265d2a3bc63e1ad069fe53816ff521154
SHA512 a1b887f3c63a824140db5fb1436eec4b79c0967f85a676aec049164ca0533c801edb6a2950f4e5cd2ee8878004a420b40a80656eded6ebbc3947f381b55ab6ad

C:\Users\Admin\AppData\Local\Temp\gJVLZ7RDs3.bat

MD5 1082bd2b7ca8fd1e3c704c2534796b0b
SHA1 c74017d79c69648afaa98d0b27cf54b7e01f524e
SHA256 5d24e6dc2301545d7c227dbb130f041ea6970baff9298d7748a355774b285dd7
SHA512 0bce141cb09e2bc2f03b0e6c4f105ef0fccdc5d1f610967f8989a37e0064b5eb32cc02cdab199a59550b36e860225c0ab5b5fb42cd6e3bb20dce9b3964fd6979

C:\Users\Admin\AppData\Local\Temp\Pbn0SniZDX.bat

MD5 483290a74af0d433ba85881ec0fae278
SHA1 6fd6573b49696d43b81794fb7e1aff46beaa5b1f
SHA256 ef1d71fbfb78b585b004864034e8bee5b10137338480e3aec2c27cf1aff6afe4
SHA512 a187941b41ec9495d931cd54131fad192c7537120392ee7d19f674295f4101e69cf820f2d1f1ca847212c485856c9ebdd32d38beb7b98c3a8281c5f092702d54

C:\Users\Admin\AppData\Local\Temp\OPH1A2PBmS.bat

MD5 3657598d61bdfcb9d1e2db57c5f6fd48
SHA1 f8ef8b88f4b15ea5d1cb1609d94ff329049ccb24
SHA256 7fd2f04638d538990517a9c739332468d6195889a77ef0dc660bf29cc881f302
SHA512 95aee0084f493850e1b4a1d553e8bc8f5df06f6b113f59fb7f465ffd67ef992e6bd66525fb5715033fc8dea031985e031707487b9ac153d2300348441268fe07

C:\odt\services.exe

MD5 887fe6ed44d18d2e5e67d8b7e077faa5
SHA1 c52d0450b3a9034838c2a365d50f1b664b86c5bb
SHA256 0703dd0a856000ba62cfe5db142e920859f42aa245547b5b58bba2e80a5c5566
SHA512 e444d1df6ff80fe1d611d5dba9523c78746d09ca0c4da8e48a9b3f692558caacbc725c79e7eca1c71e1630a8f547cc6abe76058ae222c9f92862cf7ed2bfcb57
