dcrat | 8d4b33f016a0358ab33a61a53be27b775979a15719e2168d66bae6a7a598d2e1

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cc027f345eec8bb836216b98c2a013df.exe
Size

885KB
MD5

cc027f345eec8bb836216b98c2a013df
SHA1

f13c3e0e7c6d7938dfb97fb19a55cc47424b174e
SHA256

00bc028b5d4f9cdadf18888944bf27281bfe3299b051f9e4f20f129f5f45b400
SHA512

4740c0d83f273b50ccfd0a5a1b53a66782d9b811ce323b010a915ca78d6e844ed94b75e57eb8d97b06b1848679fa9ee5abc3b24e97fff8292050c1726449a2b6
SSDEEP

12288:8lNE5VnZuh+ZIlXJBH5SP2I/lwvDT77/wOKsV42i3GULVaHeopyyx:8lNCv6XJ5BClaXfD9vUha+u

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1432	2392	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4584	2392	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1296	2392	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4664	2392	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4656	2392	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4616	2392	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4764	2392	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4792	2392	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4800	2392	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4776	2392	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4904	2392	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4912	2392	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2052	2392	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5892	2392	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4736	2392	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5764	2392	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1228	2392	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	2392	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	2392	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5320	2392	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1408	2392	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6120	2392	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3556	2392	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	668	2392	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4936	2392	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5020	2392	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4872	2392	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4972	2392	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4980	2392	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5008	2392	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5164	2392	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4752	2392	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1752	2392	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5488	2392	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3332	2392	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3720	2392	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3312	2392	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3728	2392	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4632	2392	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	396	2392	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4820	2392	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5696	2392	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6108	2392	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	980	2392	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4460	2392	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1188	2392	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4340	2392	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	2392	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	2392	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	2392	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1556	2392	schtasks.exe	88

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral24/memory/5800-1-0x0000000000690000-0x0000000000774000-memory.dmp	dcrat
behavioral24/files/0x0007000000024278-19.dat	dcrat
behavioral24/files/0x000f00000002406e-218.dat	dcrat

Checks computer location settings 2 TTPs 16 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	cc027f345eec8bb836216b98c2a013df.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe

Executes dropped EXE 16 IoCs

pid	Process
3644	RuntimeBroker.exe
5112	RuntimeBroker.exe
4980	RuntimeBroker.exe
5696	RuntimeBroker.exe
5576	RuntimeBroker.exe
6076	RuntimeBroker.exe
3396	RuntimeBroker.exe
468	RuntimeBroker.exe
5164	RuntimeBroker.exe
4540	RuntimeBroker.exe
3200	RuntimeBroker.exe
2468	RuntimeBroker.exe
1952	RuntimeBroker.exe
5016	RuntimeBroker.exe
1228	RuntimeBroker.exe
2512	RuntimeBroker.exe

Drops file in Program Files directory 28 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows NT\Accessories\en-US\RCX782B.tmp	cc027f345eec8bb836216b98c2a013df.exe
File opened for modification	C:\Program Files\Uninstall Information\RCX7860.tmp	cc027f345eec8bb836216b98c2a013df.exe
File created	C:\Program Files\Windows Media Player\de-DE\5b884080fd4f94	cc027f345eec8bb836216b98c2a013df.exe
File created	C:\Program Files\edge_BITS_4548_1148497934\smss.exe	cc027f345eec8bb836216b98c2a013df.exe
File created	C:\Program Files (x86)\Google\Update\wininit.exe	cc027f345eec8bb836216b98c2a013df.exe
File created	C:\Program Files\Microsoft Office\Office16\ee2ad38f3d4382	cc027f345eec8bb836216b98c2a013df.exe
File created	C:\Program Files\Uninstall Information\cc11b995f2a76d	cc027f345eec8bb836216b98c2a013df.exe
File opened for modification	C:\Program Files\Windows Media Player\de-DE\RCX7767.tmp	cc027f345eec8bb836216b98c2a013df.exe
File opened for modification	C:\Program Files\edge_BITS_4548_1148497934\RCX77D0.tmp	cc027f345eec8bb836216b98c2a013df.exe
File opened for modification	C:\Program Files (x86)\Google\Update\RCX77E2.tmp	cc027f345eec8bb836216b98c2a013df.exe
File created	C:\Program Files\Windows Media Player\de-DE\fontdrvhost.exe	cc027f345eec8bb836216b98c2a013df.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\55b276f4edf653	cc027f345eec8bb836216b98c2a013df.exe
File opened for modification	C:\Program Files\Windows Media Player\de-DE\RCX7766.tmp	cc027f345eec8bb836216b98c2a013df.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RCX77F4.tmp	cc027f345eec8bb836216b98c2a013df.exe
File opened for modification	C:\Program Files\Microsoft Office\Office16\RCX783E.tmp	cc027f345eec8bb836216b98c2a013df.exe
File opened for modification	C:\Program Files\Microsoft Office\Office16\RCX784E.tmp	cc027f345eec8bb836216b98c2a013df.exe
File opened for modification	C:\Program Files\Uninstall Information\RCX784F.tmp	cc027f345eec8bb836216b98c2a013df.exe
File created	C:\Program Files\edge_BITS_4548_1148497934\69ddcba757bf72	cc027f345eec8bb836216b98c2a013df.exe
File created	C:\Program Files (x86)\Google\Update\56085415360792	cc027f345eec8bb836216b98c2a013df.exe
File created	C:\Program Files\Windows NT\Accessories\en-US\dllhost.exe	cc027f345eec8bb836216b98c2a013df.exe
File created	C:\Program Files\Windows NT\Accessories\en-US\5940a34987c991	cc027f345eec8bb836216b98c2a013df.exe
File created	C:\Program Files\Uninstall Information\winlogon.exe	cc027f345eec8bb836216b98c2a013df.exe
File opened for modification	C:\Program Files (x86)\Google\Update\RCX77E3.tmp	cc027f345eec8bb836216b98c2a013df.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\en-US\RCX782A.tmp	cc027f345eec8bb836216b98c2a013df.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\StartMenuExperienceHost.exe	cc027f345eec8bb836216b98c2a013df.exe
File created	C:\Program Files\Microsoft Office\Office16\Registry.exe	cc027f345eec8bb836216b98c2a013df.exe
File opened for modification	C:\Program Files\edge_BITS_4548_1148497934\RCX77D1.tmp	cc027f345eec8bb836216b98c2a013df.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RCX77F3.tmp	cc027f345eec8bb836216b98c2a013df.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Speech_OneCore\Engines\SR\RCX77AC.tmp	cc027f345eec8bb836216b98c2a013df.exe
File opened for modification	C:\Windows\InputMethod\CHT\RCX783C.tmp	cc027f345eec8bb836216b98c2a013df.exe
File opened for modification	C:\Windows\InputMethod\CHT\RCX783D.tmp	cc027f345eec8bb836216b98c2a013df.exe
File created	C:\Windows\Speech_OneCore\Engines\SR\unsecapp.exe	cc027f345eec8bb836216b98c2a013df.exe
File created	C:\Windows\Speech_OneCore\Engines\SR\29c1c3cc0f7685	cc027f345eec8bb836216b98c2a013df.exe
File created	C:\Windows\InputMethod\CHT\spoolsv.exe	cc027f345eec8bb836216b98c2a013df.exe
File created	C:\Windows\InputMethod\CHT\f3b6ecef712a24	cc027f345eec8bb836216b98c2a013df.exe
File opened for modification	C:\Windows\Speech_OneCore\Engines\SR\RCX779B.tmp	cc027f345eec8bb836216b98c2a013df.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 16 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	cc027f345eec8bb836216b98c2a013df.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000_Classes\Local Settings	RuntimeBroker.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4764	schtasks.exe
2812	schtasks.exe
5696	schtasks.exe
2156	schtasks.exe
4584	schtasks.exe
4616	schtasks.exe
4792	schtasks.exe
4736	schtasks.exe
3556	schtasks.exe
4752	schtasks.exe
3332	schtasks.exe
4820	schtasks.exe
4800	schtasks.exe
5764	schtasks.exe
1228	schtasks.exe
5020	schtasks.exe
5008	schtasks.exe
1752	schtasks.exe
6108	schtasks.exe
980	schtasks.exe
4664	schtasks.exe
4776	schtasks.exe
3720	schtasks.exe
396	schtasks.exe
2140	schtasks.exe
1296	schtasks.exe
4656	schtasks.exe
5320	schtasks.exe
6120	schtasks.exe
668	schtasks.exe
4936	schtasks.exe
4980	schtasks.exe
3728	schtasks.exe
4904	schtasks.exe
4872	schtasks.exe
3312	schtasks.exe
4460	schtasks.exe
1188	schtasks.exe
4340	schtasks.exe
3048	schtasks.exe
1556	schtasks.exe
1408	schtasks.exe
5164	schtasks.exe
5488	schtasks.exe
4632	schtasks.exe
5892	schtasks.exe
4912	schtasks.exe
2052	schtasks.exe
2904	schtasks.exe
4972	schtasks.exe
1432	schtasks.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
5800	cc027f345eec8bb836216b98c2a013df.exe
5800	cc027f345eec8bb836216b98c2a013df.exe
5800	cc027f345eec8bb836216b98c2a013df.exe
5800	cc027f345eec8bb836216b98c2a013df.exe
5800	cc027f345eec8bb836216b98c2a013df.exe
5800	cc027f345eec8bb836216b98c2a013df.exe
5800	cc027f345eec8bb836216b98c2a013df.exe
3644	RuntimeBroker.exe
5112	RuntimeBroker.exe
4980	RuntimeBroker.exe
5696	RuntimeBroker.exe
5576	RuntimeBroker.exe
6076	RuntimeBroker.exe
6076	RuntimeBroker.exe
3396	RuntimeBroker.exe
3396	RuntimeBroker.exe
468	RuntimeBroker.exe
468	RuntimeBroker.exe
5164	RuntimeBroker.exe
4540	RuntimeBroker.exe
3200	RuntimeBroker.exe
2468	RuntimeBroker.exe
1952	RuntimeBroker.exe
5016	RuntimeBroker.exe
1228	RuntimeBroker.exe
1228	RuntimeBroker.exe
2512	RuntimeBroker.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	5800	cc027f345eec8bb836216b98c2a013df.exe
Token: SeDebugPrivilege	3644	RuntimeBroker.exe
Token: SeDebugPrivilege	5112	RuntimeBroker.exe
Token: SeDebugPrivilege	4980	RuntimeBroker.exe
Token: SeDebugPrivilege	5696	RuntimeBroker.exe
Token: SeDebugPrivilege	5576	RuntimeBroker.exe
Token: SeDebugPrivilege	6076	RuntimeBroker.exe
Token: SeDebugPrivilege	3396	RuntimeBroker.exe
Token: SeDebugPrivilege	468	RuntimeBroker.exe
Token: SeDebugPrivilege	5164	RuntimeBroker.exe
Token: SeDebugPrivilege	4540	RuntimeBroker.exe
Token: SeDebugPrivilege	3200	RuntimeBroker.exe
Token: SeDebugPrivilege	2468	RuntimeBroker.exe
Token: SeDebugPrivilege	1952	RuntimeBroker.exe
Token: SeDebugPrivilege	5016	RuntimeBroker.exe
Token: SeDebugPrivilege	1228	RuntimeBroker.exe
Token: SeDebugPrivilege	2512	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5800 wrote to memory of 2900	5800	cc027f345eec8bb836216b98c2a013df.exe	140
PID 5800 wrote to memory of 2900	5800	cc027f345eec8bb836216b98c2a013df.exe	140
PID 2900 wrote to memory of 2172	2900	cmd.exe	142
PID 2900 wrote to memory of 2172	2900	cmd.exe	142
PID 2900 wrote to memory of 3644	2900	cmd.exe	146
PID 2900 wrote to memory of 3644	2900	cmd.exe	146
PID 3644 wrote to memory of 2300	3644	RuntimeBroker.exe	148
PID 3644 wrote to memory of 2300	3644	RuntimeBroker.exe	148
PID 3644 wrote to memory of 4516	3644	RuntimeBroker.exe	149
PID 3644 wrote to memory of 4516	3644	RuntimeBroker.exe	149
PID 2300 wrote to memory of 5112	2300	WScript.exe	152
PID 2300 wrote to memory of 5112	2300	WScript.exe	152
PID 5112 wrote to memory of 2276	5112	RuntimeBroker.exe	153
PID 5112 wrote to memory of 2276	5112	RuntimeBroker.exe	153
PID 5112 wrote to memory of 1408	5112	RuntimeBroker.exe	154
PID 5112 wrote to memory of 1408	5112	RuntimeBroker.exe	154
PID 2276 wrote to memory of 4980	2276	WScript.exe	155
PID 2276 wrote to memory of 4980	2276	WScript.exe	155
PID 4980 wrote to memory of 2012	4980	RuntimeBroker.exe	156
PID 4980 wrote to memory of 2012	4980	RuntimeBroker.exe	156
PID 4980 wrote to memory of 3648	4980	RuntimeBroker.exe	157
PID 4980 wrote to memory of 3648	4980	RuntimeBroker.exe	157
PID 2012 wrote to memory of 5696	2012	WScript.exe	158
PID 2012 wrote to memory of 5696	2012	WScript.exe	158
PID 5696 wrote to memory of 2692	5696	RuntimeBroker.exe	160
PID 5696 wrote to memory of 2692	5696	RuntimeBroker.exe	160
PID 5696 wrote to memory of 2184	5696	RuntimeBroker.exe	161
PID 5696 wrote to memory of 2184	5696	RuntimeBroker.exe	161
PID 2692 wrote to memory of 5576	2692	WScript.exe	163
PID 2692 wrote to memory of 5576	2692	WScript.exe	163
PID 5576 wrote to memory of 1596	5576	RuntimeBroker.exe	167
PID 5576 wrote to memory of 1596	5576	RuntimeBroker.exe	167
PID 5576 wrote to memory of 3084	5576	RuntimeBroker.exe	168
PID 5576 wrote to memory of 3084	5576	RuntimeBroker.exe	168
PID 1596 wrote to memory of 6076	1596	WScript.exe	172
PID 1596 wrote to memory of 6076	1596	WScript.exe	172
PID 6076 wrote to memory of 5684	6076	RuntimeBroker.exe	173
PID 6076 wrote to memory of 5684	6076	RuntimeBroker.exe	173
PID 6076 wrote to memory of 5648	6076	RuntimeBroker.exe	174
PID 6076 wrote to memory of 5648	6076	RuntimeBroker.exe	174
PID 5684 wrote to memory of 3396	5684	WScript.exe	175
PID 5684 wrote to memory of 3396	5684	WScript.exe	175
PID 3396 wrote to memory of 3276	3396	RuntimeBroker.exe	176
PID 3396 wrote to memory of 3276	3396	RuntimeBroker.exe	176
PID 3396 wrote to memory of 4928	3396	RuntimeBroker.exe	177
PID 3396 wrote to memory of 4928	3396	RuntimeBroker.exe	177
PID 3276 wrote to memory of 468	3276	WScript.exe	178
PID 3276 wrote to memory of 468	3276	WScript.exe	178
PID 468 wrote to memory of 3128	468	RuntimeBroker.exe	179
PID 468 wrote to memory of 3128	468	RuntimeBroker.exe	179
PID 468 wrote to memory of 4552	468	RuntimeBroker.exe	180
PID 468 wrote to memory of 4552	468	RuntimeBroker.exe	180
PID 3128 wrote to memory of 5164	3128	WScript.exe	181
PID 3128 wrote to memory of 5164	3128	WScript.exe	181
PID 5164 wrote to memory of 1752	5164	RuntimeBroker.exe	182
PID 5164 wrote to memory of 1752	5164	RuntimeBroker.exe	182
PID 5164 wrote to memory of 5712	5164	RuntimeBroker.exe	183
PID 5164 wrote to memory of 5712	5164	RuntimeBroker.exe	183
PID 1752 wrote to memory of 4540	1752	WScript.exe	185
PID 1752 wrote to memory of 4540	1752	WScript.exe	185
PID 4540 wrote to memory of 3048	4540	RuntimeBroker.exe	186
PID 4540 wrote to memory of 3048	4540	RuntimeBroker.exe	186
PID 4540 wrote to memory of 4268	4540	RuntimeBroker.exe	187
PID 4540 wrote to memory of 4268	4540	RuntimeBroker.exe	187

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\cc027f345eec8bb836216b98c2a013df.exe
"C:\Users\Admin\AppData\Local\Temp\cc027f345eec8bb836216b98c2a013df.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5800
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KxjA3AGeGT.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2900
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2172
- - C:\Users\Default\NetHood\RuntimeBroker.exe
    "C:\Users\Default\NetHood\RuntimeBroker.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3644
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\032a8ef3-a53e-4149-a295-95b59c98a233.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2300
    - - C:\Users\Default\NetHood\RuntimeBroker.exe
        
        C:\Users\Default\NetHood\RuntimeBroker.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5112
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d7aac3df-1dd1-4c62-a613-aeb717582155.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2276
        
        C:\Users\Default\NetHood\RuntimeBroker.exe
        
        C:\Users\Default\NetHood\RuntimeBroker.exe
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4980
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e1513251-61f2-47d6-8f31-b629535f7644.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2012
        
        C:\Users\Default\NetHood\RuntimeBroker.exe
        
        C:\Users\Default\NetHood\RuntimeBroker.exe
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5696
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\37f20bcd-1e80-4bad-a911-c34bf6275149.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2692
        
        C:\Users\Default\NetHood\RuntimeBroker.exe
        
        C:\Users\Default\NetHood\RuntimeBroker.exe
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5576
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\852a9cb6-69b4-4b9c-b55e-be341b815e60.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:1596
        
        C:\Users\Default\NetHood\RuntimeBroker.exe
        
        C:\Users\Default\NetHood\RuntimeBroker.exe
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:6076
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a1f89319-80b0-4230-be04-815df537e79f.vbs"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:5684
        
        C:\Users\Default\NetHood\RuntimeBroker.exe
        
        C:\Users\Default\NetHood\RuntimeBroker.exe
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3396
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f4c2fbea-e054-4784-9126-2cffdade9ec2.vbs"
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:3276
        
        C:\Users\Default\NetHood\RuntimeBroker.exe
        
        C:\Users\Default\NetHood\RuntimeBroker.exe
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:468
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3fa09e16-25c0-41c2-af01-2a8b7185b5d3.vbs"
        18⤵
        Suspicious use of WriteProcessMemory
        
        PID:3128
        
        C:\Users\Default\NetHood\RuntimeBroker.exe
        
        C:\Users\Default\NetHood\RuntimeBroker.exe
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5164
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d5360a7b-f16d-4b48-b90c-4cce900644cb.vbs"
        20⤵
        Suspicious use of WriteProcessMemory
        
        PID:1752
        
        C:\Users\Default\NetHood\RuntimeBroker.exe
        
        C:\Users\Default\NetHood\RuntimeBroker.exe
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4540
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a752ba4e-7274-47c4-afd5-1543d3642804.vbs"
        22⤵
        
        PID:3048
        
        C:\Users\Default\NetHood\RuntimeBroker.exe
        
        C:\Users\Default\NetHood\RuntimeBroker.exe
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3200
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\27247cdc-ed96-46d6-92b8-40a04863694f.vbs"
        24⤵
        
        PID:3492
        
        C:\Users\Default\NetHood\RuntimeBroker.exe
        
        C:\Users\Default\NetHood\RuntimeBroker.exe
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2468
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\158d49a7-a2a5-4463-81ef-d2f512e009c6.vbs"
        26⤵
        
        PID:4864
        
        C:\Users\Default\NetHood\RuntimeBroker.exe
        
        C:\Users\Default\NetHood\RuntimeBroker.exe
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1952
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2a3e3aab-1165-410b-b46c-7c5b33a3133b.vbs"
        28⤵
        
        PID:3924
        
        C:\Users\Default\NetHood\RuntimeBroker.exe
        
        C:\Users\Default\NetHood\RuntimeBroker.exe
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5016
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\61e730ab-ca5e-4e15-947a-7d9238423603.vbs"
        30⤵
        
        PID:3452
        
        C:\Users\Default\NetHood\RuntimeBroker.exe
        
        C:\Users\Default\NetHood\RuntimeBroker.exe
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1228
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\59fffe14-522d-48c5-9020-7b65d0846918.vbs"
        32⤵
        
        PID:6140
        
        C:\Users\Default\NetHood\RuntimeBroker.exe
        
        C:\Users\Default\NetHood\RuntimeBroker.exe
        33⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2512
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c619a8c8-d923-4f49-be3d-780da891d28c.vbs"
        32⤵
        
        PID:4464
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\254cbb44-d75f-4ae6-a81b-78531dfb3027.vbs"
        30⤵
        
        PID:5608
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e8b1c2de-5c4d-4b28-857b-a754c5c7e850.vbs"
        28⤵
        
        PID:1372
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\920cf4d0-9b1c-4ae5-998a-cd47f1ffc79a.vbs"
        26⤵
        
        PID:64
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\93d63f34-b109-48d1-adba-966de0622a2d.vbs"
        24⤵
        
        PID:2816
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\955fb096-585c-4490-8273-9810eaa65b21.vbs"
        22⤵
        
        PID:4268
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3bfe9bea-3b59-4028-a40d-5af1e5a6d64c.vbs"
        20⤵
        
        PID:5712
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b80804b6-d7c0-40a0-a21e-b2aa876be6d8.vbs"
        18⤵
        
        PID:4552
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5ea9b47e-ce03-4628-96f6-fde84508fd46.vbs"
        16⤵
        
        PID:4928
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c66a9342-89b0-4576-94d2-8d05569b6a7c.vbs"
        14⤵
        
        PID:5648
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ce1f710a-1235-4ed3-aa70-2d997fedf366.vbs"
        12⤵
        
        PID:3084
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c5883070-0f0a-42cf-b328-288416613107.vbs"
        10⤵
        
        PID:2184
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\270a42b0-a48c-4bbb-984e-dc4fd772e0ad.vbs"
        8⤵
        
        PID:3648
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f13148b1-abeb-48c5-8497-0598ead854ee.vbs"
        6⤵
        
        PID:1408
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dd61cf8e-3e1e-4117-8a3d-6c326065bd3a.vbs"
      4⤵
      PID:4516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cc027f345eec8bb836216b98c2a013dfc" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\cc027f345eec8bb836216b98c2a013df.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cc027f345eec8bb836216b98c2a013df" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\cc027f345eec8bb836216b98c2a013df.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cc027f345eec8bb836216b98c2a013dfc" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\cc027f345eec8bb836216b98c2a013df.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Media Player\de-DE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\de-DE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Media Player\de-DE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cc027f345eec8bb836216b98c2a013dfc" /sc MINUTE /mo 11 /tr "'C:\4d7dcf6448637544ea7e961be1ad\cc027f345eec8bb836216b98c2a013df.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cc027f345eec8bb836216b98c2a013df" /sc ONLOGON /tr "'C:\4d7dcf6448637544ea7e961be1ad\cc027f345eec8bb836216b98c2a013df.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cc027f345eec8bb836216b98c2a013dfc" /sc MINUTE /mo 5 /tr "'C:\4d7dcf6448637544ea7e961be1ad\cc027f345eec8bb836216b98c2a013df.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 5 /tr "'C:\Windows\Speech_OneCore\Engines\SR\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Windows\Speech_OneCore\Engines\SR\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Windows\Speech_OneCore\Engines\SR\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\4fc20efa2b2ad5aa4b35f8fcca90f7df\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\4d7dcf6448637544ea7e961be1ad\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\4d7dcf6448637544ea7e961be1ad\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\4d7dcf6448637544ea7e961be1ad\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files\edge_BITS_4548_1148497934\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\edge_BITS_4548_1148497934\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files\edge_BITS_4548_1148497934\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\Update\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\Update\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Users\Default\NetHood\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default\NetHood\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Users\Default\NetHood\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\4d7dcf6448637544ea7e961be1ad\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\4d7dcf6448637544ea7e961be1ad\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\4d7dcf6448637544ea7e961be1ad\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows NT\Accessories\en-US\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\en-US\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows NT\Accessories\en-US\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Windows\InputMethod\CHT\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\InputMethod\CHT\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Windows\InputMethod\CHT\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office\Office16\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office16\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office\Office16\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Uninstall Information\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files\Uninstall Information\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\Office16\RCX783E.tmp

Filesize
885KB

MD5
75f89b5fbd1512e5c0d60418932766dc

SHA1
946027340345c1291d2ddfe1dc338b36fbbb8bb9

SHA256
fd27a6ca7e21643d260b432b2222585d3c71c7b0e4bbd00fea35b3076e972ef3

SHA512
4379293597f1ca12a1bb2e9ae059b2f25335cc8478f5e07cf4daae09ffcbdde253e5194d558f2140d5ee4bd20167a8abb1116d029e7fe7052644f70f600b9d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.log

Filesize
1KB

MD5
3690a1c3b695227a38625dcf27bd6dac

SHA1
c2ed91e98b120681182904fa2c7cd504e5c4b2f5

SHA256
2ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73

SHA512
15ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\032a8ef3-a53e-4149-a295-95b59c98a233.vbs

Filesize
718B

MD5
145cdda56dc8c1d226bb42cfc9caf838

SHA1
d5a8023407993e00079a7428c8a9cfb73dd817d1

SHA256
8c3db0a431f5bc91f78eafae9cba5adea225c976a7d44e06a7324dc6d30a0c52

SHA512
f2c6886f5b2f95b7d8c89133a7417f16355ec114ab2ad6df4f541a745a54a98bc9255835fbe195a33cccfa7dd9cb50858e0c8f0edc67c24504843a39a5437392

Download Submit
C:\Users\Admin\AppData\Local\Temp\158d49a7-a2a5-4463-81ef-d2f512e009c6.vbs

Filesize
718B

MD5
613105be944eac69af5ac5f0626ccb4c

SHA1
b64af368deee147591be695c457fd4763c456d23

SHA256
ce39dc9291c5f8701aaf926ce467017f7530cdac8a918b41391e1eac5ed7395a

SHA512
f59b3f9e678cd40b8679b8eb35d0e696e4f22b52a73fe9a902328afd417de364cf140db75fff40c5a8d6a86300ea0c54d9745473029db897117774e6fcbe862b

Download Submit
C:\Users\Admin\AppData\Local\Temp\27247cdc-ed96-46d6-92b8-40a04863694f.vbs

Filesize
718B

MD5
b0f2cf849d3dfc7dd20458e7c9a66c1b

SHA1
82bf2a02cdbdce37a71aa9df2dfb9930e81fca73

SHA256
6abdb4ddbf481ef70370946f483d6c8c093d92ab8df50b8a0932ca6031e68448

SHA512
6a8e7088250d91c2259c65773473b8296b0360d7e44b92ccd84784ecc3e56a255e900c435200b1aaf96f6d40be313f47b32e37fbd14841b07b2268e32a62f343

Download Submit
C:\Users\Admin\AppData\Local\Temp\2a3e3aab-1165-410b-b46c-7c5b33a3133b.vbs

Filesize
718B

MD5
0be15015d33bbbcc3607c42601bc510d

SHA1
58e8162f38728bb636bb35140ed35420e7a31547

SHA256
dfdedba3bf9d0d8c9af1e90625bfb1f608d61bb84abe3a74829f3b8efff221fe

SHA512
b73b90109707af75e5860d4483445cfa311e06339f14d1fc51fc8b2897f27f86fc8d6907b2fc117d2349b7e1136ca7a3c56db7540583d543d49c9d2f08729a23

Download Submit
C:\Users\Admin\AppData\Local\Temp\37f20bcd-1e80-4bad-a911-c34bf6275149.vbs

Filesize
718B

MD5
2dad5298467cc20552285fb761f0106f

SHA1
4feea456528c22d34161235a59fa09682b3fb8a1

SHA256
20015159d2fd4e01aa8a22bf8a78e183dada1b13d12bd59feef5306ea9bf4891

SHA512
5dc7942afbffa0366e907014801562779b73d8dada9e90ab30b1b03d8298c69cb3afba2bb912170b2152f53cbbbaaa7490160f1421f6fed501ad3b2b8f1010f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\3fa09e16-25c0-41c2-af01-2a8b7185b5d3.vbs

Filesize
717B

MD5
923aa2cf7776c02428476942903d0677

SHA1
1ac64a735ed486e8d372b1742e505ef47cc93a12

SHA256
01841612fd069a389781bfdcd1dbd6a53f3570f4b68e987f920a021a4ba9dad0

SHA512
95f5a10b02d3ab6fbfe889652b2c631ced4081056290b7808fe73bd5d91aebe3da62da9bf03fd71c9f1da550ff30e041367e8248ef856445ffb8a87860896030

Download Submit
C:\Users\Admin\AppData\Local\Temp\59fffe14-522d-48c5-9020-7b65d0846918.vbs

Filesize
718B

MD5
56da3e41ce856c46cb9ffdc68d41637f

SHA1
814e67c989db2897d5d6b0216d3bd5341442c562

SHA256
ef3e56705c7d60cad44f8d2676dae1bd6fe422035fa9a789b095022b592ac7bb

SHA512
3f66459b93f7130f782bc5ac87a9b48741e402a97f29b9180f0aed05e1de33a348f1b1259fda365c721eb3c88e248b2600391624c22f57af2571872e353a5868

Download Submit
C:\Users\Admin\AppData\Local\Temp\61e730ab-ca5e-4e15-947a-7d9238423603.vbs

Filesize
718B

MD5
52815085ba19776cb0cb6a263a8759ff

SHA1
042c65baf8159b946db7bde71ea73027c9c3a88d

SHA256
3e5ace49023e01c56136395a8653a72da0573e61fe4b30bf4d13c95acc3ddfd8

SHA512
029e8c803ca7088b3403cc018ebace7fc9e269f65dd463f13a0745d89e6d64534429ce90c55e503c1676b440afc04dcd49318b4704731006baea30ee4ec94a19

Download Submit
C:\Users\Admin\AppData\Local\Temp\852a9cb6-69b4-4b9c-b55e-be341b815e60.vbs

Filesize
718B

MD5
55b2d5fc2ef14534c8abcfa14f61bc7d

SHA1
f2557d7b6769203730c05a9aa35f17ec4b18abfd

SHA256
442a900c5c1ed56c6abad02a8f789b98ded5b6ed08b016d93ee86e77ba9b62c7

SHA512
719a706d23883b0aeb0929892b494e63874e7222fa30178c0fd60673afa79227572eb2d33f4dfaf82bee26862d86da6bd12883217c93dacf005a925252903b9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\KxjA3AGeGT.bat

Filesize
207B

MD5
42342b94c95550b09b05805c78b38447

SHA1
c439ce17fc6b79b67677f34b1b36ab6ecf33f454

SHA256
e575f39f1b2efb84193854670af2742a02bab4aad40138c9c9c1ed15ce8f77ce

SHA512
c6ee4f8cbf1953b049eee54d909129905bfae85098f8b137ba48ff8a5b152dddefe36591c88c2515a74930b1a1043fe94d23fd67f4411ae7b3ff6734d396e404

Download Submit
C:\Users\Admin\AppData\Local\Temp\a1f89319-80b0-4230-be04-815df537e79f.vbs

Filesize
718B

MD5
2e4e248b8826e1898aa4a3e13901dc52

SHA1
a81ff1097220de207d80ee84047216b48ae881a0

SHA256
3f73275878169a3aa123793abf3ac5b93d6d7b3fbffa5185854a5de076fb7ac6

SHA512
9a1421df8dd454db6cee50abb256b48592b0f683ef7664e270cd39f813bff6ad9a665bef0eb5bc59f56319f41ce0f83e3792179e4467e00d032727d9a77b5855

Download Submit
C:\Users\Admin\AppData\Local\Temp\a752ba4e-7274-47c4-afd5-1543d3642804.vbs

Filesize
718B

MD5
ad2d40f3019a4edeb5d849bbab275133

SHA1
4f0c62160123af5efd487085d5ad2e80a7773eed

SHA256
9e82476bcb488c48b986274df8ccf155f0c2fe04d20df1dccd1552e1e39d44a6

SHA512
8d855f8e5411b1d0aad009f1efbd15851d004a0272461b21f83b520344012d36efef1d5412fba6bdc55ea6a93602ba13b13953e08b25716ad0826d11563dab2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\d5360a7b-f16d-4b48-b90c-4cce900644cb.vbs

Filesize
718B

MD5
9381fe213ccfe7423e85b7faf0468ca6

SHA1
f2ddef3330a322f9f8b431931dfebb0cc91b1b57

SHA256
6d29023c8eb4b5eab8121d3893cf3e60560ae3e65fa10f77f460336c12e2d6f1

SHA512
542236ef030ac394dd961e03e88b808953ce753760faaa7f0e57f4041f6c162400b9b9bcbe434b6af26dfd8a13b8487ba377b58b241d3831ab0b7bfca99f8bd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\d7aac3df-1dd1-4c62-a613-aeb717582155.vbs

Filesize
718B

MD5
c8901a2972b22568cf11f9cd60c1f41d

SHA1
7a6b3cb786b0014745ddc248781b7a5782488438

SHA256
e45a56d97812e20e096cd23fd5095afcf438dbfece7d4c5f20f01099fd9b302b

SHA512
e03603b02be3393895df07ab2ae5123d2d8b12293b2511ed2bbf6db42098ef0eb349d70c64f71148c190117ceff6a704242f05a4549117b57cd4c0fc5400bdf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd61cf8e-3e1e-4117-8a3d-6c326065bd3a.vbs

Filesize
494B

MD5
158b71a5256ad6055f7ba3b07e12c815

SHA1
0d4f95aa3a3aa54f1a3e26a033e6682ed2f271a4

SHA256
245ba7ffd2529a332d91c2019a5e0d35ed688aa528b06bf2043b038200781334

SHA512
5e0a2aa94a5acb972d65bea7324a44fded25bd58eb1837e24b993503a897d11c6d757af6924453675f24e2a7ca668a22487693f0cb879ddbe5489894f3028fde

Download Submit
C:\Users\Admin\AppData\Local\Temp\e1513251-61f2-47d6-8f31-b629535f7644.vbs

Filesize
718B

MD5
ddae7fb1aee27694da235205ce5dc110

SHA1
82a8114919dd86f920b14eca77baff7ce8e3b2c8

SHA256
3c6a7009ffa8795f344289704f44d6f8bd640fdd726271094583abedb2f52f3b

SHA512
95d5ba8c5506ec99c0558e603560b4e3c42a1563e36e67e14da8aef780b5dc7ac1164d6f5e3e1bba72bddec6d0aed86b190e9a7f3a0cfd06da2e4462683dd344

Download Submit
C:\Users\Admin\AppData\Local\Temp\f4c2fbea-e054-4784-9126-2cffdade9ec2.vbs

Filesize
718B

MD5
3489873dd3f0559eed6a474be778bf0f

SHA1
66461a7a9488daf6e53344b92fdf53541ce14abe

SHA256
3d1ad3091b81672b434d446c4c71f754d8e21f9c0a1805b225149b35b6e42e65

SHA512
544ba0920eefd153016b549dbce781a993096d4d0f9b5c416ae59757acdd6d4c1651ba883e2c9eb0e479fa227055cb5b17da5b916bac00c3b5cbcaa307fc8dc6

Download Submit
C:\Windows\Speech_OneCore\Engines\SR\unsecapp.exe

Filesize
885KB

MD5
cc027f345eec8bb836216b98c2a013df

SHA1
f13c3e0e7c6d7938dfb97fb19a55cc47424b174e

SHA256
00bc028b5d4f9cdadf18888944bf27281bfe3299b051f9e4f20f129f5f45b400

SHA512
4740c0d83f273b50ccfd0a5a1b53a66782d9b811ce323b010a915ca78d6e844ed94b75e57eb8d97b06b1848679fa9ee5abc3b24e97fff8292050c1726449a2b6

Download Submit
memory/5800-0-0x00007FFD36FC3000-0x00007FFD36FC5000-memory.dmp

Filesize
8KB

Download
memory/5800-6-0x0000000002990000-0x00000000029A6000-memory.dmp

Filesize
88KB

Download
memory/5800-7-0x0000000002820000-0x000000000282A000-memory.dmp

Filesize
40KB

Download
memory/5800-244-0x00007FFD36FC0000-0x00007FFD37A81000-memory.dmp

Filesize
10.8MB

Download
memory/5800-8-0x000000001B3D0000-0x000000001B3DE000-memory.dmp

Filesize
56KB

Download
memory/5800-9-0x000000001B3E0000-0x000000001B3E8000-memory.dmp

Filesize
32KB

Download
memory/5800-10-0x000000001B3F0000-0x000000001B3FC000-memory.dmp

Filesize
48KB

Download
memory/5800-3-0x00000000027E0000-0x00000000027FC000-memory.dmp

Filesize
112KB

Download
memory/5800-4-0x000000001B950000-0x000000001B9A0000-memory.dmp

Filesize
320KB

Download
memory/5800-5-0x0000000002810000-0x0000000002820000-memory.dmp

Filesize
64KB

Download
memory/5800-2-0x00007FFD36FC0000-0x00007FFD37A81000-memory.dmp

Filesize
10.8MB

Download
memory/5800-1-0x0000000000690000-0x0000000000774000-memory.dmp

Filesize
912KB

Download