dcrat | fa42b1a6e0cb223bb4f4b570b71117eb74f84481c2a95ed58fb35270343b66bd

Analysis

max time kernel
144s
max time network
140s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
01/11/2022, 05:37

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

fa42b1a6e0cb223bb4f4b570b71117eb74f84481c2a95ed58fb35270343b66bd.exe
Size

1.3MB
MD5

ac283f6a2cfc2eeb7a6db23070d70bb3
SHA1

ce0ca6cdd1f4d2103e9d135cb0db4be252c0acc3
SHA256

fa42b1a6e0cb223bb4f4b570b71117eb74f84481c2a95ed58fb35270343b66bd
SHA512

0882be97c958316be38b3307ee71c9545c8dec8cff74543408267fa59663fa263be159b1c0b78ba8ee69f10b75b71117d55de41b0666b30e66f9d25dd3e68858
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1372	3920	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4208	3920	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4924	3920	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3028	3920	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4772	3920	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3376	3920	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3640	3920	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3380	3920	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4220	3920	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4752	3920	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4740	3920	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4144	3920	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4152	3920	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4992	3920	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4968	3920	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4168	3920	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5044	3920	schtasks.exe	70
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5040	3920	schtasks.exe	70

DCRat payload 15 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000800000001ac26-284.dat	dcrat
behavioral1/files/0x000800000001ac26-285.dat	dcrat
behavioral1/memory/4228-286-0x00000000003D0000-0x00000000004E0000-memory.dmp	dcrat
behavioral1/files/0x000600000001ac33-312.dat	dcrat
behavioral1/files/0x000600000001ac33-311.dat	dcrat
behavioral1/files/0x000600000001ac33-520.dat	dcrat
behavioral1/files/0x000600000001ac33-526.dat	dcrat
behavioral1/files/0x000600000001ac33-531.dat	dcrat
behavioral1/files/0x000600000001ac33-536.dat	dcrat
behavioral1/files/0x000600000001ac33-541.dat	dcrat
behavioral1/files/0x000600000001ac33-546.dat	dcrat
behavioral1/files/0x000600000001ac33-552.dat	dcrat
behavioral1/files/0x000600000001ac33-557.dat	dcrat
behavioral1/files/0x000600000001ac33-563.dat	dcrat
behavioral1/files/0x000600000001ac33-568.dat	dcrat

Executes dropped EXE 12 IoCs

pid	Process
4228	DllCommonsvc.exe
3348	DllCommonsvc.exe
4252	DllCommonsvc.exe
4684	DllCommonsvc.exe
3792	DllCommonsvc.exe
4488	DllCommonsvc.exe
5004	DllCommonsvc.exe
5020	DllCommonsvc.exe
728	DllCommonsvc.exe
4752	DllCommonsvc.exe
4184	DllCommonsvc.exe
2364	DllCommonsvc.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Mail\en-US\fontdrvhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Mail\en-US\5b884080fd4f94	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Speech_OneCore\Engines\Lexicon\en-US\DllCommonsvc.exe	DllCommonsvc.exe
File created	C:\Windows\Speech_OneCore\Engines\Lexicon\en-US\a76d7bf15d8370	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4992	schtasks.exe
4968	schtasks.exe
5040	schtasks.exe
4772	schtasks.exe
3380	schtasks.exe
4144	schtasks.exe
4752	schtasks.exe
3376	schtasks.exe
4740	schtasks.exe
4152	schtasks.exe
4168	schtasks.exe
4208	schtasks.exe
4924	schtasks.exe
3028	schtasks.exe
5044	schtasks.exe
1372	schtasks.exe
3640	schtasks.exe
4220	schtasks.exe

Modifies registry class 11 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	fa42b1a6e0cb223bb4f4b570b71117eb74f84481c2a95ed58fb35270343b66bd.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2482096546-1136599444-1359412500-1000_Classes\Local Settings	DllCommonsvc.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

pid	Process
4228	DllCommonsvc.exe
4120	powershell.exe
2032	powershell.exe
4180	powershell.exe
3216	powershell.exe
1416	powershell.exe
4120	powershell.exe
60	powershell.exe
2032	powershell.exe
1456	powershell.exe
3216	powershell.exe
1416	powershell.exe
3348	DllCommonsvc.exe
3216	powershell.exe
4120	powershell.exe
2032	powershell.exe
1416	powershell.exe
4180	powershell.exe
60	powershell.exe
1456	powershell.exe
4180	powershell.exe
60	powershell.exe
1456	powershell.exe
4252	DllCommonsvc.exe
4684	DllCommonsvc.exe
3792	DllCommonsvc.exe
4488	DllCommonsvc.exe
5004	DllCommonsvc.exe
5020	DllCommonsvc.exe
728	DllCommonsvc.exe
4752	DllCommonsvc.exe
4184	DllCommonsvc.exe
2364	DllCommonsvc.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4228	DllCommonsvc.exe
Token: SeDebugPrivilege	4120	powershell.exe
Token: SeDebugPrivilege	2032	powershell.exe
Token: SeDebugPrivilege	4180	powershell.exe
Token: SeDebugPrivilege	3216	powershell.exe
Token: SeDebugPrivilege	1416	powershell.exe
Token: SeDebugPrivilege	3348	DllCommonsvc.exe
Token: SeDebugPrivilege	60	powershell.exe
Token: SeDebugPrivilege	1456	powershell.exe
Token: SeIncreaseQuotaPrivilege	4120	powershell.exe
Token: SeSecurityPrivilege	4120	powershell.exe
Token: SeTakeOwnershipPrivilege	4120	powershell.exe
Token: SeLoadDriverPrivilege	4120	powershell.exe
Token: SeSystemProfilePrivilege	4120	powershell.exe
Token: SeSystemtimePrivilege	4120	powershell.exe
Token: SeProfSingleProcessPrivilege	4120	powershell.exe
Token: SeIncBasePriorityPrivilege	4120	powershell.exe
Token: SeCreatePagefilePrivilege	4120	powershell.exe
Token: SeBackupPrivilege	4120	powershell.exe
Token: SeRestorePrivilege	4120	powershell.exe
Token: SeShutdownPrivilege	4120	powershell.exe
Token: SeDebugPrivilege	4120	powershell.exe
Token: SeSystemEnvironmentPrivilege	4120	powershell.exe
Token: SeRemoteShutdownPrivilege	4120	powershell.exe
Token: SeUndockPrivilege	4120	powershell.exe
Token: SeManageVolumePrivilege	4120	powershell.exe
Token: 33	4120	powershell.exe
Token: 34	4120	powershell.exe
Token: 35	4120	powershell.exe
Token: 36	4120	powershell.exe
Token: SeIncreaseQuotaPrivilege	2032	powershell.exe
Token: SeSecurityPrivilege	2032	powershell.exe
Token: SeTakeOwnershipPrivilege	2032	powershell.exe
Token: SeLoadDriverPrivilege	2032	powershell.exe
Token: SeSystemProfilePrivilege	2032	powershell.exe
Token: SeSystemtimePrivilege	2032	powershell.exe
Token: SeProfSingleProcessPrivilege	2032	powershell.exe
Token: SeIncBasePriorityPrivilege	2032	powershell.exe
Token: SeCreatePagefilePrivilege	2032	powershell.exe
Token: SeBackupPrivilege	2032	powershell.exe
Token: SeRestorePrivilege	2032	powershell.exe
Token: SeShutdownPrivilege	2032	powershell.exe
Token: SeDebugPrivilege	2032	powershell.exe
Token: SeSystemEnvironmentPrivilege	2032	powershell.exe
Token: SeRemoteShutdownPrivilege	2032	powershell.exe
Token: SeUndockPrivilege	2032	powershell.exe
Token: SeManageVolumePrivilege	2032	powershell.exe
Token: 33	2032	powershell.exe
Token: 34	2032	powershell.exe
Token: 35	2032	powershell.exe
Token: 36	2032	powershell.exe
Token: SeIncreaseQuotaPrivilege	3216	powershell.exe
Token: SeSecurityPrivilege	3216	powershell.exe
Token: SeTakeOwnershipPrivilege	3216	powershell.exe
Token: SeLoadDriverPrivilege	3216	powershell.exe
Token: SeSystemProfilePrivilege	3216	powershell.exe
Token: SeSystemtimePrivilege	3216	powershell.exe
Token: SeProfSingleProcessPrivilege	3216	powershell.exe
Token: SeIncBasePriorityPrivilege	3216	powershell.exe
Token: SeCreatePagefilePrivilege	3216	powershell.exe
Token: SeBackupPrivilege	3216	powershell.exe
Token: SeRestorePrivilege	3216	powershell.exe
Token: SeShutdownPrivilege	3216	powershell.exe
Token: SeDebugPrivilege	3216	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2580 wrote to memory of 536	2580	fa42b1a6e0cb223bb4f4b570b71117eb74f84481c2a95ed58fb35270343b66bd.exe	66
PID 2580 wrote to memory of 536	2580	fa42b1a6e0cb223bb4f4b570b71117eb74f84481c2a95ed58fb35270343b66bd.exe	66
PID 2580 wrote to memory of 536	2580	fa42b1a6e0cb223bb4f4b570b71117eb74f84481c2a95ed58fb35270343b66bd.exe	66
PID 536 wrote to memory of 4392	536	WScript.exe	67
PID 536 wrote to memory of 4392	536	WScript.exe	67
PID 536 wrote to memory of 4392	536	WScript.exe	67
PID 4392 wrote to memory of 4228	4392	cmd.exe	69
PID 4392 wrote to memory of 4228	4392	cmd.exe	69
PID 4228 wrote to memory of 2032	4228	DllCommonsvc.exe	89
PID 4228 wrote to memory of 2032	4228	DllCommonsvc.exe	89
PID 4228 wrote to memory of 4180	4228	DllCommonsvc.exe	91
PID 4228 wrote to memory of 4180	4228	DllCommonsvc.exe	91
PID 4228 wrote to memory of 4120	4228	DllCommonsvc.exe	94
PID 4228 wrote to memory of 4120	4228	DllCommonsvc.exe	94
PID 4228 wrote to memory of 3216	4228	DllCommonsvc.exe	93
PID 4228 wrote to memory of 3216	4228	DllCommonsvc.exe	93
PID 4228 wrote to memory of 60	4228	DllCommonsvc.exe	95
PID 4228 wrote to memory of 60	4228	DllCommonsvc.exe	95
PID 4228 wrote to memory of 1416	4228	DllCommonsvc.exe	96
PID 4228 wrote to memory of 1416	4228	DllCommonsvc.exe	96
PID 4228 wrote to memory of 1456	4228	DllCommonsvc.exe	97
PID 4228 wrote to memory of 1456	4228	DllCommonsvc.exe	97
PID 4228 wrote to memory of 3348	4228	DllCommonsvc.exe	103
PID 4228 wrote to memory of 3348	4228	DllCommonsvc.exe	103
PID 3348 wrote to memory of 5012	3348	DllCommonsvc.exe	105
PID 3348 wrote to memory of 5012	3348	DllCommonsvc.exe	105
PID 5012 wrote to memory of 404	5012	cmd.exe	107
PID 5012 wrote to memory of 404	5012	cmd.exe	107
PID 5012 wrote to memory of 4252	5012	cmd.exe	108
PID 5012 wrote to memory of 4252	5012	cmd.exe	108
PID 4252 wrote to memory of 4720	4252	DllCommonsvc.exe	109
PID 4252 wrote to memory of 4720	4252	DllCommonsvc.exe	109
PID 4720 wrote to memory of 4672	4720	cmd.exe	111
PID 4720 wrote to memory of 4672	4720	cmd.exe	111
PID 4720 wrote to memory of 4684	4720	cmd.exe	112
PID 4720 wrote to memory of 4684	4720	cmd.exe	112
PID 4684 wrote to memory of 2884	4684	DllCommonsvc.exe	113
PID 4684 wrote to memory of 2884	4684	DllCommonsvc.exe	113
PID 2884 wrote to memory of 4628	2884	cmd.exe	115
PID 2884 wrote to memory of 4628	2884	cmd.exe	115
PID 2884 wrote to memory of 3792	2884	cmd.exe	116
PID 2884 wrote to memory of 3792	2884	cmd.exe	116
PID 3792 wrote to memory of 536	3792	DllCommonsvc.exe	117
PID 3792 wrote to memory of 536	3792	DllCommonsvc.exe	117
PID 536 wrote to memory of 4924	536	cmd.exe	119
PID 536 wrote to memory of 4924	536	cmd.exe	119
PID 536 wrote to memory of 4488	536	cmd.exe	120
PID 536 wrote to memory of 4488	536	cmd.exe	120
PID 4488 wrote to memory of 4796	4488	DllCommonsvc.exe	121
PID 4488 wrote to memory of 4796	4488	DllCommonsvc.exe	121
PID 4796 wrote to memory of 1012	4796	cmd.exe	123
PID 4796 wrote to memory of 1012	4796	cmd.exe	123
PID 4796 wrote to memory of 5004	4796	cmd.exe	124
PID 4796 wrote to memory of 5004	4796	cmd.exe	124
PID 5004 wrote to memory of 3348	5004	DllCommonsvc.exe	125
PID 5004 wrote to memory of 3348	5004	DllCommonsvc.exe	125
PID 3348 wrote to memory of 4264	3348	cmd.exe	127
PID 3348 wrote to memory of 4264	3348	cmd.exe	127
PID 3348 wrote to memory of 5020	3348	cmd.exe	128
PID 3348 wrote to memory of 5020	3348	cmd.exe	128
PID 5020 wrote to memory of 4224	5020	DllCommonsvc.exe	129
PID 5020 wrote to memory of 4224	5020	DllCommonsvc.exe	129
PID 4224 wrote to memory of 204	4224	cmd.exe	131
PID 4224 wrote to memory of 204	4224	cmd.exe	131

C:\Users\Admin\AppData\Local\Temp\fa42b1a6e0cb223bb4f4b570b71117eb74f84481c2a95ed58fb35270343b66bd.exe
"C:\Users\Admin\AppData\Local\Temp\fa42b1a6e0cb223bb4f4b570b71117eb74f84481c2a95ed58fb35270343b66bd.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2580
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:536
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4392
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4228
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2032
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\lsass.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4180
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Speech_OneCore\Engines\Lexicon\en-US\DllCommonsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3216
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\spoolsv.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4120
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sppsvc.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:60
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Downloads\OfficeClickToRun.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1416
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\en-US\fontdrvhost.exe'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1456
    - - C:\Windows\Speech_OneCore\Engines\Lexicon\en-US\DllCommonsvc.exe
        
        "C:\Windows\Speech_OneCore\Engines\Lexicon\en-US\DllCommonsvc.exe"
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3348
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hbGxgnDDQj.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:5012
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:404
        
        C:\Windows\Speech_OneCore\Engines\Lexicon\en-US\DllCommonsvc.exe
        
        "C:\Windows\Speech_OneCore\Engines\Lexicon\en-US\DllCommonsvc.exe"
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4252
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZcfpJnj91J.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4720
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:4672
        
        C:\Windows\Speech_OneCore\Engines\Lexicon\en-US\DllCommonsvc.exe
        
        "C:\Windows\Speech_OneCore\Engines\Lexicon\en-US\DllCommonsvc.exe"
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4684
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lZfwAG7KGX.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2884
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:4628
        
        C:\Windows\Speech_OneCore\Engines\Lexicon\en-US\DllCommonsvc.exe
        
        "C:\Windows\Speech_OneCore\Engines\Lexicon\en-US\DllCommonsvc.exe"
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3792
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xEoBbgPmrR.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:536
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:4924
        
        C:\Windows\Speech_OneCore\Engines\Lexicon\en-US\DllCommonsvc.exe
        
        "C:\Windows\Speech_OneCore\Engines\Lexicon\en-US\DllCommonsvc.exe"
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4488
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gW6qUMg8Bu.bat"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:4796
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1012
        
        C:\Windows\Speech_OneCore\Engines\Lexicon\en-US\DllCommonsvc.exe
        
        "C:\Windows\Speech_OneCore\Engines\Lexicon\en-US\DllCommonsvc.exe"
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:5004
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GzuRWOxc20.bat"
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:3348
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:4264
        
        C:\Windows\Speech_OneCore\Engines\Lexicon\en-US\DllCommonsvc.exe
        
        "C:\Windows\Speech_OneCore\Engines\Lexicon\en-US\DllCommonsvc.exe"
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:5020
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KqyXtY4PgZ.bat"
        18⤵
        Suspicious use of WriteProcessMemory
        
        PID:4224
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:204
        
        C:\Windows\Speech_OneCore\Engines\Lexicon\en-US\DllCommonsvc.exe
        
        "C:\Windows\Speech_OneCore\Engines\Lexicon\en-US\DllCommonsvc.exe"
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:728
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wNwF62sylT.bat"
        20⤵
        
        PID:2132
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:3220
        
        C:\Windows\Speech_OneCore\Engines\Lexicon\en-US\DllCommonsvc.exe
        
        "C:\Windows\Speech_OneCore\Engines\Lexicon\en-US\DllCommonsvc.exe"
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4752
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wNwF62sylT.bat"
        22⤵
        
        PID:820
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:1088
        
        C:\Windows\Speech_OneCore\Engines\Lexicon\en-US\DllCommonsvc.exe
        
        "C:\Windows\Speech_OneCore\Engines\Lexicon\en-US\DllCommonsvc.exe"
        23⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4184
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\B7rL9EqqPR.bat"
        24⤵
        
        PID:620
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:404
        
        C:\Windows\Speech_OneCore\Engines\Lexicon\en-US\DllCommonsvc.exe
        
        "C:\Windows\Speech_OneCore\Engines\Lexicon\en-US\DllCommonsvc.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\odt\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\odt\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\odt\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 13 /tr "'C:\Windows\Speech_OneCore\Engines\Lexicon\en-US\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Windows\Speech_OneCore\Engines\Lexicon\en-US\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\Windows\Speech_OneCore\Engines\Lexicon\en-US\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Downloads\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\Public\Downloads\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Downloads\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Mail\en-US\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\en-US\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Mail\en-US\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5040

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\DllCommonsvc.exe.log

Filesize
1KB

MD5
b4268d8ae66fdd920476b97a1776bf85

SHA1
f920de54f7467f0970eccc053d3c6c8dd181d49a

SHA256
61d17affcc8d91ecb1858e710c455186f9d0ccfc4d8ae17a1145d87bc7317879

SHA512
03b6b90641837f9efb6065698602220d6c5ad263d51d7b7714747c2a3c3c618bd3d94add206b034d6fa2b8e43cbd1ac4a1741cfa1c2b1c1fc8589ae0b0c89516

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c4a2ab697d76df9024e3fe6a8948b95d

SHA1
759fe12cef5ff7081cc820b17441e845d669896f

SHA256
79b858507f5b8a12f00fc5b6a73fbd03518904bb5346b099cf37ba9e949bc6ed

SHA512
310c8e01edb1cfd7fd454d4e7a44c4022e0ad49a5c114126f04b4e5dd2a951f98ba0d64942b67219b96f0827210fe11a8ec488e3a7672aaeb29c40fa08adb41f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c4a2ab697d76df9024e3fe6a8948b95d

SHA1
759fe12cef5ff7081cc820b17441e845d669896f

SHA256
79b858507f5b8a12f00fc5b6a73fbd03518904bb5346b099cf37ba9e949bc6ed

SHA512
310c8e01edb1cfd7fd454d4e7a44c4022e0ad49a5c114126f04b4e5dd2a951f98ba0d64942b67219b96f0827210fe11a8ec488e3a7672aaeb29c40fa08adb41f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
bce22f3249adef446b596ec2da8cd6c6

SHA1
7af5f2c1c554c2659426dec0e1fafc8b8d5fb321

SHA256
ff7369b744ee394bb4a0b448512cb542600e70ec3e35be684d9566f9caec55f5

SHA512
0dcef7cb51d9afbdd6d6ca51d1493f928484246c059bbeb7de091f5363f5d08ce9d69173ecce4c6d3315d9b2f9da0a3241a4971ba2d4bb4d52c20a1a137d40fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
bce22f3249adef446b596ec2da8cd6c6

SHA1
7af5f2c1c554c2659426dec0e1fafc8b8d5fb321

SHA256
ff7369b744ee394bb4a0b448512cb542600e70ec3e35be684d9566f9caec55f5

SHA512
0dcef7cb51d9afbdd6d6ca51d1493f928484246c059bbeb7de091f5363f5d08ce9d69173ecce4c6d3315d9b2f9da0a3241a4971ba2d4bb4d52c20a1a137d40fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
bce22f3249adef446b596ec2da8cd6c6

SHA1
7af5f2c1c554c2659426dec0e1fafc8b8d5fb321

SHA256
ff7369b744ee394bb4a0b448512cb542600e70ec3e35be684d9566f9caec55f5

SHA512
0dcef7cb51d9afbdd6d6ca51d1493f928484246c059bbeb7de091f5363f5d08ce9d69173ecce4c6d3315d9b2f9da0a3241a4971ba2d4bb4d52c20a1a137d40fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\B7rL9EqqPR.bat

Filesize
229B

MD5
c4f1b3095d9b04423cb13279254b77b6

SHA1
59a5b29a9d1335f62d51b52e8c9b5a5a0a0b7ad9

SHA256
ed9bd4d711cf4f2677dd2885a813f7a6da6be401a5fbe85973fb32a069e66d65

SHA512
b630b21d033e55a5579a77b3c66d5279ba2b14e94bede624b7594a39c1df2f79ff1d0e068ae9bfc3b370d4ceffa7f8c5125128464019893758779b1503d610c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\GzuRWOxc20.bat

Filesize
229B

MD5
5073926f9be13cde611e95f4fd98ef3a

SHA1
352cb1b2977fc488991e5411e5c892c2cc89d114

SHA256
ddb1833fbf8866f1bcf24b3376759e9eefdfa80242191542c24db7f7b4eb340f

SHA512
3745d778ec624cb9ad3554b14e1a235afea5fbf74725616907b71768f5b5b86f80edaa9e2b2e8f3571228bc209ec217c001adc38fa640f374bce186669609cdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\KqyXtY4PgZ.bat

Filesize
229B

MD5
1454d16a47deae0197a9c120571f91de

SHA1
67376de55dfb281a51912550e7d2cf87bb1e127f

SHA256
c9e12451e80f704c08235807bb0bd644c1dfa59292720a2783d1709897714517

SHA512
86ee28d439122e3927949c327157e0f95760ebe4720e4854eea3f892ff4a0c0b2dff222e240dd4bede3e8db1d02d89cf7d6dda922bee362b70ea7fef85fec4a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZcfpJnj91J.bat

Filesize
229B

MD5
49ad10bb24bf0ebcb6724fa224655a8d

SHA1
30750408ed2e992d6e93e0c0c7be1e01af7b94be

SHA256
561c96dca535d8dc5a7ed9e03f47578a424a27d51db3c1158f558e29d8a3c289

SHA512
64ad0a660f1479d0028e6e44735c2d702a69d1ed377c187e626f060720c400688d7c2613b444ae7772faae004e9a6217e0e239c35d8e279d08a2b1775cac68dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\gW6qUMg8Bu.bat

Filesize
229B

MD5
86c5856cf9799b1f5f18258b4b63fdd9

SHA1
0b537d86e7850ef8546b05fd125211f461d019f7

SHA256
f8c12d2a197d94f3680b857ddcf78790dd659ed1736767db3354511b0ee0e78e

SHA512
ad17de82bbb4272cb2bd77376648300d4e38dee3238f15ffd9ad00a012b9bd8b009dd1281997452d368c47edca98bfeec58b3ee5524d5751032157cd8ca432cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\hbGxgnDDQj.bat

Filesize
229B

MD5
3a6a46ed4675c80a6ac43f6201aace96

SHA1
0b6a32e52b7f3f6f76405840921708205b3c6c50

SHA256
07e214a3c01e065c2e743e0280b9c6ca75ed1e0770d99db3c579590fcbf00452

SHA512
060893e837b93916dfec6acd7c165732aec78c1ac761762020887c3d90858426da140566cfb984305b24d7731dfeda46f3649758c8df541864dc4f888a6fe507

Download Submit
C:\Users\Admin\AppData\Local\Temp\lZfwAG7KGX.bat

Filesize
229B

MD5
6b0192a3769e8367272869532846cd49

SHA1
3c0aa389c9722a3f3b30cc49af966bd1829c40ac

SHA256
92bc0e809eb734f51358bdcf23d189d6f59c9fd339a07b03953b6eed6ae684d9

SHA512
87f6aee7ff0890bba7166210e7a74198a73bb236cd37975685b644fb25ca41c47afd57e326346802d1a6962d4e62a216c114134936648a55741b8e7c80bb0213

Download Submit
C:\Users\Admin\AppData\Local\Temp\wNwF62sylT.bat

Filesize
229B

MD5
e6e28ba7ac3d80ea32742fe6885f26b9

SHA1
2d9e35778dd2d2b8eb02ea7933727ebf8ae0c90c

SHA256
2b03744f651a5768f4f4141a4564ba946090516644c5d9cde3d6fe243d6f97d9

SHA512
4f0fd54f5303bfd45d66f590e9422722210d8619dd230001b07cdf7c5b652dcac1fcda469c9881221ec414b9159f95039c0ea4debfeeb2d1af6833a26220c6b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\wNwF62sylT.bat

Filesize
229B

MD5
e6e28ba7ac3d80ea32742fe6885f26b9

SHA1
2d9e35778dd2d2b8eb02ea7933727ebf8ae0c90c

SHA256
2b03744f651a5768f4f4141a4564ba946090516644c5d9cde3d6fe243d6f97d9

SHA512
4f0fd54f5303bfd45d66f590e9422722210d8619dd230001b07cdf7c5b652dcac1fcda469c9881221ec414b9159f95039c0ea4debfeeb2d1af6833a26220c6b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\xEoBbgPmrR.bat

Filesize
229B

MD5
57956189d8f89ca45e582588cfbab8f4

SHA1
07f4bed68d6412342a989e9aa29dbd5602967c71

SHA256
f641a6106785a69d59bf5fd151771a3ce4c66d9ca8173859acdbf636db0cc4ab

SHA512
9f2eeb5031ebbb40c2c0019a297b3dbfa1d9ee45e01826a3098f5760a934883b50383d3d696aa2af9033c9a3ec61086c9000c623a1fb20ef850b7ec2114e3b9d

Download Submit
C:\Windows\Speech_OneCore\Engines\Lexicon\en-US\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\Speech_OneCore\Engines\Lexicon\en-US\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\Speech_OneCore\Engines\Lexicon\en-US\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\Speech_OneCore\Engines\Lexicon\en-US\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\Speech_OneCore\Engines\Lexicon\en-US\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\Speech_OneCore\Engines\Lexicon\en-US\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\Speech_OneCore\Engines\Lexicon\en-US\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\Speech_OneCore\Engines\Lexicon\en-US\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\Speech_OneCore\Engines\Lexicon\en-US\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\Speech_OneCore\Engines\Lexicon\en-US\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\Speech_OneCore\Engines\Lexicon\en-US\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\Speech_OneCore\Engines\Lexicon\en-US\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/536-186-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/536-185-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2364-569-0x0000000001080000-0x0000000001092000-memory.dmp

Filesize
72KB

Download
memory/2580-159-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2580-146-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2580-176-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2580-177-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2580-178-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2580-179-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2580-180-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2580-181-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2580-182-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2580-183-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2580-174-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2580-172-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2580-173-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2580-171-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2580-170-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2580-121-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2580-136-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2580-169-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2580-168-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2580-137-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2580-138-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2580-139-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2580-134-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2580-140-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2580-167-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2580-133-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2580-141-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2580-166-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2580-165-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2580-142-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2580-164-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2580-132-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2580-162-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2580-163-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2580-161-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2580-143-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2580-144-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2580-131-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2580-122-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2580-160-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2580-120-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2580-158-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2580-157-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2580-156-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2580-155-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2580-152-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2580-154-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2580-123-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2580-153-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2580-175-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2580-125-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2580-151-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2580-126-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2580-128-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2580-147-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2580-145-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2580-129-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2580-150-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2580-130-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2580-149-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2580-148-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/2580-135-0x0000000077710000-0x000000007789E000-memory.dmp

Filesize
1.6MB

Download
memory/3348-331-0x0000000000FA0000-0x0000000000FB2000-memory.dmp

Filesize
72KB

Download
memory/4120-337-0x000001F7ED8B0000-0x000001F7ED926000-memory.dmp

Filesize
472KB

Download
memory/4120-330-0x000001F7ED570000-0x000001F7ED592000-memory.dmp

Filesize
136KB

Download
memory/4228-290-0x0000000000DA0000-0x0000000000DAC000-memory.dmp

Filesize
48KB

Download
memory/4228-289-0x0000000000DC0000-0x0000000000DCC000-memory.dmp

Filesize
48KB

Download
memory/4228-288-0x0000000000A90000-0x0000000000A9C000-memory.dmp

Filesize
48KB

Download
memory/4228-287-0x0000000000A80000-0x0000000000A92000-memory.dmp

Filesize
72KB

Download
memory/4228-286-0x00000000003D0000-0x00000000004E0000-memory.dmp

Filesize
1.1MB

Download
memory/4252-521-0x00000000008F0000-0x0000000000902000-memory.dmp

Filesize
72KB

Download
memory/4752-558-0x0000000000890000-0x00000000008A2000-memory.dmp

Filesize
72KB

Download
memory/5020-547-0x0000000000C40000-0x0000000000C52000-memory.dmp

Filesize
72KB

Download