44caliber | a2d773d335de672b8b525f26483081ef86bdfbb524afdf3dab5922e66d864e96

Analysis

max time kernel
95s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 13:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

New Project 1.exe
Size

4.9MB
MD5

eace0ed3521967a36f02f3408a76689d
SHA1

54210340f93b45b7bd0eff93da29151a5e846174
SHA256

a2d773d335de672b8b525f26483081ef86bdfbb524afdf3dab5922e66d864e96
SHA512

9646a69340e263150fc05519576fdc4d07ef51cf05f974dfd4f94b866e896255ee469207b6181b976d253a2497a753439c1ec639897dbe7c0fb89674eaba6448
SSDEEP

98304:w409oEFvy98NF/4uhbfc7DdGnTYrhMiAV4i2BWWH:i/FayNFQKU7qstyKnJ

Score

10^/10

44caliber persistence spyware stealer

Malware Config

Extracted

Family

44caliber

https://discord.com/api/webhooks/1237112288494747648/RwLhzmD0ehxDiBdZsbgoSXVKoOkldpfaRP7ikjkQV9Ya8EVVXay-1UF3yarrrtlSnrpv

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\userinit.exe,C:\\Windows\\regid.1967-07.com.microsoft\\DogDAppxLogso.exe"	extreme.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\userinit.exe"	extreme.exe

Downloads MZ/PE file
Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	New Project 1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	extreme injector.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	extreme.exe

Executes dropped EXE 4 IoCs

pid	Process
4128	extreme.exe
3320	extreme injector.exe
3664	Extreme Injector v3.exe
4940	Insidious.exe

Loads dropped DLL 20 IoCs

pid	Process
972	Process not Found
4332	Process not Found
2872	Process not Found
1952	Process not Found
1916	WmiApSrv.exe
1392	Process not Found
4796	Process not Found
4604	Process not Found
3628	Process not Found
2312	Process not Found
2040	Process not Found
1160	Process not Found
2184	Process not Found
2984	Process not Found
3916	Process not Found
4328	Process not Found
3300	Process not Found
2184	Process not Found
808	Process not Found
4268	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Local\\amd64_microsoft-windows-f..client-applications_31bf3856ad364e35_10.0.19041.3636_none_ed91412UI917\\swapdrives.exe"	extreme.exe

Enumerates connected drives 3 TTPs 8 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
13	raw.githubusercontent.com
14	raw.githubusercontent.com
38	raw.githubusercontent.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
36	freegeoip.app
35	freegeoip.app

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe	extreme.exe
File opened for modification	C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe	extreme.exe
File opened for modification	C:\Windows\regid.1967-07.com.microsoft	extreme.exe
File created	C:\Windows\xdwd.dll	extreme.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe

Creates scheduled task(s) 1 TTPs 19 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
700	schtasks.exe
1108	schtasks.exe
3468	schtasks.exe
2016	schtasks.exe
4860	schtasks.exe
3856	schtasks.exe
2708	schtasks.exe
3136	schtasks.exe
3156	schtasks.exe
4984	schtasks.exe
3044	schtasks.exe
4492	schtasks.exe
2924	schtasks.exe
4208	schtasks.exe
1904	schtasks.exe
2176	schtasks.exe
3660	schtasks.exe
1412	schtasks.exe
3772	schtasks.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
2108	timeout.exe
2584	timeout.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
4908	taskkill.exe
3048	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	extreme injector.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Recognizers\\Tokens\\MS-1033-110-WINMO-DNN"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2804150937-2146708401-419095071-1000\{3155DC3B-0B61-4174-AB60-D5A3450FE70A}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2804150937-2146708401-419095071-1000\{101CB70E-AD54-4E5C-967F-74C1B6CA3B84}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2804150937-2146708401-419095071-1000\{8CF50016-D23B-4615-B1B3-68B96D719B56}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\MuiCache	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4940	Insidious.exe
4940	Insidious.exe
4940	Insidious.exe
4128	extreme.exe
4128	extreme.exe
4128	extreme.exe
4128	extreme.exe
4128	extreme.exe
4128	extreme.exe
4128	extreme.exe
4128	extreme.exe
4128	extreme.exe
4128	extreme.exe
4128	extreme.exe
4128	extreme.exe
4128	extreme.exe
4128	extreme.exe
4128	extreme.exe
4128	extreme.exe
4128	extreme.exe
4128	extreme.exe
4128	extreme.exe
4128	extreme.exe
4128	extreme.exe
4128	extreme.exe
4128	extreme.exe
4128	extreme.exe
4128	extreme.exe
4128	extreme.exe
4128	extreme.exe
4128	extreme.exe
4128	extreme.exe
4128	extreme.exe
4128	extreme.exe
4128	extreme.exe
4128	extreme.exe
4128	extreme.exe
4128	extreme.exe
4128	extreme.exe
4128	extreme.exe
4128	extreme.exe
4128	extreme.exe
4128	extreme.exe
4128	extreme.exe
4128	extreme.exe
4128	extreme.exe
4128	extreme.exe
4128	extreme.exe
4128	extreme.exe
4128	extreme.exe
4128	extreme.exe
4128	extreme.exe
4128	extreme.exe
4128	extreme.exe
4128	extreme.exe
4128	extreme.exe
4128	extreme.exe
4128	extreme.exe
4128	extreme.exe
4128	extreme.exe
4128	extreme.exe
4128	extreme.exe
4128	extreme.exe
4128	extreme.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4128	extreme.exe
Token: SeDebugPrivilege	4940	Insidious.exe
Token: SeDebugPrivilege	3664	Extreme Injector v3.exe
Token: 33	3664	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	3664	Extreme Injector v3.exe
Token: SeDebugPrivilege	3664	Extreme Injector v3.exe
Token: 33	3664	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	3664	Extreme Injector v3.exe
Token: 33	3664	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	3664	Extreme Injector v3.exe
Token: 33	3664	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	3664	Extreme Injector v3.exe
Token: 33	3664	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	3664	Extreme Injector v3.exe
Token: 33	3664	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	3664	Extreme Injector v3.exe
Token: 33	3664	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	3664	Extreme Injector v3.exe
Token: 33	3664	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	3664	Extreme Injector v3.exe
Token: 33	3664	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	3664	Extreme Injector v3.exe
Token: 33	3664	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	3664	Extreme Injector v3.exe
Token: 33	3664	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	3664	Extreme Injector v3.exe
Token: 33	3664	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	3664	Extreme Injector v3.exe
Token: 33	3664	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	3664	Extreme Injector v3.exe
Token: 33	3664	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	3664	Extreme Injector v3.exe
Token: 33	3664	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	3664	Extreme Injector v3.exe
Token: 33	3664	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	3664	Extreme Injector v3.exe
Token: 33	3664	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	3664	Extreme Injector v3.exe
Token: 33	3664	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	3664	Extreme Injector v3.exe
Token: 33	3664	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	3664	Extreme Injector v3.exe
Token: 33	3664	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	3664	Extreme Injector v3.exe
Token: 33	3664	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	3664	Extreme Injector v3.exe
Token: 33	3664	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	3664	Extreme Injector v3.exe
Token: 33	3664	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	3664	Extreme Injector v3.exe
Token: 33	3664	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	3664	Extreme Injector v3.exe
Token: 33	3664	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	3664	Extreme Injector v3.exe
Token: 33	3664	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	3664	Extreme Injector v3.exe
Token: 33	3664	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	3664	Extreme Injector v3.exe
Token: 33	3664	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	3664	Extreme Injector v3.exe
Token: 33	3664	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	3664	Extreme Injector v3.exe
Token: 33	3664	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	3664	Extreme Injector v3.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2804	explorer.exe
2804	explorer.exe
2804	explorer.exe
2804	explorer.exe
2804	explorer.exe
2804	explorer.exe
2804	explorer.exe
2804	explorer.exe
2804	explorer.exe
2804	explorer.exe
2804	explorer.exe
2804	explorer.exe
2804	explorer.exe
2804	explorer.exe
2804	explorer.exe
2804	explorer.exe
3580	explorer.exe
3580	explorer.exe
3580	explorer.exe
3580	explorer.exe
3580	explorer.exe
3580	explorer.exe
3580	explorer.exe
3580	explorer.exe
3580	explorer.exe
3580	explorer.exe
3580	explorer.exe
3580	explorer.exe
3580	explorer.exe
3580	explorer.exe
3580	explorer.exe
3580	explorer.exe
3580	explorer.exe
3580	explorer.exe
3580	explorer.exe
3580	explorer.exe
3580	explorer.exe
3580	explorer.exe
3580	explorer.exe
3580	explorer.exe
3580	explorer.exe
3580	explorer.exe
3580	explorer.exe
3580	explorer.exe
3580	explorer.exe
3580	explorer.exe
3580	explorer.exe
3580	explorer.exe
3580	explorer.exe
3580	explorer.exe
3580	explorer.exe
3580	explorer.exe
3580	explorer.exe
3580	explorer.exe
3580	explorer.exe
3580	explorer.exe
3580	explorer.exe
3580	explorer.exe
3580	explorer.exe
3580	explorer.exe
3580	explorer.exe
3580	explorer.exe
3580	explorer.exe
3580	explorer.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2804	explorer.exe
2804	explorer.exe
2804	explorer.exe
2804	explorer.exe
2804	explorer.exe
2804	explorer.exe
2804	explorer.exe
2804	explorer.exe
2804	explorer.exe
2804	explorer.exe
3580	explorer.exe
3580	explorer.exe
3580	explorer.exe
3580	explorer.exe
3580	explorer.exe
3580	explorer.exe
3580	explorer.exe
3580	explorer.exe
3580	explorer.exe
3580	explorer.exe
3580	explorer.exe
3580	explorer.exe
3580	explorer.exe
3580	explorer.exe
3580	explorer.exe
3580	explorer.exe
3580	explorer.exe
3580	explorer.exe
3580	explorer.exe
3580	explorer.exe
3580	explorer.exe
3580	explorer.exe
3580	explorer.exe
3580	explorer.exe
3580	explorer.exe
4488	explorer.exe
4488	explorer.exe
4488	explorer.exe
4488	explorer.exe
4488	explorer.exe
4488	explorer.exe
4488	explorer.exe
4488	explorer.exe
4488	explorer.exe
4488	explorer.exe
4488	explorer.exe
4488	explorer.exe
4488	explorer.exe
4488	explorer.exe
4488	explorer.exe
4488	explorer.exe
4488	explorer.exe
4488	explorer.exe
4488	explorer.exe
4488	explorer.exe
4488	explorer.exe
4488	explorer.exe
4488	explorer.exe
4488	explorer.exe
4488	explorer.exe
4488	explorer.exe
4488	explorer.exe
4488	explorer.exe
4284	explorer.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3888	StartMenuExperienceHost.exe
2288	StartMenuExperienceHost.exe
2632	SearchApp.exe
4480	StartMenuExperienceHost.exe
2068	SearchApp.exe
3656	StartMenuExperienceHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4544 wrote to memory of 4128	4544	New Project 1.exe	86
PID 4544 wrote to memory of 4128	4544	New Project 1.exe	86
PID 4544 wrote to memory of 3320	4544	New Project 1.exe	87
PID 4544 wrote to memory of 3320	4544	New Project 1.exe	87
PID 4544 wrote to memory of 3320	4544	New Project 1.exe	87
PID 3320 wrote to memory of 3664	3320	extreme injector.exe	91
PID 3320 wrote to memory of 3664	3320	extreme injector.exe	91
PID 3320 wrote to memory of 4940	3320	extreme injector.exe	92
PID 3320 wrote to memory of 4940	3320	extreme injector.exe	92
PID 4128 wrote to memory of 1728	4128	extreme.exe	103
PID 4128 wrote to memory of 1728	4128	extreme.exe	103
PID 1728 wrote to memory of 3044	1728	CMD.exe	105
PID 1728 wrote to memory of 3044	1728	CMD.exe	105
PID 4128 wrote to memory of 228	4128	extreme.exe	106
PID 4128 wrote to memory of 228	4128	extreme.exe	106
PID 228 wrote to memory of 4492	228	CMD.exe	108
PID 228 wrote to memory of 4492	228	CMD.exe	108
PID 4128 wrote to memory of 3888	4128	extreme.exe	109
PID 4128 wrote to memory of 3888	4128	extreme.exe	109
PID 3888 wrote to memory of 2924	3888	CMD.exe	111
PID 3888 wrote to memory of 2924	3888	CMD.exe	111
PID 4128 wrote to memory of 3524	4128	extreme.exe	112
PID 4128 wrote to memory of 3524	4128	extreme.exe	112
PID 3524 wrote to memory of 700	3524	CMD.exe	114
PID 3524 wrote to memory of 700	3524	CMD.exe	114
PID 4128 wrote to memory of 1564	4128	extreme.exe	116
PID 4128 wrote to memory of 1564	4128	extreme.exe	116
PID 1564 wrote to memory of 4860	1564	CMD.exe	118
PID 1564 wrote to memory of 4860	1564	CMD.exe	118
PID 4128 wrote to memory of 2064	4128	extreme.exe	121
PID 4128 wrote to memory of 2064	4128	extreme.exe	121
PID 2064 wrote to memory of 3856	2064	CMD.exe	123
PID 2064 wrote to memory of 3856	2064	CMD.exe	123
PID 4128 wrote to memory of 4536	4128	extreme.exe	124
PID 4128 wrote to memory of 4536	4128	extreme.exe	124
PID 4536 wrote to memory of 2176	4536	CMD.exe	126
PID 4536 wrote to memory of 2176	4536	CMD.exe	126
PID 4128 wrote to memory of 1412	4128	extreme.exe	128
PID 4128 wrote to memory of 1412	4128	extreme.exe	128
PID 1412 wrote to memory of 1108	1412	CMD.exe	130
PID 1412 wrote to memory of 1108	1412	CMD.exe	130
PID 4128 wrote to memory of 3792	4128	extreme.exe	131
PID 4128 wrote to memory of 3792	4128	extreme.exe	131
PID 3792 wrote to memory of 4208	3792	CMD.exe	133
PID 3792 wrote to memory of 4208	3792	CMD.exe	133
PID 4128 wrote to memory of 2064	4128	extreme.exe	135
PID 4128 wrote to memory of 2064	4128	extreme.exe	135
PID 2064 wrote to memory of 1904	2064	CMD.exe	137
PID 2064 wrote to memory of 1904	2064	CMD.exe	137
PID 4128 wrote to memory of 4320	4128	extreme.exe	138
PID 4128 wrote to memory of 4320	4128	extreme.exe	138
PID 4320 wrote to memory of 3660	4320	CMD.exe	140
PID 4320 wrote to memory of 3660	4320	CMD.exe	140
PID 4128 wrote to memory of 3832	4128	extreme.exe	141
PID 4128 wrote to memory of 3832	4128	extreme.exe	141
PID 3832 wrote to memory of 1412	3832	CMD.exe	143
PID 3832 wrote to memory of 1412	3832	CMD.exe	143
PID 4128 wrote to memory of 1748	4128	extreme.exe	144
PID 4128 wrote to memory of 1748	4128	extreme.exe	144
PID 1748 wrote to memory of 2708	1748	CMD.exe	146
PID 1748 wrote to memory of 2708	1748	CMD.exe	146
PID 4128 wrote to memory of 1604	4128	extreme.exe	147
PID 4128 wrote to memory of 1604	4128	extreme.exe	147
PID 1604 wrote to memory of 3156	1604	CMD.exe	149

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\New Project 1.exe
"C:\Users\Admin\AppData\Local\Temp\New Project 1.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4544
- C:\ProgramData\extreme.exe
  "C:\ProgramData\extreme.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4128
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "AssemblyBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1728
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "AssemblyBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe"
      4⤵
      Creates scheduled task(s)
      PID:3044
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:228
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:4492
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Svchost" /tr "C:\Users\Admin\AppData\Local\amd64_microsoft-windows-f..client-applications_31bf3856ad364e35_10.0.19041.3636_none_ed91412UI917\swapdrives.exe" /RL HIGHEST & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3888
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo 5 /tn "Svchost" /tr "C:\Users\Admin\AppData\Local\amd64_microsoft-windows-f..client-applications_31bf3856ad364e35_10.0.19041.3636_none_ed91412UI917\swapdrives.exe" /RL HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:2924
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3524
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:700
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1564
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:4860
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2064
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:3856
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4536
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:2176
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1412
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:1108
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3792
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:4208
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2064
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:1904
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4320
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:3660
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3832
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:1412
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1748
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:2708
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1604
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:3156
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit
    3⤵
    PID:3620
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:3772
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit
    3⤵
    PID:3660
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:4984
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit
    3⤵
    PID:2108
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:3468
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit
    3⤵
    PID:2312
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:2016
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit
    3⤵
    PID:1604
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:3136
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtASks /deLeTe /F /Tn "AssemblyBroker" & exit
    3⤵
    PID:2272
  - - C:\Windows\system32\schtasks.exe
      schtASks /deLeTe /F /Tn "AssemblyBroker"
      4⤵
      PID:4480
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /C taskkill /im explorer.exe /f
    3⤵
    PID:1732
  - - C:\Windows\system32\taskkill.exe
      taskkill /im explorer.exe /f
      4⤵
      Kills process with taskkill
      PID:4908
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtASks /deLeTe /F /Tn "Svchost" & exit
    3⤵
    PID:408
  - - C:\Windows\system32\schtasks.exe
      schtASks /deLeTe /F /Tn "Svchost"
      4⤵
      PID:4160
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp53E7.tmp.bat""
    3⤵
    PID:3200
  - - C:\Windows\system32\timeout.exe
      timeout 5
      4⤵
      Delays execution with timeout.exe
      PID:2108
  - - C:\Windows\explorer.exe
      explorer.exe
      4⤵
      Modifies Installed Components in the registry
      Enumerates connected drives
      Checks SCSI registry key(s)
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:2804
  - - C:\Windows\system32\taskkill.exe
      taskkill /im DogDAppxLogso.exe /f
      4⤵
      Kills process with taskkill
      PID:3048
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:2584
- C:\Users\Admin\AppData\Local\Temp\extreme injector.exe
  "C:\Users\Admin\AppData\Local\Temp\extreme injector.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3320
- - C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
    "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:3664
- - C:\Users\Admin\AppData\Local\Temp\Insidious.exe
    "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4940

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Loads dropped DLL
PID:1916

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:3888

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3580

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:2288

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2632

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SendNotifyMessage
PID:4488

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4480

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2068

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SendNotifyMessage
PID:4284

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3656

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies registry class
PID:3144

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4168

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3996

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1948

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4644

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4436

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4384

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3040

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4704

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:808

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1336

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2420

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3936

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:2708

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4016

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3428

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4004

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3452

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2588

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1812

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4084

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4268

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1924

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4612

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4544

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3996

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3132

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3660

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1056

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:2300

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:996

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\extreme.exe

Filesize
610KB

MD5
fc171c6dc3d5569ff7edd101a5e3b595

SHA1
ee7a10dcf4337812a07525b3158deca522d25f54

SHA256
2d267d4437ddd0caa02357b90606f4db625940e77029d898576c8e0f9f4e7a9b

SHA512
c01f725c290145982de52047d1c30148c15a41b146c7b6bf420d2f841da9fd413107edd0eac25ba836e83de1124768248fb2243860004b9e1bfe7a60d0d254c4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53

Filesize
471B

MD5
45654e26b54abaef678dbdb46a9eb535

SHA1
a23cc33fe546ee53bdb07589548d84c2101d6ab0

SHA256
329924597f143dd23c32377fbcbde16a057c28500ff47149dfc4768df5853030

SHA512
313a7c6066b6be2cad54272cab1931fdf6f42b68c3ee78fd06eb4f4574df788a2e9892be74bed3f6198aab652fa3dcf36ccfff9f777d62d3c1d51acd0cff7f9b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53

Filesize
412B

MD5
2e5ce8ffdc3d7902f3d94f9b6c78033d

SHA1
cb8b1efd1aea78cb24a28e7f6fec42cdbd4d603a

SHA256
1de178ba091095b8660ee96e289ed84ca1c26413d289e3f4cb64085c478f010c

SHA512
fb7f4a254ac3013a5f396826df9030ea0c2e171073ab197e0dc8b139bcc128741eac01ca6c94d58dc3ddf7d20128b9653d63609b7faea7c8c0f1a05adc9161bb

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbres

Filesize
2KB

MD5
08f6ecf287852084c55be983c95d2e74

SHA1
3bd5b10be525af1f1b001e36bbfc5434e461551a

SHA256
c5664db08032622154f5c9c1f1146cbb59303031ef487d4fc39c4db943104ed4

SHA512
397b1c443e36c355f198e0818957f55eabd93adbcc0deef6e9a8cc3039f7cb5416a178c5464b4c063de3aad9dc362e58d60449caf4689f6e432d2004ac72a162

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133608581040921214.txt

Filesize
75KB

MD5
79ea60e4feeffe4483ba2d0ea61852fb

SHA1
7d5921a1b6240cc717ad4f4478bbcfc42f3af8e8

SHA256
1e85f6cd486b20682b1a6af9f34e7993a558f3b5dccd1e80a55178847e794923

SHA512
4d0866c2b63af9570fa20bca628a6e67b3704d7ab5a8a1311fb614f38b54444cc6630390092282f075751cae38000a17e4bf1cb992a8900b0c72965c0b24dbf4

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\6KUWUA35\microsoft.windows[1].xml

Filesize
97B

MD5
689df38489ed790b0068b7f3cae1d440

SHA1
6df6ffaae31903b96024a7b81f25f1ed61c3f152

SHA256
fc336b0ef0f4f06ea66d92f25dd66dd1b0d697da62b5073ed5199fffac8a08aa

SHA512
1f26ccb99ee3babc3617eb635a75f02d34be865c200a866eb28024ad0d8ccbe4110b0dd1a3d2ab14fd84b2eb345fed8bb65a19437ff99c1b2d84e2b3ce9acbb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe

Filesize
1.9MB

MD5
ec801a7d4b72a288ec6c207bb9ff0131

SHA1
32eec2ae1f9e201516fa7fcdc16c4928f7997561

SHA256
b65f40618f584303ca0bcf9b5f88c233cc4237699c0c4bf40ba8facbe8195a46

SHA512
a07dd5e8241de73ce65ff8d74acef4942b85fc45cf6a7baafd3c0f9d330b08e7412f2023ba667e99b40e732a65e8fb4389f7fe73c7b6256ca71e63afe46cdcac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Insidious.exe

Filesize
281KB

MD5
b3cc053a740c79d2844a542e951b3335

SHA1
44fa83e0bfd8c7761ba8fbe0f687a53a062d89a0

SHA256
278704c25e1f4fb26e09a663ea2e0762510d02837ced1771d72c0240e3f9b993

SHA512
b7ffb66a9b7fa366dfc4b12978ad8d3555859ff526d8d1f8f9557ff22cf0cdf44369796722b22f0da28c79850f3cb16b3e9c49c8db2f8ab64e66661322f46cbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\extreme injector.exe

Filesize
3.3MB

MD5
2ffea9e69ec40e9f4337787a953e02f1

SHA1
5d2df0bec27c916a95b39d90f2c4cbfe485a4e29

SHA256
a0c52d8be54a2437a28412f63fd7bb700b15b10a6cf8640630fd35ed6bf68204

SHA512
6ecd979f26ef0095825dfe40123129a973dd2daccfa2e04eb0b71e8615d2abf439b134200abdec4794216d237b12c961520eb11f76277660807a859a919e1698

Download Submit
C:\Users\Admin\AppData\Local\Temp\settings.xml

Filesize
2KB

MD5
0df87974930ba183b4b1ee32cea01010

SHA1
66b76ac4e09813db754363caae3d4a7f3ffb2ca5

SHA256
4f31d7d4d724c62aaf984f011297099c00187e8394d3c85e7a1e1b3585a261bf

SHA512
01e07ffccec7bd55f8ae092247f70bf5bc960fcbb5facfd08ffeaaf6de97e0897feb135cb4b5424042c45afc8e0ea9ecdbfe18851e3d739e469bff913ea740ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp53E7.tmp.bat

Filesize
242B

MD5
aaea8999d8414b23876134eb8474602b

SHA1
9f315f48723b6b415b4882badeaf3eee660522a2

SHA256
36ad0c8d60cb1ca3f0e524fb082c26d96ac1cad0fc29cc0fd3c5f6330908d964

SHA512
678df7e285026e5334592f3718866834751f2480d453cc03163df5c7380f0b81f718baa873df89b9fc7abbc25aadb7754b8dfe11b93ddcab16fbc77378279eb5

Download Submit
C:\Windows\xdwd.dll

Filesize
136KB

MD5
16e5a492c9c6ae34c59683be9c51fa31

SHA1
97031b41f5c56f371c28ae0d62a2df7d585adaba

SHA256
35c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66

SHA512
20fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6

Download Submit
memory/808-1420-0x000001D6A7590000-0x000001D6A75B0000-memory.dmp

Filesize
128KB

Download
memory/808-1415-0x000001D6A6440000-0x000001D6A6540000-memory.dmp

Filesize
1024KB

Download
memory/808-1416-0x000001D6A6440000-0x000001D6A6540000-memory.dmp

Filesize
1024KB

Download
memory/808-1443-0x000001D6A7960000-0x000001D6A7980000-memory.dmp

Filesize
128KB

Download
memory/808-1430-0x000001D6A7550000-0x000001D6A7570000-memory.dmp

Filesize
128KB

Download
memory/1336-1552-0x00000000048C0000-0x00000000048C1000-memory.dmp

Filesize
4KB

Download
memory/1812-2000-0x00000000047A0000-0x00000000047A1000-memory.dmp

Filesize
4KB

Download
memory/1924-2138-0x0000000002F20000-0x0000000002F21000-memory.dmp

Filesize
4KB

Download
memory/1948-1156-0x0000023FA93F0000-0x0000023FA9410000-memory.dmp

Filesize
128KB

Download
memory/1948-1145-0x0000023FA8DE0000-0x0000023FA8E00000-memory.dmp

Filesize
128KB

Download
memory/1948-1134-0x0000023FA9020000-0x0000023FA9040000-memory.dmp

Filesize
128KB

Download
memory/2068-996-0x00000273C0FD0000-0x00000273C0FF0000-memory.dmp

Filesize
128KB

Download
memory/2068-1009-0x00000273C15E0000-0x00000273C1600000-memory.dmp

Filesize
128KB

Download
memory/2068-982-0x00000273C1220000-0x00000273C1240000-memory.dmp

Filesize
128KB

Download
memory/2588-1880-0x000001F6DBF90000-0x000001F6DBFB0000-memory.dmp

Filesize
128KB

Download
memory/2588-1858-0x000001F6DBBC0000-0x000001F6DBBE0000-memory.dmp

Filesize
128KB

Download
memory/2588-1867-0x000001F6DBB80000-0x000001F6DBBA0000-memory.dmp

Filesize
128KB

Download
memory/2588-1853-0x000001F6DAB00000-0x000001F6DAC00000-memory.dmp

Filesize
1024KB

Download
memory/2632-854-0x000001EA8FB40000-0x000001EA8FB60000-memory.dmp

Filesize
128KB

Download
memory/2632-855-0x000001EA8FF50000-0x000001EA8FF70000-memory.dmp

Filesize
128KB

Download
memory/2632-824-0x000001EA8FB80000-0x000001EA8FBA0000-memory.dmp

Filesize
128KB

Download
memory/2632-820-0x000001EA8EA20000-0x000001EA8EB20000-memory.dmp

Filesize
1024KB

Download
memory/2632-819-0x000001EA8EA20000-0x000001EA8EB20000-memory.dmp

Filesize
1024KB

Download
memory/2708-1703-0x0000000003270000-0x0000000003271000-memory.dmp

Filesize
4KB

Download
memory/3040-1413-0x0000000004150000-0x0000000004151000-memory.dmp

Filesize
4KB

Download
memory/3320-87-0x0000000000400000-0x0000000000743000-memory.dmp

Filesize
3.3MB

Download
memory/3428-1719-0x000001C341460000-0x000001C341480000-memory.dmp

Filesize
128KB

Download
memory/3428-1731-0x000001C341A80000-0x000001C341AA0000-memory.dmp

Filesize
128KB

Download
memory/3428-1711-0x000001C3414A0000-0x000001C3414C0000-memory.dmp

Filesize
128KB

Download
memory/3580-818-0x0000000003010000-0x0000000003011000-memory.dmp

Filesize
4KB

Download
memory/3664-240-0x000000001C860000-0x000000001C89C000-memory.dmp

Filesize
240KB

Download
memory/3664-239-0x000000001BAC0000-0x000000001BAD2000-memory.dmp

Filesize
72KB

Download
memory/3664-197-0x0000000000AA0000-0x0000000000C86000-memory.dmp

Filesize
1.9MB

Download
memory/3936-1556-0x000002EADDB70000-0x000002EADDC70000-memory.dmp

Filesize
1024KB

Download
memory/3936-1571-0x000002EADEA90000-0x000002EADEAB0000-memory.dmp

Filesize
128KB

Download
memory/3936-1582-0x000002EADF0A0000-0x000002EADF0C0000-memory.dmp

Filesize
128KB

Download
memory/3936-1554-0x000002EADDB70000-0x000002EADDC70000-memory.dmp

Filesize
1024KB

Download
memory/3936-1559-0x000002EADEAD0000-0x000002EADEAF0000-memory.dmp

Filesize
128KB

Download
memory/4004-1852-0x0000000004300000-0x0000000004301000-memory.dmp

Filesize
4KB

Download
memory/4128-370-0x000000001C1D0000-0x000000001C246000-memory.dmp

Filesize
472KB

Download
memory/4128-374-0x0000000002690000-0x000000000269C000-memory.dmp

Filesize
48KB

Download
memory/4128-378-0x000000001BF10000-0x000000001BF2E000-memory.dmp

Filesize
120KB

Download
memory/4128-380-0x00007FFCA7FD3000-0x00007FFCA7FD5000-memory.dmp

Filesize
8KB

Download
memory/4128-77-0x0000000000610000-0x00000000006AC000-memory.dmp

Filesize
624KB

Download
memory/4128-80-0x00007FFCA7FD3000-0x00007FFCA7FD5000-memory.dmp

Filesize
8KB

Download
memory/4168-1126-0x0000000004E40000-0x0000000004E41000-memory.dmp

Filesize
4KB

Download
memory/4268-2006-0x000001D457340000-0x000001D457360000-memory.dmp

Filesize
128KB

Download
memory/4268-2001-0x000001D456200000-0x000001D456300000-memory.dmp

Filesize
1024KB

Download
memory/4268-2019-0x000001D457300000-0x000001D457320000-memory.dmp

Filesize
128KB

Download
memory/4268-2030-0x000001D457710000-0x000001D457730000-memory.dmp

Filesize
128KB

Download
memory/4268-2003-0x000001D456200000-0x000001D456300000-memory.dmp

Filesize
1024KB

Download
memory/4284-1124-0x0000000004360000-0x0000000004361000-memory.dmp

Filesize
4KB

Download
memory/4384-1299-0x000001D0A3230000-0x000001D0A3250000-memory.dmp

Filesize
128KB

Download
memory/4384-1270-0x000001D0A1D00000-0x000001D0A1E00000-memory.dmp

Filesize
1024KB

Download
memory/4384-1275-0x000001D0A2E60000-0x000001D0A2E80000-memory.dmp

Filesize
128KB

Download
memory/4384-1271-0x000001D0A1D00000-0x000001D0A1E00000-memory.dmp

Filesize
1024KB

Download
memory/4384-1287-0x000001D0A2E20000-0x000001D0A2E40000-memory.dmp

Filesize
128KB

Download
memory/4488-976-0x0000000004DF0000-0x0000000004DF1000-memory.dmp

Filesize
4KB

Download
memory/4544-0-0x0000000000400000-0x00000000008E6000-memory.dmp

Filesize
4.9MB

Download
memory/4544-2140-0x000001FB3A560000-0x000001FB3A660000-memory.dmp

Filesize
1024KB

Download
memory/4544-2144-0x000001FB3B4C0000-0x000001FB3B4E0000-memory.dmp

Filesize
128KB

Download
memory/4644-1268-0x0000000004530000-0x0000000004531000-memory.dmp

Filesize
4KB

Download
memory/4940-208-0x0000018FA9B10000-0x0000018FA9B5C000-memory.dmp

Filesize
304KB

Download