44caliber | a2d773d335de672b8b525f26483081ef86bdfbb524afdf3dab5922e66d864e96

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 17:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NewProject1.exe
Size

4.9MB
MD5

eace0ed3521967a36f02f3408a76689d
SHA1

54210340f93b45b7bd0eff93da29151a5e846174
SHA256

a2d773d335de672b8b525f26483081ef86bdfbb524afdf3dab5922e66d864e96
SHA512

9646a69340e263150fc05519576fdc4d07ef51cf05f974dfd4f94b866e896255ee469207b6181b976d253a2497a753439c1ec639897dbe7c0fb89674eaba6448
SSDEEP

98304:w409oEFvy98NF/4uhbfc7DdGnTYrhMiAV4i2BWWH:i/FayNFQKU7qstyKnJ

Score

10^/10

44caliber persistence spyware stealer

Malware Config

Extracted

Family

44caliber

https://discord.com/api/webhooks/1237112288494747648/RwLhzmD0ehxDiBdZsbgoSXVKoOkldpfaRP7ikjkQV9Ya8EVVXay-1UF3yarrrtlSnrpv

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\userinit.exe,C:\\Windows\\regid.1967-07.com.microsoft\\DogDAppxLogso.exe"	extreme.exe

Downloads MZ/PE file
Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	NewProject1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	extreme injector.exe

Executes dropped EXE 4 IoCs

pid	Process
2076	extreme.exe
3024	extreme injector.exe
2052	Extreme Injector v3.exe
2376	Insidious.exe

Loads dropped DLL 41 IoCs

pid	Process
2888	Process not Found
1880	Process not Found
1052	Process not Found
2952	Process not Found
840	Process not Found
3212	Process not Found
2272	Process not Found
3588	Process not Found
1132	Process not Found
2856	Process not Found
2776	Process not Found
1236	Process not Found
4056	Process not Found
2856	Process not Found
4696	Process not Found
1688	Process not Found
4652	Process not Found
2420	Process not Found
1012	Process not Found
2556	Process not Found
3132	Process not Found
3320	Process not Found
2156	Process not Found
1204	Process not Found
4168	Process not Found
3692	Process not Found
4308	Process not Found
1900	Process not Found
2996	Process not Found
1064	Process not Found
2628	Process not Found
3984	Process not Found
4120	Process not Found
452	Process not Found
1064	Process not Found
4404	Process not Found
2272	Process not Found
3484	Process not Found
1224	Process not Found
3664	Process not Found
2380	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Local\\amd64_microsoft-windows-f..client-applications_31bf3856ad364e35_10.0.19041.3636_none_ed91412UI917\\swapdrives.exe"	extreme.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
20	raw.githubusercontent.com
38	raw.githubusercontent.com
19	raw.githubusercontent.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
35	freegeoip.app
36	freegeoip.app

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe	extreme.exe
File opened for modification	C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe	extreme.exe
File opened for modification	C:\Windows\regid.1967-07.com.microsoft	extreme.exe
File created	C:\Windows\xdwd.dll	extreme.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 43 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
5032	schtasks.exe
4364	schtasks.exe
1304	schtasks.exe
4720	schtasks.exe
3240	schtasks.exe
1476	schtasks.exe
4452	schtasks.exe
2856	schtasks.exe
5044	schtasks.exe
684	schtasks.exe
2836	schtasks.exe
3932	schtasks.exe
1628	schtasks.exe
2020	schtasks.exe
2956	schtasks.exe
2128	schtasks.exe
864	schtasks.exe
1236	schtasks.exe
3136	schtasks.exe
1844	schtasks.exe
2840	schtasks.exe
3852	schtasks.exe
380	schtasks.exe
1100	schtasks.exe
2376	schtasks.exe
3952	schtasks.exe
1620	schtasks.exe
5088	schtasks.exe
2168	schtasks.exe
424	schtasks.exe
4636	schtasks.exe
1568	schtasks.exe
3300	schtasks.exe
2452	schtasks.exe
4656	schtasks.exe
2988	schtasks.exe
2836	schtasks.exe
5056	schtasks.exe
3680	schtasks.exe
4560	schtasks.exe
1060	schtasks.exe
2500	schtasks.exe
1072	schtasks.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	NewProject1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	extreme injector.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2376	Insidious.exe
2376	Insidious.exe
2376	Insidious.exe
2376	Insidious.exe
2076	extreme.exe
2076	extreme.exe
2076	extreme.exe
2076	extreme.exe
2076	extreme.exe
2076	extreme.exe
2076	extreme.exe
2076	extreme.exe
2076	extreme.exe
2076	extreme.exe
2076	extreme.exe
2076	extreme.exe
2076	extreme.exe
2076	extreme.exe
2076	extreme.exe
2076	extreme.exe
2076	extreme.exe
2076	extreme.exe
2076	extreme.exe
2076	extreme.exe
2076	extreme.exe
2076	extreme.exe
2076	extreme.exe
2076	extreme.exe
2076	extreme.exe
2076	extreme.exe
2076	extreme.exe
2076	extreme.exe
2076	extreme.exe
2076	extreme.exe
2076	extreme.exe
2076	extreme.exe
2076	extreme.exe
2076	extreme.exe
2076	extreme.exe
2076	extreme.exe
2076	extreme.exe
2076	extreme.exe
2076	extreme.exe
2076	extreme.exe
2076	extreme.exe
2076	extreme.exe
2076	extreme.exe
2076	extreme.exe
2076	extreme.exe
2076	extreme.exe
2076	extreme.exe
2076	extreme.exe
2076	extreme.exe
2076	extreme.exe
2076	extreme.exe
2076	extreme.exe
2076	extreme.exe
2076	extreme.exe
2076	extreme.exe
2076	extreme.exe
2076	extreme.exe
2076	extreme.exe
2076	extreme.exe
2076	extreme.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2076	extreme.exe
Token: SeDebugPrivilege	2376	Insidious.exe
Token: SeDebugPrivilege	2052	Extreme Injector v3.exe
Token: 33	2052	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2052	Extreme Injector v3.exe
Token: SeDebugPrivilege	2052	Extreme Injector v3.exe
Token: 33	2052	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2052	Extreme Injector v3.exe
Token: 33	2052	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2052	Extreme Injector v3.exe
Token: 33	2052	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2052	Extreme Injector v3.exe
Token: 33	2052	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2052	Extreme Injector v3.exe
Token: 33	2052	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2052	Extreme Injector v3.exe
Token: 33	2052	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2052	Extreme Injector v3.exe
Token: 33	2052	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2052	Extreme Injector v3.exe
Token: 33	2052	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2052	Extreme Injector v3.exe
Token: 33	2052	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2052	Extreme Injector v3.exe
Token: 33	2052	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2052	Extreme Injector v3.exe
Token: 33	2052	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2052	Extreme Injector v3.exe
Token: 33	2052	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2052	Extreme Injector v3.exe
Token: 33	2052	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2052	Extreme Injector v3.exe
Token: 33	2052	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2052	Extreme Injector v3.exe
Token: 33	2052	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2052	Extreme Injector v3.exe
Token: 33	2052	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2052	Extreme Injector v3.exe
Token: 33	2052	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2052	Extreme Injector v3.exe
Token: 33	2052	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2052	Extreme Injector v3.exe
Token: 33	2052	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2052	Extreme Injector v3.exe
Token: 33	2052	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2052	Extreme Injector v3.exe
Token: 33	2052	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2052	Extreme Injector v3.exe
Token: 33	2052	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2052	Extreme Injector v3.exe
Token: 33	2052	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2052	Extreme Injector v3.exe
Token: 33	2052	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2052	Extreme Injector v3.exe
Token: 33	2052	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2052	Extreme Injector v3.exe
Token: 33	2052	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2052	Extreme Injector v3.exe
Token: 33	2052	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2052	Extreme Injector v3.exe
Token: 33	2052	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2052	Extreme Injector v3.exe
Token: 33	2052	Extreme Injector v3.exe
Token: SeIncBasePriorityPrivilege	2052	Extreme Injector v3.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1472 wrote to memory of 2076	1472	NewProject1.exe	95
PID 1472 wrote to memory of 2076	1472	NewProject1.exe	95
PID 1472 wrote to memory of 3024	1472	NewProject1.exe	96
PID 1472 wrote to memory of 3024	1472	NewProject1.exe	96
PID 1472 wrote to memory of 3024	1472	NewProject1.exe	96
PID 3024 wrote to memory of 2052	3024	extreme injector.exe	100
PID 3024 wrote to memory of 2052	3024	extreme injector.exe	100
PID 3024 wrote to memory of 2376	3024	extreme injector.exe	101
PID 3024 wrote to memory of 2376	3024	extreme injector.exe	101
PID 2076 wrote to memory of 764	2076	extreme.exe	113
PID 2076 wrote to memory of 764	2076	extreme.exe	113
PID 764 wrote to memory of 2376	764	CMD.exe	115
PID 764 wrote to memory of 2376	764	CMD.exe	115
PID 2076 wrote to memory of 1732	2076	extreme.exe	116
PID 2076 wrote to memory of 1732	2076	extreme.exe	116
PID 1732 wrote to memory of 4636	1732	CMD.exe	118
PID 1732 wrote to memory of 4636	1732	CMD.exe	118
PID 2076 wrote to memory of 1116	2076	extreme.exe	119
PID 2076 wrote to memory of 1116	2076	extreme.exe	119
PID 1116 wrote to memory of 1236	1116	CMD.exe	121
PID 1116 wrote to memory of 1236	1116	CMD.exe	121
PID 2076 wrote to memory of 4564	2076	extreme.exe	122
PID 2076 wrote to memory of 4564	2076	extreme.exe	122
PID 4564 wrote to memory of 2452	4564	CMD.exe	124
PID 4564 wrote to memory of 2452	4564	CMD.exe	124
PID 2076 wrote to memory of 5020	2076	extreme.exe	125
PID 2076 wrote to memory of 5020	2076	extreme.exe	125
PID 5020 wrote to memory of 4720	5020	CMD.exe	127
PID 5020 wrote to memory of 4720	5020	CMD.exe	127
PID 2076 wrote to memory of 4056	2076	extreme.exe	128
PID 2076 wrote to memory of 4056	2076	extreme.exe	128
PID 4056 wrote to memory of 2500	4056	CMD.exe	130
PID 4056 wrote to memory of 2500	4056	CMD.exe	130
PID 2076 wrote to memory of 4164	2076	extreme.exe	131
PID 2076 wrote to memory of 4164	2076	extreme.exe	131
PID 4164 wrote to memory of 3932	4164	CMD.exe	133
PID 4164 wrote to memory of 3932	4164	CMD.exe	133
PID 2076 wrote to memory of 1384	2076	extreme.exe	135
PID 2076 wrote to memory of 1384	2076	extreme.exe	135
PID 1384 wrote to memory of 1628	1384	CMD.exe	137
PID 1384 wrote to memory of 1628	1384	CMD.exe	137
PID 2076 wrote to memory of 4404	2076	extreme.exe	138
PID 2076 wrote to memory of 4404	2076	extreme.exe	138
PID 4404 wrote to memory of 3240	4404	CMD.exe	140
PID 4404 wrote to memory of 3240	4404	CMD.exe	140
PID 2076 wrote to memory of 1360	2076	extreme.exe	142
PID 2076 wrote to memory of 1360	2076	extreme.exe	142
PID 1360 wrote to memory of 3952	1360	CMD.exe	144
PID 1360 wrote to memory of 3952	1360	CMD.exe	144
PID 2076 wrote to memory of 4224	2076	extreme.exe	145
PID 2076 wrote to memory of 4224	2076	extreme.exe	145
PID 4224 wrote to memory of 1476	4224	CMD.exe	147
PID 4224 wrote to memory of 1476	4224	CMD.exe	147
PID 2076 wrote to memory of 2280	2076	extreme.exe	148
PID 2076 wrote to memory of 2280	2076	extreme.exe	148
PID 2280 wrote to memory of 1844	2280	CMD.exe	150
PID 2280 wrote to memory of 1844	2280	CMD.exe	150
PID 2076 wrote to memory of 4356	2076	extreme.exe	151
PID 2076 wrote to memory of 4356	2076	extreme.exe	151
PID 4356 wrote to memory of 4656	4356	CMD.exe	153
PID 4356 wrote to memory of 4656	4356	CMD.exe	153
PID 2076 wrote to memory of 4532	2076	extreme.exe	154
PID 2076 wrote to memory of 4532	2076	extreme.exe	154
PID 4532 wrote to memory of 1072	4532	CMD.exe	156

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\NewProject1.exe
"C:\Users\Admin\AppData\Local\Temp\NewProject1.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1472
- C:\ProgramData\extreme.exe
  "C:\ProgramData\extreme.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2076
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "AssemblyBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:764
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "AssemblyBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe"
      4⤵
      Creates scheduled task(s)
      PID:2376
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1732
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:4636
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Svchost" /tr "C:\Users\Admin\AppData\Local\amd64_microsoft-windows-f..client-applications_31bf3856ad364e35_10.0.19041.3636_none_ed91412UI917\swapdrives.exe" /RL HIGHEST & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1116
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo 5 /tn "Svchost" /tr "C:\Users\Admin\AppData\Local\amd64_microsoft-windows-f..client-applications_31bf3856ad364e35_10.0.19041.3636_none_ed91412UI917\swapdrives.exe" /RL HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:1236
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4564
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:2452
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5020
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:4720
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4056
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:2500
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4164
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:3932
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1384
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:1628
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4404
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:3240
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1360
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:3952
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4224
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:1476
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2280
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:1844
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4356
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:4656
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4532
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:1072
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit
    3⤵
    PID:640
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:2840
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit
    3⤵
    PID:2280
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:1568
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit
    3⤵
    PID:2776
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:3852
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit
    3⤵
    PID:3580
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:4452
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit
    3⤵
    PID:4564
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:2856
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit
    3⤵
    PID:424
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:3300
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit
    3⤵
    PID:2724
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:5044
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit
    3⤵
    PID:4168
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:4364
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit
    3⤵
    PID:4476
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:2988
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit
    3⤵
    PID:372
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:2836
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit
    3⤵
    PID:2756
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:3136
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit
    3⤵
    PID:5044
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:5056
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit
    3⤵
    PID:752
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:2020
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit
    3⤵
    PID:4512
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:1620
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit
    3⤵
    PID:2500
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:3680
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit
    3⤵
    PID:2708
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:1304
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit
    3⤵
    PID:3112
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:4560
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit
    3⤵
    PID:2776
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:2956
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit
    3⤵
    PID:2388
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:380
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit
    3⤵
    PID:3356
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:5032
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit
    3⤵
    PID:1044
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:684
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit
    3⤵
    PID:3812
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:5088
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit
    3⤵
    PID:1612
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:2168
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit
    3⤵
    PID:1476
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:1060
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit
    3⤵
    PID:740
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:2836
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit
    3⤵
    PID:4720
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:2128
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit
    3⤵
    PID:1360
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:864
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit
    3⤵
    PID:3680
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:424
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST & exit
    3⤵
    PID:1072
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /create /f /sc minute /mo -1 /tn "RuntimeBroker" /tr "C:\Windows\regid.1967-07.com.microsoft\DogDAppxLogso.exe" /RL HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:1100
- C:\Users\Admin\AppData\Local\Temp\extreme injector.exe
  "C:\Users\Admin\AppData\Local\Temp\extreme injector.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3024
- - C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
    "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2052
- - C:\Users\Admin\AppData\Local\Temp\Insidious.exe
    "C:\Users\Admin\AppData\Local\Temp\Insidious.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3772,i,5711962389779687290,1245653010537220991,262144 --variations-seed-version --mojo-platform-channel-handle=4124 /prefetch:8
1⤵
PID:4744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\extreme.exe

Filesize
610KB

MD5
fc171c6dc3d5569ff7edd101a5e3b595

SHA1
ee7a10dcf4337812a07525b3158deca522d25f54

SHA256
2d267d4437ddd0caa02357b90606f4db625940e77029d898576c8e0f9f4e7a9b

SHA512
c01f725c290145982de52047d1c30148c15a41b146c7b6bf420d2f841da9fd413107edd0eac25ba836e83de1124768248fb2243860004b9e1bfe7a60d0d254c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe

Filesize
1.9MB

MD5
ec801a7d4b72a288ec6c207bb9ff0131

SHA1
32eec2ae1f9e201516fa7fcdc16c4928f7997561

SHA256
b65f40618f584303ca0bcf9b5f88c233cc4237699c0c4bf40ba8facbe8195a46

SHA512
a07dd5e8241de73ce65ff8d74acef4942b85fc45cf6a7baafd3c0f9d330b08e7412f2023ba667e99b40e732a65e8fb4389f7fe73c7b6256ca71e63afe46cdcac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Insidious.exe

Filesize
281KB

MD5
b3cc053a740c79d2844a542e951b3335

SHA1
44fa83e0bfd8c7761ba8fbe0f687a53a062d89a0

SHA256
278704c25e1f4fb26e09a663ea2e0762510d02837ced1771d72c0240e3f9b993

SHA512
b7ffb66a9b7fa366dfc4b12978ad8d3555859ff526d8d1f8f9557ff22cf0cdf44369796722b22f0da28c79850f3cb16b3e9c49c8db2f8ab64e66661322f46cbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\extreme injector.exe

Filesize
3.3MB

MD5
2ffea9e69ec40e9f4337787a953e02f1

SHA1
5d2df0bec27c916a95b39d90f2c4cbfe485a4e29

SHA256
a0c52d8be54a2437a28412f63fd7bb700b15b10a6cf8640630fd35ed6bf68204

SHA512
6ecd979f26ef0095825dfe40123129a973dd2daccfa2e04eb0b71e8615d2abf439b134200abdec4794216d237b12c961520eb11f76277660807a859a919e1698

Download Submit
C:\Windows\xdwd.dll

Filesize
136KB

MD5
16e5a492c9c6ae34c59683be9c51fa31

SHA1
97031b41f5c56f371c28ae0d62a2df7d585adaba

SHA256
35c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66

SHA512
20fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6

Download Submit
memory/1472-0-0x0000000000400000-0x00000000008E6000-memory.dmp

Filesize
4.9MB

Download
memory/2052-236-0x000000001C150000-0x000000001C18C000-memory.dmp

Filesize
240KB

Download
memory/2052-235-0x000000001BED0000-0x000000001BEE2000-memory.dmp

Filesize
72KB

Download
memory/2052-196-0x00000000000D0000-0x00000000002B6000-memory.dmp

Filesize
1.9MB

Download
memory/2076-77-0x0000000000F90000-0x000000000102C000-memory.dmp

Filesize
624KB

Download
memory/2076-80-0x00007FFC049D3000-0x00007FFC049D5000-memory.dmp

Filesize
8KB

Download
memory/2076-369-0x00007FFC049D3000-0x00007FFC049D5000-memory.dmp

Filesize
8KB

Download
memory/2376-208-0x0000021594C60000-0x0000021594CAC000-memory.dmp

Filesize
304KB

Download
memory/3024-87-0x0000000000400000-0x0000000000743000-memory.dmp

Filesize
3.3MB

Download