Windows Analysis Report
Extreme Injector v3.1.exe

Overview

General Information

Sample name: Extreme Injector v3.1.exe
Analysis ID: 1658751
MD5: 439747324774204bf172a363847d8966
SHA1: f5641e7dc34ff9f9063f4d6060242b3a541791f3
SHA256: 4faafea0f38ca06ae2405c470ac79e8e7af610236bc04f3bbc64592c4f0c88aa
Tags: exe, user-aachum

Detection

Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Queries memory information (via WMI often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
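
The following is an added example, not part of the Joe Sandbox report and not code from the sample: Python detection logic approximating the Sigma rules named above (encoded MpPreference cmdlet, insecure execution policy, script interpreter run from a Temp folder, schtasks/netsh persistence, Winlogon Userinit, AppInit_DLLs and Run-key changes), run over constructed Sysmon-style events. The command lines are built from the templates visible in the decrypted strings under AV Detection (schtasks /create /sc minute, netsh advfirewall add rule, %UserProfile%\System32\Defender.exe, userinit.exe, xdwd.dll); the event field names, rule names, task name, SID and the exact paths are assumptions.

```python
"""Sigma-style checks for the behaviours in the Signatures list, run over constructed
Sysmon-like events. Added example; not part of the Joe Sandbox report."""
import base64
import re

SUSPICIOUS_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\", "\\users\\public\\")
INTERPRETERS = ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe")
DEFAULT_USERINIT = "c:\\windows\\system32\\userinit.exe,"   # stock value, trailing comma included

def encode_ps(script):
    """powershell -EncodedCommand takes base64 of the UTF-16LE script text."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")

def decode_encoded_command(cmdline):
    """Return the decoded -e/-ec/-enc/-EncodedCommand payload, or None if absent/invalid."""
    m = re.search(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def check_process(ev):
    """Rules for process-creation events (Sysmon ID 1 / Security 4688)."""
    exe = ev.get("Image", "").lower().rsplit("\\", 1)[-1]
    cl = ev.get("CommandLine", "")
    low = cl.lower()
    hits = []
    decoded = decode_encoded_command(cl) if exe in ("powershell.exe", "pwsh.exe") else None
    if decoded and re.search(r"(add|set)-mppreference", decoded, re.I):
        hits.append("powershell_base64_mppreference")
    if re.search(r"-e(?:p|x\w*)\s+(bypass|unrestricted)", low):
        hits.append("powershell_policy_insecure")
    if exe in INTERPRETERS and any(d in low for d in SUSPICIOUS_DIRS):
        hits.append("script_interpreter_suspicious_folder")
    if ("schtasks" in low and "/create" in low and "/sc minute" in low
            and "/rl highest" in low and "\\users\\" in low):
        hits.append("schtasks_minute_highest_userprofile")
    if ("netsh" in low and "advfirewall" in low and "action=allow" in low
            and re.search(r'program="[a-z]:\\users\\', low)):
        hits.append("netsh_firewall_allow_user_program")
    return hits

def check_registry(ev):
    """Rules for registry value-set events (Sysmon ID 13)."""
    key = ev.get("TargetObject", "").lower()
    val = ev.get("Details", "")
    hits = []
    if key.endswith("\\winlogon\\userinit") and val.lower().strip() != DEFAULT_USERINIT:
        hits.append("winlogon_userinit_modified")
    if key.endswith("\\windows\\appinit_dlls") and val.strip():
        hits.append("appinit_dlls_set")
    if "\\currentversion\\run\\" in key and any(
            d in val.lower() for d in SUSPICIOUS_DIRS + ("\\appdata\\roaming\\",)):
        hits.append("run_key_suspicious_folder")
    return hits

def scan(events):
    """Map event index -> fired rule names, for events that fired at least one rule."""
    out = {}
    for i, ev in enumerate(events):
        hits = check_process(ev) if ev["type"] == "process" else check_registry(ev)
        if hits:
            out[i] = hits
    return out

PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
CMD = "C:\\Windows\\System32\\cmd.exe"
# Constructed events (not taken from the report); command lines follow the templates
# seen in the decrypted strings. Paths, task name and SID are made up for the example.
SAMPLE_EVENTS = [
    {"type": "process", "Image": PS, "CommandLine":
     "powershell.exe -ExecutionPolicy Bypass -NoProfile -EncodedCommand "
     + encode_ps("Add-MpPreference -ExclusionPath 'C:\\Users\\user\\AppData\\Local\\Temp'")},
    {"type": "process", "Image": CMD, "CommandLine":
     'cmd /c schtasks /create /f /sc minute /mo 1 /RL HIGHEST /tn "ExampleTask" '
     '/tr "C:\\Users\\user\\System32\\Defender.exe"'},
    {"type": "process", "Image": CMD, "CommandLine":
     'cmd /c netsh advfirewall firewall add rule name="Defender" dir=in action=allow '
     'program="C:\\Users\\user\\System32\\Defender.exe" enable=yes & exit'},
    {"type": "process", "Image": PS, "CommandLine":
     "powershell -ep bypass -File C:\\Users\\user\\AppData\\Local\\Temp\\run.ps1"},
    {"type": "process", "Image": PS, "CommandLine":
     "powershell.exe -NoProfile -Command Get-Date"},          # benign control, no hit
    {"type": "registry", "TargetObject":
     "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit",
     "Details": "C:\\Windows\\System32\\userinit.exe,C:\\Users\\user\\Web\\MalwareDef.exe"},
    {"type": "registry", "TargetObject":
     "HKU\\S-1-5-21-1111111111-2222222222-3333333333-1001\\Software\\Microsoft\\"
     "Windows\\CurrentVersion\\Run\\Defender",
     "Details": "C:\\Users\\user\\AppData\\Local\\Temp\\4ede09p1vbo55pnv.exe"},
    {"type": "registry", "TargetObject":
     "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_DLLs",
     "Details": "C:\\Windows\\xdwd.dll"},
]

if __name__ == "__main__":
    for i, hits in scan(SAMPLE_EVENTS).items():
        ev = SAMPLE_EVENTS[i]
        print(i, ev.get("CommandLine") or ev.get("TargetObject"), "->", ", ".join(hits))
```

The decisive step for the MpPreference rule is decoding the `-EncodedCommand` argument as base64 of UTF-16LE text; a rule that only greps the raw command line for "MpPreference" misses it, which is why the report lists a dedicated "Base64 Encoded MpPreference Cmdlet" Sigma match. The other rules are deliberately narrow (user-profile paths, `/sc minute` with `/RL HIGHEST`) to keep noise down on real hosts; the published Sigma rules of the same names are broader.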

Classification

Classification diagram (image not extracted). Categories shown: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner. Verdict scale: clean, suspicious, malicious.

AV Detection

Source: C:\Users\user\AppData\Local\Temp\4ede09p1vbo55pnv.exe Avira: detection malicious, Label: HEUR/AGEN.1310090
Source: C:\Users\user\AppData\Local\Temp\Extreme Injector v3.exe ReversingLabs: Detection: 75%
Source: Extreme Injector v3.1.exe ReversingLabs: Detection: 58%
Source: Submitted Sample Neural Call Log Analysis: 87.3%
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: Software\gogoduck
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: E?5Y>
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: ,
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: Win32_Processor
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: Name
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: User
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: true
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: dd.MM.yyyy
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: Win32_VideoController
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: Admin
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: black-levels.gl.at.ply.gg:17325;127.0.0.1:1111;0.0.0.0:1111
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: 127
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: 1.8
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: 9^!@w#l64fc
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: 3qpqsxgxgkdmbc4
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: Microsoft\Windows\WAppCrashNvTew
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: Microsoft\MachineCore
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: %UserProfile%\System32\Defender.exe
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: %UserProfile%\Web\MalwareDef.exe
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: c1yo9lcycrtx
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: jgv6zovx25d
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: Connect
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: @
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: SbieDll.dll
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: snxhk.dll
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: cmdvrt32.dll
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: Sf2.dll
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: SxIn.dll
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: Select * from Win32_CacheMemory
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: Select * from CIM_Memory
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: virtual
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: innotek gmbh
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: tpvcgateway
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: VMXh
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: tpautoconnsvc
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: vbox
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: vmbox
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: vmware
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: virtualbox
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: box
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: thinapp
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: root\CIMV2
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: SELECT * FROM Win32_ComputerSystem
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: Model
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: Manufacturer
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: :\
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: sandbox
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: qemu-ga
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: SPICE Guest Tools
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: drivers
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: balloon.sys
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: netkvm.sys
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: pvpanic.sys
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: viofs.sys
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: viogpudo.sys
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: vioinput.sys
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: viorng.sys
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: vioser.sys
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: viostor.sys
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: amsi.dll
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: AmsiScanBuffer
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: ntdll.dll
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: EtwEventWrite
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: avast
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: Error
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: Uninstall
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: runas
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: Update
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: /k timeout 5 > NUL && "
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: "
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: SaveInvoke
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: Invoke
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: .exe
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: cmd
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: Restart
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: false
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: Exit
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: Pong
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: /k timeout 10 > NUL && "
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: kernel32.dll
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: GetModuleHandleA
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: SetThreadExecutionState
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: user32.dll
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: GetForegroundWindow
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: GetWindowTextA
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: GetDiskFreeSpaceEx
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: NtProtectVirtualMemory
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: #Ja9l)z$Nq48<Vj{7Ss\W6]h+Zdu;mCQU`pP>AtHF1O&c2|G[0 ~5"-fE=3iI:%y@Xb?_(^rnR.YDKL'x*g!oevTkM}wB/,
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: kZ4Y;hH<:nc.w-roA}#K?D>`j=P5TJ(Xq%yNe^SI1z3G" d\|Ex/l*VQf!mB&C7i)Wba[]08@pgsuOU,ML+9~6v$2RF'_t{
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: Hwid
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: x2
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: Win32_DiskDrive
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: WindowsControl
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: %Windows%\xdwd.dll
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: SOFTWARE
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: Microsoft
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: Windows NT
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: CurrentVersion
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: Windows
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: AppInit_DLLs
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor:
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: LoadAppInit_DLLs
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: RequireSignedAppInit_DLLs
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: /C taskkill /im explorer.exe /f && TimeOut 2 && start explorer.exe
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: CD "
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: DEL "
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: " /f /q
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: .bat
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: timeout 10 > NUL
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: CMD
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: netsh advfirewall firewall add rule name="
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: " dir=in action=allow program="
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: " enable=yes & exit
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: Tasks
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: & exit
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: /c schtasks /deleTe /F /Tn "
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: " & exit
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: /c schtasks /run /i /tn "
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: /RL HIGHEST
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: /c schtasks /create /f /sc minute /mo
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: /tn "
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: " /tr "
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: "
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion\winlogon
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: Userinit
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: C:\Windows\System32\userinit.exe,
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: C:\Windows\System32\userinit.exe
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: SELECT * FROM Win32_OperatingSystem
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: Caption
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor:
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: OSArchitecture
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: Error Get Version
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: SELECT * FROM
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: \\
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: \root\SecurityCenter2
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: Select * from AntivirusProduct
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: displayName
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: ;
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: N/A
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: Unknown
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: [Idle]
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: SELECT * FROM Win32_PnPEntity WHERE PNPClass = 'Camera'
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: None
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: image/jpeg
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: %Templates%
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: %LocalApplicationData%
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: %ApplicationData%
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: %Cookies%
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: %Windows%
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: %UserProfile%
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: %MyDocuments%
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: %MyVideos%
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: %ProgramFiles%
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: %MyMusic%
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: %CommonDocuments%
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: %CommonPictures%
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: Ping
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: GetDLL
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: Plugin.Plugin
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: Run
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: Load error:
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: System
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: TrustedInsraller
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: root\Microsoft\Windows\Defender
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: SELECT * FROM MSFT_MpPreference
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: ComputerID
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: MSFT_MpPreference.ComputerID='
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: '
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: Add
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: ExclusionPath
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: J{J&p0R3P4:-*Ly-.#iqRD
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: 4vRE>- -J3 ;f
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: zQ5:;.y*bQ+0?t5v9<R
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: m-76Hmif?JbYyd#?X-&zttmv;
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: ; QqH.<6z<0q:;tUQz9v-)<4
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: ;{y&f1Q.DmD
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: ?/;vLx}y/j
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: t0K>)#f#)qx1>QM?4J;xMq
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: by9fvX)L}-z
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: :0zH<9&.4*9+L
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: *qtP-J1d;./4:YDdX?Rb&50U6
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: y:UM0).)Xx9RX x
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: 3M0MX0HUp#i
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: J<qHL #H9>#y)Uf4;7
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: q X}RRm<mPzPz
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: \:Q{R?mRP -;v9t
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: K}:HQDz4M ::Dd6#>0q{
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: X|* U:41y4:4Uz
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: Q#&i#f+LP 4-E-L;|K)Rm7
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: \6+f.>{3+:0|*-HX#6
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: XK./)<5&j&9H0>z
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: 0{M<5fp?t}*Jd5&t+ .
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: *9Y<YJ}EXz<X
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: Xz\H7}d4Ev)
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: YqR6{1U5K#5E|E>U;zy
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: .b66<d 6yj.K+*d
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: q91 QX-1 /4E&/x\#?*Q6Q#tK
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: /f*|1jqj#i-0z+
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: K6}J:j1\3 39EQbmY}.1q7xY1
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: 6qDM9M J#<>i|bYJQJqKH
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: *x7<?#U\qvM?6M6H KK5H>M ?
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: )i}vK#/*yy9.*mM qq6Y
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: *0\tRULD};6xEy<R1\
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: Y5b<}&#U?}|6\#;)
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: :|)0qf+{R3mm6647dK0
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: 9|)HvQ#b)H/
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: 3p7*1JLd?*{>>RR
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: >?Lf|;6.\7 4
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: x\jL- jX7}J*7:.;/#&t0M
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: \f3-Jx+J}-P;-+UbL
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: iQx?9:&.?m/9Rp5d
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: ?JL*+*3HM}6i
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: jH+<0*H 771Y)Lx&H7J;Q-3EM
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: 5{D>m}zqqEb
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: ?|+P+?P;|*736}-4iKM6>J*/X
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: /y{++p/bQ9RvvMiMK>
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: ?.jj5&R>#?}p
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: :<01bmX Htm>-q\X {.#7LL-
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: 3LKLY;4y&3qjXR{04
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: QUP?mU/ij4m<)b+4{{z4
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: 1)<d7X>b1Y.93
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: J:3y|;iDD|m#*\f3|yQ3t-
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: ?jif/6)9b6#m
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: K*v/Kj.;L.95\jJ}
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: f345Kv5Q/.>
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: 1/;X{174M0zvR/3q.:0EvtK
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: p:/X {Hv<;fR0d49:7 t
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: m&/P;++d5df<.mKq&LY
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: v.d3X L\f)945zPR&jfd
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: v&*R)0dtfP/b7PEYz
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: Ry\#:)YE0:
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: H}7Y*{Rt-E&&\7UJJ:f6*#9
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: 5?H0d;qY/zP|Q&dPjqfj
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: tUd|?y70ppYP*-{-}/5)/4+>x
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: >EpitY}dqL#XYd\y7{E\Y)
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: p1JK7{?:}#x.j{m+
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: Jb|iK#{Ptmxzt
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: |mJ jvq}t#6P#D&<RqJU>f*JP
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: Ym Lv/9p\MP>MEv&K0z
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: 11 pK<|y{E/J}}XUJK
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: |i*|.LpJ3q:&\3*6U:j
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: jyf #X:m3\;fDLtb\Y3
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: d7D.UJj?mq|f-JM+Uidb
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: Q))# /& +4L?1yM-fE1XL |q
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: YJ+xY?-p3X\M99H
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: {6<KU:*M5LYjM3X;4
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: .9jQ}6M.7;>b7tp)p9
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: /K+QJfU9y?:;7
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: \xq*qH59KQ+Q>z4;?/+:b?dxD
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: jDU7?3jK\?L
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: <bMdxmPmp{)x\m\)?|tji
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: <Kzp)qE4xXjUf7\
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: :D1.q Rj5||b<p./m
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: J>P3L55<b?Ytvd{ \v+|:R6m
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: q*vQdp)p#YtJ
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: +?6{:pv))1x#7zj;\.v\D:YK
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: 3?/M4y3:\b*KQ.q<
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: &d1M<f;zD\#b
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: 9ziRUqf3?.v)ixEq*q
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: mU<?4/pX1i4)
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: YQ5*Q&3t+U)574L;KKy
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: RDE+HU00j*
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: fjM)\m/<U7M16Mj5fH
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: ;KXi3\*D&RKb44}EmM*
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: fD4dmK1RMyY3.J?UpD}vf+>E
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: L4U;>d;*:yL3J-5fx>{mHj01;
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: /q;3P*.bY#+f|
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: J\x.6#zpXq9f>)3j??{URtDy5
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: <>DMmH-t||
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: )RJd/Qj 51XMXy4\m<M|xPD71
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: 7 M>6qUL4 &:i
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: fUQv/.<&+D46/YJ0Y<
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: 6qvj9y\;Qf
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: ):iq.\j*t7jMP?v&z0q >yRtQ
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: 9/-:63Q{X7) fY:t
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: Yi)Q:RbjDy }zD
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: 34&t-7x+{M+Mj|50
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: idX&#Y{35fYD0+&0qKR
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: |dm.by#4qdRxp)i7 0H#xK#
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: 5b0b0XRqQ\i3}
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: }/<}/mU9/PP|+MD)Jp1?x
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: 6*5UHyxfpLvRPvHzt}j/
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: 5bbPRLX> 1tm#id5)\4/xiY)Y
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: 3K633x|0}#Y:4*.>
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: 4#}36?:Lf3)
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: 1&K+.jm)q;H}bjMY/?zj#bi
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: ;J5\{DydMjt|DU#)7/0;-&0
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: ;J)i+>|?103K<Q&DJLRi
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: \RM>4?; ftyp|6EUi&f-DPf
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: /P*LEMDEyXRxpm};bp+
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: fJLH>K*j0x&qM
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: #<y}5Y P *5<&+73:|d
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: v7UEY&d}m&m
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: .+ Jzi;#KPHpz5iU?-R*0pvx
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: .04ptX:9{7}|qRz3*H
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: 7HqKMmvQDb
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: +|Ut<R</J|z<f
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: #6j-y-7&5#3HQ90.M*y<\M
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: }:L.Ufv<5+</+y
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: D4dM&U{RR0)Lj0Q
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: f|}*6|6\bx3R
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: f:|)v3*m&Y
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: .4 fb<:qf*x-QJxff 3p&/5y
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: Yx3-EfYKKm}
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: <x4Y P K\M\#&L&*9
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: *m47:x<>bKvb&<;xjfX:7
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: D<J#)bU0LJ{
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: m|+9}\xM)&+m>Kvq5d.y
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: yvP/RUd4Qp3j<{z/{*<*5+J</
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: 511mD.yb)-Ef;<Rmz ty?qD
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: q}5&{RM#X&4b
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: #;;6f1Yvv7*7j0qDj95j*HUP
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: y|<0vvdD>60Jx
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: /q*4&z/U*/K4*z
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: 3LKzXx)ixpx#Ld6z>MY
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: K<?yX/jMEt)J{L&f*;
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: t6RQiE4;0t&{bYMm59*
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: 4H4X.)LEE}x 6{qy-\:E/
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: K;#}};RQ;-U7Mp+{
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: |PD67zp.bK5t./6LJJ{E 6E&
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: *dmj:-H qQKdm
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: bdy4HK{? |q
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: Xmm0/b|5b-
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: M1D:zj6ittL\vU.{px 3
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: LJRvR&;iU)K{i|4*LK0{>7K9z
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: byQy)5/>.q1{|+UJPU96
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: >bv0v:6yRvmH&-3yJ<{/*K
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: MyqU\d9{\X&Dd
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: ;yfv{#m)6P>U
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: <-*:z\b&mM0Q}zt|b6>
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: b</}|PQ1;m5m6>mb1/H*x U
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: \#-fx#Qqqv}DL;1H>v->
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: JtymbRy/&P97 vR9+ *qK4/.
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: t9dLf bU4;5y?
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: -yK-M4p.;J4i\9
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: >?iER5xiyJfiz:7+tKfx
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: x|DfY6/63qP
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: x/0YRv0{jz#>XUX*>y7U43?q
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: Q>;Y&<30vy+LU:j:9
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: 4++\7p*MMPPtJtM-tf#v5*p
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: &iUU-.1ip*J3z<)0q<x9vzm6?
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: JDU7p)&XmL5EQiH1&PLtxb{K
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: \Q*1|mPQv 5j>-M0+dR
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: zt9by jy9v7U-+x0
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: X6&YQ5LjEQLQ17E-MvRQ;KE y
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: { p*q:RU<b|XME
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: |../JU<D<}#|PKP/6.;13
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: d4j.0YMf1fM/3HfH+/70
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: QM)4:HJRf7qDY*)
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: \m49J*9#i}bY\Y\ |+P4.f
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: dKYd;p}7.x
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: qQm{L6;<P:
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: ff--Q*/qQQ9LU0/4K
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: bLK*Q5Qyv 3yRyXiQ57
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: ;yX|-M04#x\R0x4H
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: <P*D9L7D\tq\bMjd
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: 9m7E?}J &K\qjM?P
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: 3:}/;Y9EP*>QY
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: {;q>}{+v1H.\j;*P/zPKpUpH7
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: i/{0HLd9LyLX//
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: K9*dY465<JiUtY0mj
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: 4/;b+J;fUj3:
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: )0P3 fHLP41\) &t}Q|4Jf;
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: \33}x>*L}x/z
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: \5):KjKK}X9Y*
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: .P7Mf5&4*>6H+ME0-6
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: Pj>RY|0Q+/JD6zE3
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: J.M?0p&vK?4KR+y+mE
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: |<E9P:\EL9pp/j*f)m-;
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: DE1Y67#P*4
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: yj6Ympt>:LfEy9+1d&4Ux
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: qE1)m6+p6|YE5Q|fR5.#+
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: vH649*Q}z*PQQX>YD
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: 11;j7 :?1tq bE}*y&ff5
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: zMEY\#} >&6zd700z}J
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: 4j)i;xM<}3pDy*xqd0j\0Riyd
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: }Mj/iK>)j;XPDdX* Li?z0/
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: < &Dy6D57Q:
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: d\pJ5v3J.46Pizv
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: Xy;yK)6db1i
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: )Y01*-<3DxR<ff.fz
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: |+1pq0jm}Q)Mj#mQ0DDRUfX
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: /4|)L |-0/
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: *1 vP}5v|pE#H|q6
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: 4)iHbD<HL7yqLQ>
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: m>6DUR)>*b+JY><y6
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: Rb5X|*#-Yyyx
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: 0{Rbjymf<}i>b\JXJbqUfJ3
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: 3-|RE&Y6*i<:XQPYXQpQ
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: )Uz}+t:R Qi}zzqEHbH0z}
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: 5f.:M<17JDzx0y
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: #Mbm)bL9|?tYy{*y|t+
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: +f#5Lm&7KRfJf7pqd|f3fY:b1
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: jY)4R-mx|-{JQ+z1fR;*
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: KY6-\&0}1?iv7vUyM
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: q#){+- t-t
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: jqptjym0>)Y
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: &pfyHUP4 Kq5\EX #
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: |RP{J/JY\6|:
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: |P7YK6jpX\d*b\ #*Eq3>0
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: MUmvz7*?KM5bxyzJ1QM|qYE
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: &E9Epp/\)*jy796}XE}ML
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: tmQUQ3DDtPLK
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: # 7D5f};RUy5qzH?<
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: -|vMzRE3X+4>KyzX+{bKP/t
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: #.m| j{d*>&) -)
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: L:UHt;;>d zx;ym) qt.{J
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: vHq0&4+>&&6E 099<X
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: Km:9Qid-9xzyQx.v\3)}H59
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: <7fP & /J.<&mXEq. pP
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: UM1Y*&D5+45M4Q#:QMd
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: mjd?3{&/J\{JQd
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: Yv4Uy}/t<E1L})5fU};LmK
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: .1.v4*;{pX)U>
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: *4>}XUM5i*+4Q.R:U
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: fzL4jdytJDYm
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: Qqd;v-.01+/Jd)q{HH<Jv
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: ?+d*|UtQ#7q.E
Source: 6.0.4ede09p1vbo55pnv.exe.c0000.0.unpack String decryptor: & 0qP#5MiX|9M57.f}UtE+
Source: unknown HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.5:49692 version: TLS 1.0
Source: Extreme Injector v3.1.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Joe Sandbox View IP Address: 185.199.108.133 185.199.108.133
Source: Joe Sandbox View JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: global traffic HTTP traffic detected: GET /master131/ExtremeInjector/master/version HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.5Host: raw.githubusercontent.comConnection: Keep-Alive
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: raw.githubusercontent.com
Source: powershell.exe, 00000002.00000002.1428982417.000002923B967000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000002.00000002.1403986349.000002922BB19000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: Extreme Injector v3.exe, 00000001.00000002.2544243963.0000000003442000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://raw.githubusercontent.com
Source: powershell.exe, 00000002.00000002.1403986349.000002922BB19000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: Extreme Injector v3.exe, 00000001.00000002.2544243963.00000000032D0000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.1403986349.000002922B8F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.1403986349.000002922BB19000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000002.00000002.1403986349.000002922BB19000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000002.00000002.1403986349.000002922B8F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000002.00000002.1428982417.000002923B967000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000002.00000002.1428982417.000002923B967000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000002.00000002.1428982417.000002923B967000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000002.00000002.1403986349.000002922BB19000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: Extreme Injector v3.exe, 00000001.00000002.2544243963.000000000347C000.00000004.00000800.00020000.00000000.sdmp, Extreme Injector v3.exe, 00000001.00000002.2550726738.000000001BBD5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/master131/ExtremeInjector
Source: Extreme Injector v3.exe, 00000001.00000002.2550726738.000000001BBD5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/master131/ExtremeInjector0
Source: powershell.exe, 00000002.00000002.1439947701.0000029243F74000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ion=v4.5
Source: powershell.exe, 00000002.00000002.1428982417.000002923B967000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: Extreme Injector v3.exe, 00000001.00000002.2544243963.00000000033B8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://raw.githubusercontent.com
Source: Extreme Injector v3.exe, 00000001.00000002.2544243963.00000000032D0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://raw.githubusercontent.com/master131/ExtremeInjector/master/version
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49692
Source: unknown Network traffic detected: HTTP traffic on port 49692 -> 443
Source: C:\Users\user\Desktop\Extreme Injector v3.1.exe Code function: 0_2_00007FF7C7C60A89 0_2_00007FF7C7C60A89
Source: C:\Users\user\AppData\Local\Temp\Extreme Injector v3.exe Code function: 1_2_00007FF7C7C5450C 1_2_00007FF7C7C5450C
Source: C:\Users\user\AppData\Local\Temp\Extreme Injector v3.exe Code function: 1_2_00007FF7C7C52511 1_2_00007FF7C7C52511
Source: C:\Users\user\AppData\Local\Temp\Extreme Injector v3.exe Code function: 1_2_00007FF7C7C50C48 1_2_00007FF7C7C50C48
Source: C:\Users\user\AppData\Local\Temp\Extreme Injector v3.exe Code function: 1_2_00007FF7C7C50BA7 1_2_00007FF7C7C50BA7
Source: C:\Users\user\AppData\Local\Temp\Extreme Injector v3.exe Code function: 1_2_00007FF7C7C516F0 1_2_00007FF7C7C516F0
Source: C:\Users\user\AppData\Local\Temp\Extreme Injector v3.exe Code function: 1_2_00007FF7C7D00068 1_2_00007FF7C7D00068
Source: C:\Users\user\AppData\Local\Temp\4ede09p1vbo55pnv.exe Code function: 6_2_00007FF7C7C59366 6_2_00007FF7C7C59366
Source: C:\Users\user\AppData\Local\Temp\4ede09p1vbo55pnv.exe Code function: 6_2_00007FF7C7C503ED 6_2_00007FF7C7C503ED
Source: C:\Users\user\AppData\Local\Temp\4ede09p1vbo55pnv.exe Code function: 6_2_00007FF7C7C58FFC 6_2_00007FF7C7C58FFC
Source: C:\Users\user\AppData\Local\Temp\4ede09p1vbo55pnv.exe Code function: 6_2_00007FF7C7C59000 6_2_00007FF7C7C59000
Source: C:\Users\user\AppData\Local\Temp\4ede09p1vbo55pnv.exe Code function: 6_2_00007FF7C7C5865F 6_2_00007FF7C7C5865F
Source: C:\Users\user\AppData\Local\Temp\4ede09p1vbo55pnv.exe Code function: 8_2_00007FF7C7C69366 8_2_00007FF7C7C69366
Source: C:\Users\user\AppData\Local\Temp\4ede09p1vbo55pnv.exe Code function: 8_2_00007FF7C7C603ED 8_2_00007FF7C7C603ED
Source: C:\Users\user\AppData\Local\Temp\4ede09p1vbo55pnv.exe Code function: 8_2_00007FF7C7C68FFC 8_2_00007FF7C7C68FFC
Source: C:\Users\user\AppData\Local\Temp\4ede09p1vbo55pnv.exe Code function: 8_2_00007FF7C7C69000 8_2_00007FF7C7C69000
Source: C:\Users\user\AppData\Local\Temp\4ede09p1vbo55pnv.exe Code function: 8_2_00007FF7C7C6865F 8_2_00007FF7C7C6865F
Source: C:\Users\user\AppData\Local\Temp\4ede09p1vbo55pnv.exe Code function: 9_2_00007FF7C7C4865F 9_2_00007FF7C7C4865F
Source: C:\Users\user\AppData\Local\Temp\4ede09p1vbo55pnv.exe Code function: 9_2_00007FF7C7C49366 9_2_00007FF7C7C49366
Source: C:\Users\user\AppData\Local\Temp\4ede09p1vbo55pnv.exe Code function: 9_2_00007FF7C7C403ED 9_2_00007FF7C7C403ED
Source: C:\Users\user\AppData\Local\Temp\4ede09p1vbo55pnv.exe Code function: 9_2_00007FF7C7C48FFC 9_2_00007FF7C7C48FFC
Source: C:\Users\user\AppData\Local\Temp\4ede09p1vbo55pnv.exe Code function: 9_2_00007FF7C7C49000 9_2_00007FF7C7C49000
Source: C:\Users\user\AppData\Local\Temp\4ede09p1vbo55pnv.exe Code function: 9_2_00007FF7C7C46188 9_2_00007FF7C7C46188
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\Extreme Injector v3.exe 0AC3387B6E0283C972722C2A6664EE23AC5BA10640D18B827E8732F5C57E7D2C
Source: Extreme Injector v3.1.exe Static PE information: No import functions for PE file found
Source: Extreme Injector v3.1.exe, 00000000.00000002.1451067456.0000000003931000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameClient.exe. vs Extreme Injector v3.1.exe
Source: Extreme Injector v3.1.exe, 00000000.00000000.1295161404.000000000050C000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameXBinderOutput.exe4 vs Extreme Injector v3.1.exe
Source: Extreme Injector v3.1.exe Binary or memory string: OriginalFilenameXBinderOutput.exe4 vs Extreme Injector v3.1.exe
Source: Extreme Injector v3.1.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 4ede09p1vbo55pnv.exe, 00000006.00000002.1450671023.00000000005DC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ;.VBp
Source: classification engine Classification label: mal100.evad.winEXE@11/10@1/1
Source: C:\Users\user\Desktop\Extreme Injector v3.1.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Extreme Injector v3.1.exe.log
Source: C:\Users\user\AppData\Local\Temp\4ede09p1vbo55pnv.exe Mutant created: NULL
Source: C:\Users\user\Desktop\Extreme Injector v3.1.exe Mutant created: \Sessions\1\BaseNamedObjects\RPnuCplKRbSrtRZ45
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6052:120:WilError_03
Source: C:\Users\user\Desktop\Extreme Injector v3.1.exe File created: C:\Users\user\AppData\Local\Temp\Extreme Injector v3.exe
Source: Extreme Injector v3.1.exe Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%
Source: C:\Users\user\Desktop\Extreme Injector v3.1.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Extreme Injector v3.1.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Extreme Injector v3.1.exe ReversingLabs: Detection: 58%
Source: unknown Process created: C:\Users\user\Desktop\Extreme Injector v3.1.exe "C:\Users\user\Desktop\Extreme Injector v3.1.exe"
Source: C:\Users\user\Desktop\Extreme Injector v3.1.exe Process created: C:\Users\user\AppData\Local\Temp\Extreme Injector v3.exe "C:\Users\user\AppData\Local\Temp\Extreme Injector v3.exe"
Source: C:\Users\user\Desktop\Extreme Injector v3.1.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\4ede09p1vbo55pnv.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\Extreme Injector v3.1.exe Process created: C:\Users\user\AppData\Local\Temp\4ede09p1vbo55pnv.exe "C:\Users\user\AppData\Local\Temp\4ede09p1vbo55pnv.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\4ede09p1vbo55pnv.exe "C:\Users\user\AppData\Local\Temp\4ede09p1vbo55pnv.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\4ede09p1vbo55pnv.exe "C:\Users\user\AppData\Local\Temp\4ede09p1vbo55pnv.exe"
Source: C:\Users\user\Desktop\Extreme Injector v3.1.exe Process created: C:\Users\user\AppData\Local\Temp\Extreme Injector v3.exe "C:\Users\user\AppData\Local\Temp\Extreme Injector v3.exe"
Source: C:\Users\user\Desktop\Extreme Injector v3.1.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\4ede09p1vbo55pnv.exe'
Source: C:\Users\user\Desktop\Extreme Injector v3.1.exe Process created: C:\Users\user\AppData\Local\Temp\4ede09p1vbo55pnv.exe "C:\Users\user\AppData\Local\Temp\4ede09p1vbo55pnv.exe"
Source: C:\Users\user\Desktop\Extreme Injector v3.1.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\Extreme Injector v3.1.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Extreme Injector v3.1.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Extreme Injector v3.1.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\Extreme Injector v3.1.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\Extreme Injector v3.1.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Extreme Injector v3.1.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Extreme Injector v3.1.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Extreme Injector v3.1.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Extreme Injector v3.1.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Extreme Injector v3.1.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Extreme Injector v3.1.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Extreme Injector v3.1.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Extreme Injector v3.1.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Extreme Injector v3.1.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Extreme Injector v3.1.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\Extreme Injector v3.1.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\Extreme Injector v3.1.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\Extreme Injector v3.1.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\Extreme Injector v3.1.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Extreme Injector v3.1.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\Extreme Injector v3.1.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Extreme Injector v3.1.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Extreme Injector v3.1.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\Extreme Injector v3.1.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\Extreme Injector v3.1.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\Extreme Injector v3.1.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Extreme Injector v3.1.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\Extreme Injector v3.1.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\Extreme Injector v3.1.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\Extreme Injector v3.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\Extreme Injector v3.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\Extreme Injector v3.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\Extreme Injector v3.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Extreme Injector v3.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Extreme Injector v3.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Extreme Injector v3.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\Extreme Injector v3.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\Extreme Injector v3.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\Extreme Injector v3.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\Extreme Injector v3.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\Extreme Injector v3.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\Extreme Injector v3.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\Extreme Injector v3.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Temp\Extreme Injector v3.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\Extreme Injector v3.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\Extreme Injector v3.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\Extreme Injector v3.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\Extreme Injector v3.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\Extreme Injector v3.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\Extreme Injector v3.exe Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Local\Temp\Extreme Injector v3.exe Section loaded: rasman.dll
Source: C:\Users\user\AppData\Local\Temp\Extreme Injector v3.exe Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Local\Temp\Extreme Injector v3.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\Extreme Injector v3.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\Extreme Injector v3.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\Extreme Injector v3.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\Extreme Injector v3.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\Extreme Injector v3.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\Extreme Injector v3.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\Extreme Injector v3.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\Extreme Injector v3.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\Extreme Injector v3.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\Extreme Injector v3.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\Extreme Injector v3.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\Extreme Injector v3.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\Extreme Injector v3.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\Extreme Injector v3.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\Extreme Injector v3.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\Extreme Injector v3.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\Extreme Injector v3.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\Extreme Injector v3.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\Extreme Injector v3.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\Extreme Injector v3.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\Extreme Injector v3.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\4ede09p1vbo55pnv.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\4ede09p1vbo55pnv.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\4ede09p1vbo55pnv.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\4ede09p1vbo55pnv.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\4ede09p1vbo55pnv.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\4ede09p1vbo55pnv.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\4ede09p1vbo55pnv.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\4ede09p1vbo55pnv.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\4ede09p1vbo55pnv.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\4ede09p1vbo55pnv.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\4ede09p1vbo55pnv.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\4ede09p1vbo55pnv.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\4ede09p1vbo55pnv.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\4ede09p1vbo55pnv.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\4ede09p1vbo55pnv.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\4ede09p1vbo55pnv.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\4ede09p1vbo55pnv.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\4ede09p1vbo55pnv.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\4ede09p1vbo55pnv.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\4ede09p1vbo55pnv.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\4ede09p1vbo55pnv.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\4ede09p1vbo55pnv.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\4ede09p1vbo55pnv.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\4ede09p1vbo55pnv.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\4ede09p1vbo55pnv.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\4ede09p1vbo55pnv.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\4ede09p1vbo55pnv.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4ede09p1vbo55pnv.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Extreme Injector v3.1.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\Extreme Injector v3.1.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: Extreme Injector v3.1.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Extreme Injector v3.1.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: Extreme Injector v3.1.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: Extreme Injector v3.1.exe Static file information: File size 1675264 > 1048576
Source: Extreme Injector v3.1.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x198800
Source: Extreme Injector v3.1.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\Extreme Injector v3.1.exe Code function: 0_2_00007FF7C7C604A8 push es; iretd 0_2_00007FF7C7C61957
Source: C:\Users\user\Desktop\Extreme Injector v3.1.exe Code function: 0_2_00007FF7C7C600BD pushad ; iretd 0_2_00007FF7C7C600C1
Source: C:\Users\user\Desktop\Extreme Injector v3.1.exe Code function: 0_2_00007FF7C7C6165C push es; iretd 0_2_00007FF7C7C61957
Source: C:\Users\user\AppData\Local\Temp\Extreme Injector v3.exe Code function: 1_2_00007FF7C7C500BD pushad ; iretd 1_2_00007FF7C7C500C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FF7C7B4D2A5 pushad ; iretd 2_2_00007FF7C7B4D2A6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FF7C7C600BD pushad ; iretd 2_2_00007FF7C7C600C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FF7C7C62823 push eax; ret 2_2_00007FF7C7C62824
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FF7C7C62813 push eax; ret 2_2_00007FF7C7C62814
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FF7C7C6965B pushad ; ret 2_2_00007FF7C7C6965C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FF7C7C65D7B pushad ; ret 2_2_00007FF7C7C65D7C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FF7C7C6211D push ecx; ret 2_2_00007FF7C7C623F2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FF7C7D32316 push 8B485F92h; iretd 2_2_00007FF7C7D3231B
Source: C:\Users\user\AppData\Local\Temp\4ede09p1vbo55pnv.exe Code function: 6_2_00007FF7C7C51EEA push FFFFFFE8h; ret 6_2_00007FF7C7C51EF9
Source: C:\Users\user\AppData\Local\Temp\4ede09p1vbo55pnv.exe Code function: 6_2_00007FF7C7C500BD pushad ; iretd 6_2_00007FF7C7C500C1
Source: C:\Users\user\AppData\Local\Temp\4ede09p1vbo55pnv.exe Code function: 6_2_00007FF7C7C57664 push es; iretd 6_2_00007FF7C7C5766A
Source: C:\Users\user\AppData\Local\Temp\4ede09p1vbo55pnv.exe Code function: 6_2_00007FF7C7C58169 push ebx; ret 6_2_00007FF7C7C5816A
Source: C:\Users\user\AppData\Local\Temp\4ede09p1vbo55pnv.exe Code function: 6_2_00007FF7C7C57523 push ebx; iretd 6_2_00007FF7C7C5756A
Source: C:\Users\user\AppData\Local\Temp\4ede09p1vbo55pnv.exe Code function: 8_2_00007FF7C7C61EEA push FFFFFFE8h; ret 8_2_00007FF7C7C61EF9
Source: C:\Users\user\AppData\Local\Temp\4ede09p1vbo55pnv.exe Code function: 8_2_00007FF7C7C600BD pushad ; iretd 8_2_00007FF7C7C600C1
Source: C:\Users\user\AppData\Local\Temp\4ede09p1vbo55pnv.exe Code function: 8_2_00007FF7C7C68169 push ebx; ret 8_2_00007FF7C7C6816A
Source: C:\Users\user\AppData\Local\Temp\4ede09p1vbo55pnv.exe Code function: 8_2_00007FF7C7C65D58 push eax; iretd 8_2_00007FF7C7C65D5A
Source: C:\Users\user\AppData\Local\Temp\4ede09p1vbo55pnv.exe Code function: 8_2_00007FF7C7C67523 push ebx; iretd 8_2_00007FF7C7C6756A
Source: C:\Users\user\AppData\Local\Temp\4ede09p1vbo55pnv.exe Code function: 9_2_00007FF7C7C41EEA push FFFFFFE8h; ret 9_2_00007FF7C7C41EF9
Source: C:\Users\user\AppData\Local\Temp\4ede09p1vbo55pnv.exe Code function: 9_2_00007FF7C7C400BD pushad ; iretd 9_2_00007FF7C7C400C1
Source: C:\Users\user\AppData\Local\Temp\4ede09p1vbo55pnv.exe Code function: 9_2_00007FF7C7C48169 push ebx; ret 9_2_00007FF7C7C4816A
Source: C:\Users\user\AppData\Local\Temp\4ede09p1vbo55pnv.exe Code function: 9_2_00007FF7C7C47523 push ebx; iretd 9_2_00007FF7C7C4756A
Source: Extreme Injector v3.1.exe Static PE information: section name: .text entropy: 7.998680791708922
Source: Extreme Injector v3.exe.0.dr Static PE information: section name: .text entropy: 7.262282176772992
Source: C:\Users\user\Desktop\Extreme Injector v3.1.exe File created: C:\Users\user\AppData\Local\Temp\4ede09p1vbo55pnv.exe
Source: C:\Users\user\Desktop\Extreme Injector v3.1.exe File created: C:\Users\user\AppData\Local\Temp\Extreme Injector v3.exe
Source: C:\Users\user\Desktop\Extreme Injector v3.1.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 4ede09p1vbo55pnv

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\Extreme Injector v3.1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Extreme Injector v3.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4ede09p1vbo55pnv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4ede09p1vbo55pnv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4ede09p1vbo55pnv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4ede09p1vbo55pnv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4ede09p1vbo55pnv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4ede09p1vbo55pnv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4ede09p1vbo55pnv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4ede09p1vbo55pnv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4ede09p1vbo55pnv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4ede09p1vbo55pnv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4ede09p1vbo55pnv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4ede09p1vbo55pnv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4ede09p1vbo55pnv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4ede09p1vbo55pnv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4ede09p1vbo55pnv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4ede09p1vbo55pnv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4ede09p1vbo55pnv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4ede09p1vbo55pnv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4ede09p1vbo55pnv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4ede09p1vbo55pnv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4ede09p1vbo55pnv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4ede09p1vbo55pnv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4ede09p1vbo55pnv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4ede09p1vbo55pnv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4ede09p1vbo55pnv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4ede09p1vbo55pnv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4ede09p1vbo55pnv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4ede09p1vbo55pnv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4ede09p1vbo55pnv.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\4ede09p1vbo55pnv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_CacheMemory
Source: C:\Users\user\AppData\Local\Temp\4ede09p1vbo55pnv.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from CIM_Memory
Source: C:\Users\user\Desktop\Extreme Injector v3.1.exe Memory allocated: E40000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Extreme Injector v3.1.exe Memory allocated: 1B930000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Extreme Injector v3.exe Memory allocated: 1760000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Extreme Injector v3.exe Memory allocated: 1B2A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\4ede09p1vbo55pnv.exe Memory allocated: 970000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\4ede09p1vbo55pnv.exe Memory allocated: 1A4F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\4ede09p1vbo55pnv.exe Memory allocated: 1480000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\4ede09p1vbo55pnv.exe Memory allocated: 1B400000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\4ede09p1vbo55pnv.exe Memory allocated: 7F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\4ede09p1vbo55pnv.exe Memory allocated: 1A310000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Extreme Injector v3.1.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\4ede09p1vbo55pnv.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6195
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3337
Source: C:\Users\user\Desktop\Extreme Injector v3.1.exe TID: 8140 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7696 Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4ede09p1vbo55pnv.exe TID: 2668 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4ede09p1vbo55pnv.exe TID: 3204 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4ede09p1vbo55pnv.exe TID: 3384 Thread sleep time: -922337203685477s >= -30000s
Source: 4ede09p1vbo55pnv.exe.0.dr Binary or memory string: vMCilypWyNMJIYzwpx
Source: Extreme Injector v3.exe, 00000001.00000002.2550726738.000000001BBD5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Temp\Extreme Injector v3.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Extreme Injector v3.1.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\Extreme Injector v3.1.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp\4ede09p1vbo55pnv.exe'
Source: C:\Users\user\Desktop\Extreme Injector v3.1.exe Process created: C:\Users\user\AppData\Local\Temp\Extreme Injector v3.exe "C:\Users\user\AppData\Local\Temp\Extreme Injector v3.exe"
Source: C:\Users\user\Desktop\Extreme Injector v3.1.exe Process created: C:\Users\user\AppData\Local\Temp\4ede09p1vbo55pnv.exe "C:\Users\user\AppData\Local\Temp\4ede09p1vbo55pnv.exe"
Source: C:\Users\user\Desktop\Extreme Injector v3.1.exe Queries volume information: C:\Users\user\Desktop\Extreme Injector v3.1.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Extreme Injector v3.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Extreme Injector v3.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Extreme Injector v3.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Extreme Injector v3.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Extreme Injector v3.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\4ede09p1vbo55pnv.exe Queries volume information: C:\Users\user\AppData\Local\Temp\4ede09p1vbo55pnv.exe VolumeInformation
Source: C:\Users\user\Desktop\Extreme Injector v3.1.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid