Windows Analysis Report
InjectToolInstaller.exe

Overview

General Information

Sample name:	InjectToolInstaller.exe
Analysis ID:	1417459
MD5:	86daf2965a3ac93c7119b5eccbeca489
SHA1:	ac7b034df5b8e42dfaa21ee7cf6656664a7dcf02
SHA256:	358bdb901a68378a995c91b5d500c579851b1ced09c28060e03734f8b48c0c80
Infos:

Detection

PureLog Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Antivirus detection for dropped file

Multi AV Scanner detection for domain / URL

Snort IDS alert for network traffic

Yara detected PureLog Stealer

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

Command shell drops VBS files

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Contains functionality to inject threads in other processes

Found API chain indicative of sandbox detection

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Found stalling execution ending in API Sleep call

Injects a PE file into a foreign processes

Installs new ROOT certificates

Potential malicious VBS script found (suspicious strings)

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Script Interpreter Execution From Suspicious Folder

Sigma detected: Suspicious Script Execution From Temp Folder

Sigma detected: WScript or CScript Dropper

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Yara detected Costura Assembly Loader

Allocates memory with a write watch (potentially for evading sandboxes)

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Checks if the current process is being debugged

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to communicate with device drivers

Contains functionality to detect sandboxes (mouse cursor move detection)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

File is packed with WinRar

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (date check)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

PE file contains sections with non-standard names

Queries information about the installed CPU (vendor, model number etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Shows file infection / information gathering behavior (enumerates multiple directory for files)

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious DNS Query for IP Lookup Service APIs

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores large binary data to the registry

Tries to load missing DLLs

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)

Uses the system / local time for branch decision (may execute only at specific dates)

Classification

Signatures

AV Detection

Antivirus detection for URL or domain

Source: https://wprogs.top/wefrgdf/bndwaf.exe	Avira URL Cloud: Label: malware
Source: https://wprogs.top:80/wefrgdf/bndwaf.exe	Avira URL Cloud: Label: malware
Source: https://wprogs.top/wefrgdf/bndwaf.exe#	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\21.mp3

Avira: detection malicious, Label: HEUR/AGEN.1332199

Multi AV Scanner detection for domain / URL

Source: wprogs.top

Virustotal: Detection: 20%

Perma Link

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F2A37E8 GetProcAddress,GetProcAddress,CryptProtectMemory,CryptUnprotectMemory,GetCurrentProcessId,		24_2_000000013F2A37E8
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_00570420 RegQueryValueExA,RegCloseKey,CryptUnprotectData,CryptUnprotectData,LocalFree,		48_2_00570420

Uses 32bit PE files

Source: InjectToolInstaller.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.22:49168 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.22:49169 version: TLS 1.0

Source: InjectToolInstaller.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: insta313tg.exe, 0000002A.00000002.471726274.0000000004CB0000.00000004.08000000.00040000.00000000.sdmp, insta313tg.exe, 0000002A.00000002.470471234.0000000002682000.00000004.00000800.00020000.00000000.sdmp, insta313tg.exe, 0000002A.00000002.470797690.00000000034EE000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: insta313tg.exe, 0000002A.00000002.471726274.0000000004CB0000.00000004.08000000.00040000.00000000.sdmp, insta313tg.exe, 0000002A.00000002.470471234.0000000002682000.00000004.00000800.00020000.00000000.sdmp, insta313tg.exe, 0000002A.00000002.470797690.00000000034EE000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\git-sdk-64\usr\src\MSYS2-packages\p7zip\src\p7zip_16.02.bup\CPP\7zip\Bundles\SFXSetup\ReleaseD\7zSD.pdb source: InjectToolInstaller.exe
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: insta313tg.exe, 0000002A.00000002.471586467.0000000004860000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar64\Release\sfxrar.pdb source: data.exe, 00000018.00000002.449019686.000000013F2CC000.00000002.00000001.01000000.00000006.sdmp, data.exe, 00000018.00000000.406984919.000000013F2CC000.00000002.00000001.01000000.00000006.sdmp, data.dat.2.dr
Source:	Binary string: protobuf-net.pdb source: insta313tg.exe, 0000002A.00000002.471586467.0000000004860000.00000004.08000000.00040000.00000000.sdmp

Shows file infection / information gathering behavior (enumerates multiple directory for files)

Source: C:\Windows\SysWOW64\cmd.exe	Directory queried: number of queries: 1617
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Directory queried: number of queries: 1043

Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013AABAF FindFirstFileA,FindFirstFileW,	0_2_013AABAF
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013E783F FindFirstFileExA,	0_2_013E783F
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013E7AF7 FindFirstFileExW,FindClose,FindNextFileW,	0_2_013E7AF7
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013E7CAD FindFirstFileExA,	0_2_013E7CAD
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013E7CD8 FindFirstFileExW,	0_2_013E7CD8
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F29DDB0 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	24_2_000000013F29DDB0
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F2C4150 FindFirstFileExA,	24_2_000000013F2C4150
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F2B3000 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,swprintf,SetDlgItemTextW,FindClose,swprintf,SetDlgItemTextW,SendDlgItemMessageW,swprintf,SetDlgItemTextW,swprintf,SetDlgItemTextW,	24_2_000000013F2B3000
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0055E150 CreateDirectoryA,CreateDirectoryA,FindFirstFileA,GetLastError,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,SHGetFolderPathA,GetFileAttributesA,GetFileAttributesA,GetLastError,GetLastError,__Mtx_unlock,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,CreateDirectoryA,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,GetFileAttributesA,GetFileAttributesA,GetLastError,__Mtx_unlock,GetFileAttributesA,__Mtx_unlock,CreateDirectoryA,GetFileAttributesA,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,CreateDirectoryA,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,CreateDirectoryA,__Mtx_unlock,	48_2_0055E150
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0058E2D0 SHGetFolderPathA,GetFileAttributesA,GetFileAttributesA,GetLastError,GetLastError,__Mtx_unlock,GetFileAttributesA,GetLastError,__Mtx_unlock,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CopyFileA,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,CreateDirectoryA,CopyFileA,CopyFileA,__Mtx_unlock,__Mtx_unlock,	48_2_0058E2D0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0055A750 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,__Mtx_unlock,	48_2_0055A750
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_00570D83 FindFirstFileA,FindNextFileA,GetLastError,FindClose,	48_2_00570D83
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0062D997 FindClose,FindFirstFileExW,GetLastError,	48_2_0062D997
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0064CD90 FindFirstFileExW,	48_2_0064CD90

Source: C:\Users\user\Desktop\InjectToolInstaller.exe

Code function: 0_2_013AAEC5 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z,__EH_prolog3,GetLogicalDriveStringsA,GetLogicalDriveStringsA,GetLogicalDriveStringsW,GetLogicalDriveStringsW,

0_2_013AAEC5

Source: C:\Users\user\Desktop\InjectToolInstaller.exe	File opened: C:\Users\user\AppData\Local\Temp\7zS48C4B291\node_modules\@isaacs\cliui	Jump to behavior
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	File opened: C:\Users\user\AppData\Local\Temp\7zS48C4B291\node_modules\@isaacs\cliui\node_modules	Jump to behavior
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	File opened: C:\Users\user\AppData\Local\Temp\7zS48C4B291\node_modules\@isaacs\cliui\build	Jump to behavior
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	File opened: C:\Users\user\AppData\Local\Temp\7zS48C4B291\node_modules\@isaacs\cliui\build\lib	Jump to behavior
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	File opened: C:\Users\user\AppData\Local\Temp\7zS48C4B291\node_modules\@isaacs\cliui\node_modules\emoji-regex	Jump to behavior
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	File opened: C:\Users\user\AppData\Local\Temp\7zS48C4B291\node_modules\@isaacs\cliui\node_modules\ansi-regex	Jump to behavior

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 4x nop then jmp 049FDED9h	42_2_049FDE78
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	42_2_04A041A8
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 4x nop then jmp 04A0A805h	42_2_04A0A631
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 4x nop then jmp 04A0A805h	42_2_04A0A640
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 4x nop then jmp 04A0A805h	42_2_04A0A7C5
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	42_2_04A041A0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 4x nop then jmp 04A0A805h	42_2_04A0A9B8
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	42_2_04DFD950

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2049060 ET TROJAN RisePro TCP Heartbeat Packet 192.168.2.22:49167 -> 116.203.183.140:54151
Source: Traffic	Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 116.203.183.140:54151 -> 192.168.2.22:49167

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 116.203.183.140:54151

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 34.117.186.192 34.117.186.192
Source: Joe Sandbox View	IP Address: 34.117.186.192 34.117.186.192
Source: Joe Sandbox View	IP Address: 104.26.4.15 104.26.4.15

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: HETZNER-ASDE HETZNER-ASDE

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d

May check the online IP address of the machine

Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	DNS query: name: ipinfo.io
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	DNS query: name: ipinfo.io
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	DNS query: name: ipinfo.io
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	DNS query: name: ipinfo.io

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /widget/demo/102.165.48.43 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=102.165.48.43 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: db-ip.com

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.22:49168 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.22:49169 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140

Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe

Code function: 48_2_005D5240 GetProcessHeap,InternetOpenA,InternetOpenA,InternetOpenUrlA,InternetOpenUrlA,InternetReadFile,InternetReadFile,InternetCloseHandle,InternetCloseHandle,CharNextA,CharNextA,CharNextA,CharNextA,

48_2_005D5240

Source: global traffic	HTTP traffic detected: GET /widget/demo/102.165.48.43 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=102.165.48.43 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: db-ip.com

Source: insta313tg.exe, 00000030.00000002.604627485.0000000000AD4000.00000004.00000020.00020000.00000000.sdmp

String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Source: unknown

DNS traffic detected: queries for: ipinfo.io

Source: package.json44.0.dr, package.json69.0.dr, package.json14.0.dr, package.json97.0.dr, package.json110.0.dr, package.json38.0.dr, package.json94.0.dr, package.json2.0.dr	String found in binary or memory: http://blog.izs.me/)
Source: 21.mp3.24.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: 21.mp3.24.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: 21.mp3.24.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: 21.mp3.24.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: diff.js0.0.dr, dmp.js.0.dr	String found in binary or memory: http://code.google.com/p/google-diff-match-patch/wiki/API
Source: insta313tg.exe, 00000030.00000002.604627485.0000000000AD4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: insta313tg.exe, 00000030.00000002.604627485.0000000000AD4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: insta313tg.exe, 00000030.00000002.604627485.0000000000AD4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: insta313tg.exe, 00000030.00000002.604627485.0000000000AD4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: insta313tg.exe, 00000030.00000002.604627485.0000000000AD4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: insta313tg.exe, 00000030.00000002.604627485.0000000000AD4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: insta313tg.exe, 00000030.00000002.604627485.0000000000AD4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: 21.mp3.24.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: 21.mp3.24.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: 21.mp3.24.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: 21.mp3.24.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: 21.mp3.24.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: 21.mp3.24.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: 21.mp3.24.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: sbom-cyclonedx.js.0.dr	String found in binary or memory: http://cyclonedx.org/schema/bom-1.5.schema.json
Source: conversions.js.0.dr	String found in binary or memory: http://dev.w3.org/csswg/css-color/#hwb-to-rgb
Source: package.json10.0.dr	String found in binary or memory: http://flipjs.io/)
Source: package.json137.0.dr	String found in binary or memory: http://github.com/DABH/colors.js.git
Source: imurmurhash.min.js.0.dr	String found in binary or memory: http://github.com/garycourt/murmurhash-js
Source: imurmurhash.min.js.0.dr	String found in binary or memory: http://github.com/homebrewing/brauhaus-diff
Source: CONTRIBUTING.md0.0.dr	String found in binary or memory: http://github.com/kpdecker/jsdiff/issues
Source: CONTRIBUTING.md0.0.dr	String found in binary or memory: http://github.com/kpdecker/jsdiff/issues).
Source: index.mjs0.0.dr, index.cjs0.0.dr, index.mjs.0.dr	String found in binary or memory: http://jsonpatch.com
Source: route.js.0.dr	String found in binary or memory: http://jsperf.com/1-vs-infinity
Source: package.json147.0.dr	String found in binary or memory: http://n8.io/
Source: package.json145.0.dr	String found in binary or memory: http://n8.io/)
Source: npm-audit.md.0.dr	String found in binary or memory: http://npm.im/
Source: npm-init.md.0.dr	String found in binary or memory: http://npm.im/init-package-json)
Source: insta313tg.exe, 00000030.00000002.604627485.0000000000AD4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: insta313tg.exe, 00000030.00000002.604627485.0000000000AD4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: insta313tg.exe, 00000030.00000002.604627485.0000000000AD4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: insta313tg.exe, 00000030.00000002.604627485.0000000000AD4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: insta313tg.exe, 00000030.00000002.604627485.0000000000AD4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: 21.mp3.24.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: 21.mp3.24.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: 21.mp3.24.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: 21.mp3.24.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: insta313tg.exe, 00000030.00000002.604627485.0000000000AD4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: insta313tg.exe, 00000030.00000002.604627485.0000000000AD4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: insta313tg.exe, 0000002A.00000002.470471234.0000000002682000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: package.json42.0.dr	String found in binary or memory: http://shannonmoeller.com)
Source: imurmurhash.min.js.0.dr	String found in binary or memory: http://sites.google.com/site/murmurhash/
Source: browser.js2.0.dr	String found in binary or memory: http://stackoverflow.com/a/16459606/376773
Source: browser.js2.0.dr	String found in binary or memory: http://stackoverflow.com/a/398120/376773
Source: CONTRIBUTING.md0.0.dr	String found in binary or memory: http://tbaggery.com/2008/04/19/a-note-about-git-commit-messages.html)
Source: LICENSE65.0.dr	String found in binary or memory: http://www.cl.cam.ac.uk/~mgk25/ucs/wcwidth.c).
Source: insta313tg.exe, 00000030.00000002.604627485.0000000000AD4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: 21.mp3.24.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: insta313tg.exe, 00000030.00000002.604627485.0000000000AD4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: escape.js1.0.dr	String found in binary or memory: http://www.robvanderwoude.com/escapechars.php
Source: insta313tg.exe, 0000002A.00000002.470797690.0000000003C02000.00000004.00000800.00020000.00000000.sdmp, insta313tg.exe, 0000002A.00000002.470797690.00000000034EE000.00000004.00000800.00020000.00000000.sdmp, insta313tg.exe, 00000030.00000002.604503591.000000000065F000.00000002.00000400.00020000.00000000.sdmp	String found in binary or memory: http://www.winimage.com/zLibDll
Source: npm-install.md.0.dr	String found in binary or memory: https://bitbucket.org/bitbucketname/bitbucketrepo
Source: npm-start.md.0.dr	String found in binary or memory: https://blog.npmjs.org/post/98131109725/npm-2-0-0)
Source: LICENSE.md11.0.dr	String found in binary or memory: https://blueoakcouncil.org/license/1.0.0
Source: insta313tg.exe, 00000030.00000002.604627485.0000000000AA4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/demo/home.php?s=102.165.48.43
Source: insta313tg.exe, 00000030.00000002.604627485.0000000000B34000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/demo/home.php?s=102.165.48.43=OW
Source: browser.js2.0.dr	String found in binary or memory: https://developer.mozilla.org/en-US/docs/Tools/Web_Console#Styling_messages
Source: npm-team.md.0.dr	String found in binary or memory: https://docs.npmjs.com/about-developers-team
Source: init.js.0.dr	String found in binary or memory: https://docs.npmjs.com/cli/commands/npx
Source: npm.md.0.dr	String found in binary or memory: https://docs.npmjs.com/policies/terms.
Source: npm-unpublish.md.0.dr	String found in binary or memory: https://docs.npmjs.com/policies/unpublish
Source: package.json33.0.dr	String found in binary or memory: https://feross.org
Source: package.json33.0.dr	String found in binary or memory: https://feross.org/support
Source: npm-install.md.0.dr	String found in binary or memory: https://gist.github.com/gistID
Source: package.json137.0.dr	String found in binary or memory: https://github.com/DABH
Source: package.json137.0.dr	String found in binary or memory: https://github.com/DABH/colors.js
Source: package.json137.0.dr	String found in binary or memory: https://github.com/DABH/colors.js/issues
Source: enoent.js.0.dr	String found in binary or memory: https://github.com/IndigoUnited/node-cross-spawn/issues/16
Source: utils.js.0.dr	String found in binary or memory: https://github.com/Marak/colors.js/blob/master/lib/styles.js
Source: package.json147.0.dr, package.json145.0.dr	String found in binary or memory: https://github.com/TooTallNate/proxy-agents.git
Source: package.json115.0.dr, package.json138.0.dr	String found in binary or memory: https://github.com/chalk/ansi-regex?sponsor=1
Source: npm.js.0.dr	String found in binary or memory: https://github.com/chalk/chalk/pull/600
Source: package.json37.0.dr	String found in binary or memory: https://github.com/chalk/chalk?sponsor=1
Source: package.json128.0.dr, package.json130.0.dr	String found in binary or memory: https://github.com/chalk/wrap-ansi?sponsor=1
Source: browser.js2.0.dr	String found in binary or memory: https://github.com/facebook/react-native/pull/1632
Source: package.json33.0.dr	String found in binary or memory: https://github.com/feross/buffer
Source: package.json33.0.dr	String found in binary or memory: https://github.com/feross/buffer/issues
Source: completion.fish.0.dr	String found in binary or memory: https://github.com/fish-shell/fish-shell/blob/HEAD/share/completions/npm.fish
Source: npm.md.0.dr	String found in binary or memory: https://github.com/git-guides/install-git)
Source: npm-install.md.0.dr	String found in binary or memory: https://github.com/githubname/githubrepo
Source: process-exec-sync.js.0.dr	String found in binary or memory: https://github.com/gvarsanyi/sync-exec/blob/master/js/sync-exec.js
Source: npm-install.md.0.dr	String found in binary or memory: https://github.com/indexzero/forever/tarball/v0.5.6
Source: package.json97.0.dr	String found in binary or memory: https://github.com/isaacs/color-support.git
Source: package.json105.0.dr	String found in binary or memory: https://github.com/isaacs/common-ancestor-path
Source: package.json2.0.dr	String found in binary or memory: https://github.com/isaacs/inflight
Source: package.json2.0.dr	String found in binary or memory: https://github.com/isaacs/inflight/issues
Source: package.json14.0.dr	String found in binary or memory: https://github.com/isaacs/isexe#readme
Source: package.json14.0.dr	String found in binary or memory: https://github.com/isaacs/isexe.git
Source: package.json14.0.dr	String found in binary or memory: https://github.com/isaacs/isexe/issues
Source: package.json20.0.dr	String found in binary or memory: https://github.com/isaacs/jackspeak.git
Source: package.json25.0.dr	String found in binary or memory: https://github.com/isaacs/json-stringify-nice
Source: package.json100.0.dr	String found in binary or memory: https://github.com/isaacs/minipass-sized.git
Source: package.json110.0.dr, package.json94.0.dr	String found in binary or memory: https://github.com/isaacs/minipass.git
Source: package.json116.0.dr	String found in binary or memory: https://github.com/isaacs/node-mkdirp.git
Source: package.json46.0.dr	String found in binary or memory: https://github.com/isaacs/node-tar.git
Source: package.json143.0.dr	String found in binary or memory: https://github.com/isaacs/string-locale-compare
Source: package.json92.0.dr	String found in binary or memory: https://github.com/isaacs/walk-up-path
Source: CONTRIBUTING.md0.0.dr	String found in binary or memory: https://github.com/kpdecker/jsdiff/pull/new/master
Source: utils.js.0.dr	String found in binary or memory: https://github.com/matheussampaio
Source: package.json139.0.dr	String found in binary or memory: https://github.com/mathiasbynens/emoji-regex.git
Source: package.json139.0.dr	String found in binary or memory: https://github.com/mathiasbynens/emoji-regex/issues
Source: insta313tg.exe, 0000002A.00000002.471586467.0000000004860000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: insta313tg.exe, 0000002A.00000002.471586467.0000000004860000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: insta313tg.exe, 0000002A.00000002.471586467.0000000004860000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: CONTRIBUTING.md.0.dr	String found in binary or memory: https://github.com/nodejs/admin/blob/master/CODE_OF_CONDUCT.md)
Source: update-gyp.py.0.dr	String found in binary or memory: https://github.com/nodejs/gyp-next/archive/
Source: npm.md.0.dr	String found in binary or memory: https://github.com/nodejs/node-gyp)
Source: npm.md.0.dr	String found in binary or memory: https://github.com/nodejs/node-gyp/wiki).
Source: index.js58.0.dr	String found in binary or memory: https://github.com/nodejs/node/blob/b3fcc245fb25539909ef1d5eaa01dbf92e168633/lib/path.js#L56
Source: index.js3.0.dr	String found in binary or memory: https://github.com/nodejs/node/issues/42785
Source: package.json148.0.dr	String found in binary or memory: https://github.com/npm/agent#readme
Source: package.json148.0.dr	String found in binary or memory: https://github.com/npm/agent.git
Source: package.json148.0.dr	String found in binary or memory: https://github.com/npm/agent/issues
Source: package.json135.0.dr, package.json136.0.dr	String found in binary or memory: https://github.com/npm/cli#readme
Source: package.json135.0.dr, package.json136.0.dr	String found in binary or memory: https://github.com/npm/cli.git
Source: npm.md.0.dr	String found in binary or memory: https://github.com/npm/cli/blob/latest/CONTRIBUTING.md)
Source: package.json135.0.dr, error-message.js.0.dr, package.json136.0.dr, exit-handler.js.0.dr, npm.md.0.dr	String found in binary or memory: https://github.com/npm/cli/issues
Source: index.js71.0.dr	String found in binary or memory: https://github.com/npm/cli/issues/969
Source: index.js71.0.dr	String found in binary or memory: https://github.com/npm/cli/issues/969#issuecomment-737496588
Source: package.json89.0.dr	String found in binary or memory: https://github.com/npm/cmd-shim.git
Source: index.js71.0.dr	String found in binary or memory: https://github.com/npm/cmd-shim/issues/10
Source: package.json149.0.dr	String found in binary or memory: https://github.com/npm/disparity-colors.git
Source: npm.md.0.dr	String found in binary or memory: https://github.com/npm/feedback
Source: package.json44.0.dr	String found in binary or memory: https://github.com/npm/fs-minipass#readme
Source: package.json44.0.dr	String found in binary or memory: https://github.com/npm/fs-minipass.git
Source: package.json44.0.dr	String found in binary or memory: https://github.com/npm/fs-minipass/issues
Source: package.json150.0.dr	String found in binary or memory: https://github.com/npm/fs.git
Source: package.json2.0.dr	String found in binary or memory: https://github.com/npm/inflight.git
Source: package.json6.0.dr	String found in binary or memory: https://github.com/npm/init-package-json.git
Source: package.json19.0.dr	String found in binary or memory: https://github.com/npm/json-parse-even-better-errors.git
Source: package.json88.0.dr	String found in binary or memory: https://github.com/npm/minipass-fetch.git
Source: package.json93.0.dr	String found in binary or memory: https://github.com/npm/minipass-json-stream.git
Source: package.json126.0.dr	String found in binary or memory: https://github.com/npm/mute-stream.git
Source: package.json56.0.dr	String found in binary or memory: https://github.com/npm/npm-install-checks.git
Source: package.json61.0.dr	String found in binary or memory: https://github.com/npm/npm-package-arg
Source: package.json61.0.dr	String found in binary or memory: https://github.com/npm/npm-package-arg.git
Source: package.json61.0.dr	String found in binary or memory: https://github.com/npm/npm-package-arg/issues
Source: npm-dist-tag.md.0.dr	String found in binary or memory: https://github.com/npm/npm/issues/6082
Source: package.json67.0.dr	String found in binary or memory: https://github.com/npm/npmlog.git
Source: npm.md.0.dr	String found in binary or memory: https://github.com/npm/rfcs
Source: update.js.0.dr	String found in binary or memory: https://github.com/npm/rfcs/blob/latest/implemented/0019-remove-update-depth-option.md
Source: package.json50.0.dr	String found in binary or memory: https://github.com/npm/treeverse.git
Source: package.json62.0.dr	String found in binary or memory: https://github.com/npm/validate-npm-package-name
Source: package.json62.0.dr	String found in binary or memory: https://github.com/npm/validate-npm-package-name.git
Source: package.json62.0.dr	String found in binary or memory: https://github.com/npm/validate-npm-package-name/issues
Source: package.json134.0.dr	String found in binary or memory: https://github.com/npm/write-file-atomic
Source: package.json134.0.dr	String found in binary or memory: https://github.com/npm/write-file-atomic.git
Source: package.json134.0.dr	String found in binary or memory: https://github.com/npm/write-file-atomic/issues
Source: package.json42.0.dr	String found in binary or memory: https://github.com/shannonmoeller/cli-columns#readme
Source: index.js28.0.dr	String found in binary or memory: https://github.com/sindresorhus/has-flag/blob/main/index.js
Source: package.json33.0.dr	String found in binary or memory: https://github.com/sponsors/feross
Source: package.json20.0.dr, package.json25.0.dr	String found in binary or memory: https://github.com/sponsors/isaacs
Source: package.json39.0.dr	String found in binary or memory: https://github.com/sponsors/sibiraj-s
Source: package.json70.0.dr, package.json140.0.dr	String found in binary or memory: https://github.com/sponsors/sindresorhus
Source: CONTRIBUTING.md0.0.dr	String found in binary or memory: https://github.com/walmartlabs/generator-release
Source: package.json39.0.dr	String found in binary or memory: https://github.com/watson/ci-info
Source: package.json39.0.dr	String found in binary or memory: https://github.com/watson/ci-info.git
Source: package.json39.0.dr	String found in binary or memory: https://github.com/watson/ci-info/issues
Source: package.json15.0.dr	String found in binary or memory: https://github.com/watson/is-lambda
Source: package.json15.0.dr	String found in binary or memory: https://github.com/watson/is-lambda.git
Source: package.json15.0.dr	String found in binary or memory: https://github.com/watson/is-lambda/issues
Source: package.json49.0.dr	String found in binary or memory: https://github.com/wildlyinaccurate/relative-date.git
Source: index.js67.0.dr	String found in binary or memory: https://github.com/yetingli
Source: npm-install.md.0.dr	String found in binary or memory: https://gitlab.com/gitlabname/gitlabrepo
Source: index.js130.0.dr	String found in binary or memory: https://hackerone.com/reports/541502
Source: insta313tg.exe, insta313tg.exe, 00000030.00000002.604627485.0000000000B1E000.00000004.00000020.00020000.00000000.sdmp, insta313tg.exe, 00000030.00000002.604627485.0000000000AA4000.00000004.00000020.00020000.00000000.sdmp, insta313tg.exe, 00000030.00000002.604627485.0000000000AD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/
Source: insta313tg.exe, 00000030.00000002.604627485.0000000000AD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/Mozilla/5.0
Source: insta313tg.exe, 0000002A.00000002.470797690.0000000003C02000.00000004.00000800.00020000.00000000.sdmp, insta313tg.exe, 0000002A.00000002.470797690.00000000034EE000.00000004.00000800.00020000.00000000.sdmp, insta313tg.exe, 00000030.00000002.604503591.000000000065F000.00000002.00000400.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
Source: insta313tg.exe, 00000030.00000002.604627485.0000000000AA4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/m3m1
Source: insta313tg.exe, 00000030.00000002.604627485.0000000000AA4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/widget/demo/102.165.48.43
Source: insta313tg.exe, 00000030.00000002.604627485.0000000000AD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/widget/demo/102.165.48.43=OW
Source: package.json105.0.dr, package.json25.0.dr, package.json92.0.dr, package.json143.0.dr, package.json93.0.dr, package.json100.0.dr	String found in binary or memory: https://izs.me)
Source: route.js.0.dr	String found in binary or memory: https://jsperf.com/object-keys-vs-for-in-with-closure/3
Source: package.json63.0.dr	String found in binary or memory: https://kemitchell.com)
Source: LICENSE-MIT.txt1.0.dr, LICENSE-MIT.txt0.0.dr, package.json139.0.dr	String found in binary or memory: https://mathiasbynens.be/
Source: cssesc.js.0.dr	String found in binary or memory: https://mathiasbynens.be/notes/css-escapes#css
Source: cssesc.js.0.dr	String found in binary or memory: https://mths.be/cssesc
Source: index.js107.0.dr, text.js.0.dr, text.js0.0.dr, RGI_Emoji.js1.0.dr	String found in binary or memory: https://mths.be/emoji
Source: package.json139.0.dr	String found in binary or memory: https://mths.be/emoji-regex
Source: validate-engines.js.0.dr	String found in binary or memory: https://nodejs.org/.
Source: polyfill.js.0.dr	String found in binary or memory: https://nodejs.org/api/fs.html#fs_stat_time_values)
Source: options.js2.0.dr	String found in binary or memory: https://nodejs.org/api/http.html#new-agentoptions
Source: doctor.js.0.dr	String found in binary or memory: https://nodejs.org/dist/index.json
Source: npm-init.md.0.dr	String found in binary or memory: https://npm.im/create-esm):
Source: npm-init.md.0.dr	String found in binary or memory: https://npm.im/create-react-app)
Source: npm-init.md.0.dr	String found in binary or memory: https://npm.im/create-react-app):
Source: npm-access.md.0.dr	String found in binary or memory: https://npm.im/libnpmaccess)
Source: npm-search.md.0.dr	String found in binary or memory: https://npm.im/npm-registry-fetch
Source: escape.js1.0.dr	String found in binary or memory: https://qntm.org/cmd
Source: npm.md.0.dr	String found in binary or memory: https://registry.npmjs.org
Source: npm-audit.md.0.dr	String found in binary or memory: https://registry.npmjs.org/-/npm/v1/keys
Source: npm-audit.md.0.dr	String found in binary or memory: https://registry.npmjs.org/light-cycle/1.4.3)
Source: package.json149.0.dr	String found in binary or memory: https://ruyadorno.com
Source: insta313tg.exe, 00000030.00000002.604627485.0000000000AD4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0
Source: package.json70.0.dr, package.json128.0.dr, package.json130.0.dr, package.json115.0.dr, package.json138.0.dr, package.json140.0.dr	String found in binary or memory: https://sindresorhus.com
Source: license3.0.dr	String found in binary or memory: https://sindresorhus.com)
Source: insta313tg.exe, 0000002A.00000002.471586467.0000000004860000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: insta313tg.exe, 0000002A.00000002.471586467.0000000004860000.00000004.08000000.00040000.00000000.sdmp, insta313tg.exe, 0000002A.00000002.470471234.000000000254E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: insta313tg.exe, 0000002A.00000002.471586467.0000000004860000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: completion.fish.0.dr	String found in binary or memory: https://stackoverflow.com/questions/16657803/creating-autocomplete-script-with-sub-commands
Source: SmzK98tFGb6qzdocFm21bMi.zip.48.dr	String found in binary or memory: https://t.me/RiseProSUPPORT
Source: insta313tg.exe, 00000030.00000002.604627485.0000000000AD4000.00000004.00000020.00020000.00000000.sdmp, insta313tg.exe, 00000030.00000002.604627485.0000000000B34000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/risepro_bot
Source: insta313tg.exe, 00000030.00000002.604627485.0000000000AD4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/risepro_bot3
Source: insta313tg.exe, 00000030.00000002.604627485.0000000000AD4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/risepro_botisepro_bot
Source: index.js131.0.dr	String found in binary or memory: https://tools.ietf.org/html/rfc1928#section-3
Source: package.json39.0.dr, package.json15.0.dr	String found in binary or memory: https://twitter.com/wa7son)
Source: package.json49.0.dr	String found in binary or memory: https://wildlyinaccurate.com/)
Source: insta313tg.exe, 00000030.00000002.604920729.000000000388C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wprogs.top/
Source: insta313tg.exe, 00000030.00000002.604627485.0000000000AD4000.00000004.00000020.00020000.00000000.sdmp, insta313tg.exe, 00000030.00000002.604627485.0000000000B34000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wprogs.top/wefrgdf/bndwaf.exe
Source: insta313tg.exe, 00000030.00000002.604627485.0000000000B34000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wprogs.top/wefrgdf/bndwaf.exe#
Source: insta313tg.exe, 00000030.00000002.604627485.0000000000AD4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wprogs.top/wefrgdf/rwrgtf.exe
Source: insta313tg.exe, 00000030.00000002.604627485.0000000000AC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wprogs.top:80/wefrgdf/bndwaf.exe
Source: diff.js0.0.dr	String found in binary or memory: https://www.artima.com/weblogs/viewpost.jsp?thread=164293
Source: 21.mp3.24.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: insta313tg.exe, 00000030.00000002.604873398.0000000003241000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/search%3Fq%3Dtest%26oq%3Dtest%26aqs%3Dchrome..69i57j46j0l3j46j0.427j0j7%26sou
Source: insta313tg.exe, 00000030.00000002.604873398.0000000003241000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/search%3Fq%3Dwmf%2B5.1%26oq%3Dwmf%2B5.1%26aqs%3Dchrome..69i57j0l7.3167j0j7%26
Source: Chrome_Default.txt0.48.dr	String found in binary or memory: https://www.google.com/search?q=net
Source: Chrome_Default.txt0.48.dr	String found in binary or memory: https://www.google.com/search?q=test&oq=test&aqs=chrome..69i57j46j0l3j46j0.427j0j7&sourceid=chrome&i
Source: Chrome_Default.txt0.48.dr	String found in binary or memory: https://www.google.com/search?q=wmf
Source: Chrome_Default.txt0.48.dr	String found in binary or memory: https://www.google.com/sorry/index
Source: Chrome_Default.txt0.48.dr	String found in binary or memory: https://www.google.com/sorry/index?continue=https://www.google.com/search%3Fq%3Dtest%26oq%3Dtest%26a
Source: Chrome_Default.txt0.48.dr	String found in binary or memory: https://www.google.com/sorry/index?continue=https://www.google.com/search%3Fq%3Dwmf%2B5.1%26oq%3Dwmf
Source: insta313tg.exe	String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: error-message.js.0.dr	String found in binary or memory: https://www.npmjs.com/forgot
Source: bugs.js.0.dr	String found in binary or memory: https://www.npmjs.com/package/$
Source: npm-install.md.0.dr	String found in binary or memory: https://www.npmjs.com/package/validate-npm-package-name#naming-rules).
Source: package.json33.0.dr	String found in binary or memory: https://www.patreon.com/feross

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49169
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49168
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49171
Source: unknown	Network traffic detected: HTTP traffic on port 49168 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49169 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49171 -> 443

Contains functionality to record screenshots

Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe

Code function: 48_2_0055AF30 GdiplusStartup,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GdipCreateBitmapFromHBITMAP,GdipGetImageEncodersSize,GdipGetImageEncoders,GdipSaveImageToFile,DeleteObject,GdipDisposeImage,DeleteObject,ReleaseDC,GdiplusShutdown,

48_2_0055AF30

System Summary

Potential malicious VBS script found (suspicious strings)

Source: C:\Windows\SysWOW64\cmd.exe

Dropped file: createobject("shell.application").shellexecute "C:\Users\user\AppData\Local\Temp\insta313tg.exe",,,"runas",1

Jump to dropped file

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\SysWOW64\wscript.exe

COM Object queried: Shell Automation Service HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{13709620-C279-11CE-A49E-444553540000}\ProgID

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\SysWOW64\net1.exe	Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\SysWOW64\net.exe	Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\SysWOW64\net1.exe	Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\SysWOW64\wscript.exe	Memory allocated: 770B0000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Memory allocated: 770B0000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Memory allocated: 770B0000 page execute and read and write

Contains functionality to communicate with device drivers

Source: C:\Users\user\AppData\Local\Temp\data.exe

Code function: 24_2_000000013F29903C: wcscpy,CreateFileW,CloseHandle,wcscpy,wcscpy,CreateDirectoryW,wcscpy,wcscpy,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,

24_2_000000013F29903C

Detected potential crypto function

Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013B176C	0_2_013B176C
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013BBBFC	0_2_013BBBFC
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013DC1E1	0_2_013DC1E1
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013A42C3	0_2_013A42C3
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013C857E	0_2_013C857E
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013DC43E	0_2_013DC43E
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013DC6AA	0_2_013DC6AA
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013DC907	0_2_013DC907
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013C2971	0_2_013C2971
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013FAB22	0_2_013FAB22
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013DCB64	0_2_013DCB64
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013F4A20	0_2_013F4A20
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013DCDD0	0_2_013DCDD0
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013F4F60	0_2_013F4F60
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013C2E6D	0_2_013C2E6D
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013A1169	0_2_013A1169
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013A1202	0_2_013A1202
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013C3285	0_2_013C3285
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013F359C	0_2_013F359C
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013F5410	0_2_013F5410
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013DB4B1	0_2_013DB4B1
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013C36BA	0_2_013C36BA
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013DB6E0	0_2_013DB6E0
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013A1939	0_2_013A1939
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013DB91A	0_2_013DB91A
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013F5B3F	0_2_013F5B3F
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013DBB49	0_2_013DBB49
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013A1A78	0_2_013A1A78
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013C3AEF	0_2_013C3AEF
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013DBD78	0_2_013DBD78
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013DBFB2	0_2_013DBFB2
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F29ADE8	24_2_000000013F29ADE8
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F2A2550	24_2_000000013F2A2550
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F2B23F0	24_2_000000013F2B23F0
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F297C4C	24_2_000000013F297C4C
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F2942C4	24_2_000000013F2942C4
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F2A5008	24_2_000000013F2A5008
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F29370C	24_2_000000013F29370C
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F2A4704	24_2_000000013F2A4704
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F2C3F44	24_2_000000013F2C3F44
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F2C6760	24_2_000000013F2C6760
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F2A9790	24_2_000000013F2A9790
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F2BCF94	24_2_000000013F2BCF94
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F2C9F68	24_2_000000013F2C9F68
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F2955F8	24_2_000000013F2955F8
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F2AD650	24_2_000000013F2AD650
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F292E60	24_2_000000013F292E60
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F2ACE2C	24_2_000000013F2ACE2C
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F2BCD18	24_2_000000013F2BCD18
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F2B353C	24_2_000000013F2B353C
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F2A2D78	24_2_000000013F2A2D78
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F2B0DAC	24_2_000000013F2B0DAC
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F2C0CDC	24_2_000000013F2C0CDC
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F2A9AFC	24_2_000000013F2A9AFC
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F2A3394	24_2_000000013F2A3394
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F2A9378	24_2_000000013F2A9378
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F295A30	24_2_000000013F295A30
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F2C6290	24_2_000000013F2C6290
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F2A0120	24_2_000000013F2A0120
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F2978E4	24_2_000000013F2978E4
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F2A39C4	24_2_000000013F2A39C4
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F2A71AC	24_2_000000013F2A71AC
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F2A9060	24_2_000000013F2A9060
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F2A8858	24_2_000000013F2A8858
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F29903C	24_2_000000013F29903C
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_00516DF8	42_2_00516DF8
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_005156B8	42_2_005156B8
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_00517BA8	42_2_00517BA8
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_00516DE8	42_2_00516DE8
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_020D7014	42_2_020D7014
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_020D4868	42_2_020D4868
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_020D5C1B	42_2_020D5C1B
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_020DA000	42_2_020DA000
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_020DA002	42_2_020DA002
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_020DB040	42_2_020DB040
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_020DF760	42_2_020DF760
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_020DF770	42_2_020DF770
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_020D45A0	42_2_020D45A0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_020D45B0	42_2_020D45B0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_020D4859	42_2_020D4859
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_043F0048	42_2_043F0048
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_043F0001	42_2_043F0001
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_049FAED0	42_2_049FAED0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_049FE78C	42_2_049FE78C
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_049FE228	42_2_049FE228
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_049FF373	42_2_049FF373
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_049FE7C9	42_2_049FE7C9
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_04A088E0	42_2_04A088E0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_04A07AB0	42_2_04A07AB0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_04A0A631	42_2_04A0A631
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_04A0A640	42_2_04A0A640
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_04A0A7C5	42_2_04A0A7C5
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_04A07160	42_2_04A07160
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_04A09351	42_2_04A09351
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_04C5B400	42_2_04C5B400
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_04C5C5F9	42_2_04C5C5F9
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_04C5EE28	42_2_04C5EE28
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_04C57F98	42_2_04C57F98
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_04C55D2C	42_2_04C55D2C
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_04C57F88	42_2_04C57F88
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_04C5B727	42_2_04C5B727
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_04C50040	42_2_04C50040
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_04C50006	42_2_04C50006
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_04C62BA8	42_2_04C62BA8
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_04C67C81	42_2_04C67C81
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_04C67C90	42_2_04C67C90
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_04C648B0	42_2_04C648B0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_04C62B98	42_2_04C62B98
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_04DF0040	42_2_04DF0040
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_04DF0007	42_2_04DF0007
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_0599F378	42_2_0599F378
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_05980006	42_2_05980006
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_05980040	42_2_05980040
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_0599D240	42_2_0599D240
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0055E150	48_2_0055E150
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_00596230	48_2_00596230
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0058E2D0	48_2_0058E2D0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005DE490	48_2_005DE490
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005B4577	48_2_005B4577
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0057C597	48_2_0057C597
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0058C7F0	48_2_0058C7F0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005788A0	48_2_005788A0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005DE910	48_2_005DE910
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_00588A00	48_2_00588A00
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_00574AD0	48_2_00574AD0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0058CA80	48_2_0058CA80
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005DEB70	48_2_005DEB70
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0057EB84	48_2_0057EB84
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_00592F40	48_2_00592F40
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0057AF7D	48_2_0057AF7D
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005A70F0	48_2_005A70F0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_00593160	48_2_00593160
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005D5240	48_2_005D5240
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_00591220	48_2_00591220
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_00573330	48_2_00573330
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005A9440	48_2_005A9440
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0058B480	48_2_0058B480
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_00599550	48_2_00599550
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005A7770	48_2_005A7770
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005877E0	48_2_005877E0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005DF810	48_2_005DF810
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005858A0	48_2_005858A0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0058D910	48_2_0058D910
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005B19E0	48_2_005B19E0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0063BB6D	48_2_0063BB6D
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005B3E4B	48_2_005B3E4B
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_00575E30	48_2_00575E30
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_00581ED0	48_2_00581ED0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005DA03B	48_2_005DA03B
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005DE140	48_2_005DE140
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0057E108	48_2_0057E108
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_00578129	48_2_00578129
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0057E229	48_2_0057E229
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0056A290	48_2_0056A290
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005E63D0	48_2_005E63D0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005AA3E8	48_2_005AA3E8
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0063646A	48_2_0063646A
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_00594457	48_2_00594457
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005524F0	48_2_005524F0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005EC4F0	48_2_005EC4F0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_006384A0	48_2_006384A0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005D6550	48_2_005D6550
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005D8610	48_2_005D8610
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005E2610	48_2_005E2610
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0059C620	48_2_0059C620
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_00566689	48_2_00566689
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005AC730	48_2_005AC730
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005E68C0	48_2_005E68C0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005648E0	48_2_005648E0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_00626970	48_2_00626970
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_00622950	48_2_00622950
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0059A900	48_2_0059A900
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005AEAA0	48_2_005AEAA0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_00582C59	48_2_00582C59
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_00568C58	48_2_00568C58
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005AEC08	48_2_005AEC08
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005D6C00	48_2_005D6C00
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_00632CE0	48_2_00632CE0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005AACC9	48_2_005AACC9
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005E2CF0	48_2_005E2CF0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_00588C97	48_2_00588C97
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005AAF69	48_2_005AAF69
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005B0F08	48_2_005B0F08
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005D90E0	48_2_005D90E0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0057B0E9	48_2_0057B0E9
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_00625100	48_2_00625100
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005ED1A0	48_2_005ED1A0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_00569259	48_2_00569259
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005F1270	48_2_005F1270
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005912D8	48_2_005912D8
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0059F280	48_2_0059F280
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_00583286	48_2_00583286
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005DF360	48_2_005DF360
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0064B3B9	48_2_0064B3B9
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0059B568	48_2_0059B568
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005D55B0	48_2_005D55B0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005DF600	48_2_005DF600
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0058B6C9	48_2_0058B6C9
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0064F771	48_2_0064F771
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_00649824	48_2_00649824
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0061F800	48_2_0061F800
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005D9880	48_2_005D9880
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0059B939	48_2_0059B939
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005F59E1	48_2_005F59E1
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_00587A47	48_2_00587A47
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_00565A10	48_2_00565A10
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005ADA99	48_2_005ADA99
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0061DB2C	48_2_0061DB2C
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_00607B30	48_2_00607B30
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005D5B20	48_2_005D5B20
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_00573B28	48_2_00573B28
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005A9BD9	48_2_005A9BD9
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0060DC70	48_2_0060DC70
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005AFC77	48_2_005AFC77
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005DBD50	48_2_005DBD50
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005A9D39	48_2_005A9D39
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_00567DC0	48_2_00567DC0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005E1E30	48_2_005E1E30
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0063BEAF	48_2_0063BEAF
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005D3F80	48_2_005D3F80
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_00611F90	48_2_00611F90

Dropped file seen in connection with other malware

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\7zS48C4B291\node_modules\color-support\bin.js A797F6FEA8A46F7ADF24FB22DB2C880E8202587094BEA0F83029C81C66FB7048

Found potential string decryption / allocating functions

Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: String function: 0062FED0 appears 53 times
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: String function: 005BE530 appears 44 times
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: String function: 005E2450 appears 102 times
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: String function: 013BFF5F appears 136 times
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: String function: 013BFD30 appears 56 times
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: String function: 013E6094 appears 60 times
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: String function: 013E97DA appears 32 times

PE / OLE file has an invalid certificate

Source: InjectToolInstaller.exe

Static PE information: invalid certificate

Sample file is different than original file name gathered from version info

Source: InjectToolInstaller.exe, 00000000.00000000.335517606.0000000001415000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilename7zS.sfx.exe< vs InjectToolInstaller.exe
Source: InjectToolInstaller.exe, 00000000.00000003.382514881.0000000000464000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSHDOCVW.DLL.MUIj% vs InjectToolInstaller.exe
Source: InjectToolInstaller.exe	Binary or memory string: OriginalFilename7zS.sfx.exe< vs InjectToolInstaller.exe

Tries to load missing DLLs

Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Section loaded: ext-ms-win-kernel32-package-current-l1-1-0.dll	Jump to behavior
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Section loaded: devrtl.dll	Jump to behavior
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winbrand.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winbrand.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winbrand.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: browcli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: dsrole.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: browcli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: samlib.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: ntdsapi.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: netmsg.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winbrand.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: browcli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: dsrole.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: browcli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: samlib.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: ntdsapi.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: netmsg.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\data.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\AppData\Local\Temp\data.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\AppData\Local\Temp\data.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\AppData\Local\Temp\data.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\AppData\Local\Temp\data.exe	Section loaded: <pi-ms-win-core-localization-l1-2-1.dll
Source: C:\Users\user\AppData\Local\Temp\data.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\data.exe	Section loaded: ext-ms-win-kernel32-package-current-l1-1-0.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: devrtl.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Section loaded: wow64win.dll
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Section loaded: wow64cpu.dll
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Section loaded: rpcrtremote.dll
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Section loaded: wbemcomn2.dll
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Section loaded: bcrypt.dll
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Section loaded: ntdsapi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Section loaded: wow64win.dll
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Section loaded: wow64cpu.dll
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Section loaded: bcrypt.dll
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Section loaded: credssp.dll
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Section loaded: rpcrtremote.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll

Uses 32bit PE files

Source: InjectToolInstaller.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 42.2.insta313tg.exe.37f2788.5.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 42.2.insta313tg.exe.37f2788.5.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 42.2.insta313tg.exe.37f2788.5.raw.unpack, Task.cs	Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 42.2.insta313tg.exe.37f2788.5.raw.unpack, TaskService.cs	Task registration methods: 'CreateFromToken'
Source: 42.2.insta313tg.exe.4cb0000.7.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 42.2.insta313tg.exe.4cb0000.7.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'

Source: 42.2.insta313tg.exe.37f2788.5.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 42.2.insta313tg.exe.37f2788.5.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 42.2.insta313tg.exe.37f2788.5.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 42.2.insta313tg.exe.4cb0000.7.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 42.2.insta313tg.exe.4cb0000.7.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 42.2.insta313tg.exe.37f2788.5.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 42.2.insta313tg.exe.4cb0000.7.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 42.2.insta313tg.exe.4cb0000.7.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 42.2.insta313tg.exe.4cb0000.7.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 42.2.insta313tg.exe.4cb0000.7.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 42.2.insta313tg.exe.37f2788.5.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 42.2.insta313tg.exe.37f2788.5.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@145/1085@5/5

Source: C:\Users\user\AppData\Local\Temp\data.exe

Code function: 24_2_000000013F298AD4 GetLastError,FormatMessageW,

24_2_000000013F298AD4

Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe

Code function: 48_2_005E4110 GetVersionExA,CreateFileW,CreateFileA,GetDiskFreeSpaceW,GetDiskFreeSpaceA,

48_2_005E4110

Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe

Code function: 48_2_0055C430 RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey,

48_2_0055C430

Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe

Code function: 48_2_00596230 CopyFileA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,CopyFileA,GetUserNameA,CopyFileA,SHGetFolderPathA,CoInitialize,CoCreateInstance,MultiByteToWideChar,CoUninitialize,ShellExecuteA,

48_2_00596230

Source: C:\Users\user\AppData\Local\Temp\data.exe

Code function: 24_2_000000013F2B0C0C FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipAlloc,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,

24_2_000000013F2B0C0C

Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe

File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\signons.sqlite

Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\InjectToolInstaller.exe

File created: C:\Users\user\AppData\Local\Temp\7zS48C4B291

Jump to behavior

Source: C:\Users\user\Desktop\InjectToolInstaller.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\7zS48C4B291\run.bat" "

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\7zS48C4B291\runas.vbs"

Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................ . . . . . . . .1. .f.i.l.e.(.s.). .c.o.p.i.e.d.................0.......................6.................1.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................ . . . . . . . .1. .f.i.l.e.(.s.). .c.o.p.i.e.d.........[..s............................6.................1.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................ . . . . . . . .1. .f.i.l.e.(.s.). .c.o.p.i.e.d.........[..s............................6.................1.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................C.H.E.A.T. .E.N.G.I.N.E. .S.C.R.I.P.T. .R.U.N.N.E.R.............M.......................8....]..................	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................H.......(.P.....\.......d...............V/..............................................\....]..................	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................H.......(.P.....\.......d...............e/..............................................b....]..................	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................H.......(.P.....\.......d...............t/...................................................]..................	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................H.......(.P.....\.......d................/......................T............................]..................	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................H.......(.P.....\.......d................/...................................................]..................	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................H.......(.P.....\.......d................/..............................................b....]..................	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................H.......(.P.....\.......d................/..............................................b....]..................	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................H.......(.P.....\.......d................/......................B.......................V....]..................	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................H.......(.P.....\.......d................/...................................................]..................	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................H.......(.P.....\.......d................/...................................................]..................	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................H.......(.P.....\.......d................/...................................................]..................	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................H.......(.P.....\.......d................/...................................................]..................	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................H.......(.P.....\.......d................0...................................................]..................	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................H.......(.P.....\.......d................0......................#............................]..................	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................H.......(.P.....\.......d...............(0......................k............................]..................	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................H.......(.P.....\.......d...............70...................................................]..................	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................H.......(.P.....\.......d...............F0...................................................]..................	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................H.......(.P.....\.......d...............U0......................U............................]..................	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................H.......(.P.....\.......d...............d0..............................................z....]..................	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................H.......(.P.....\.......d...............s0...................................................]..................	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................H.......(.P.....\.......d................0......................N............................]..................	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................@4..............0..............._B.s....P$.s.... .........8.............................R.................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....L7..............6..s............................T.................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s.....:..............6..s............................V.................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s.....>..............6..s............................X.................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....:E..............6..s............................Z.................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....FG..............6..s............................\.................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s.....H..............6..s............................^.................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....'J..............6..s............................`.................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s.....K..............6..s............................b.................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s.....M..............6..s............................d.................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....cN..............6..s............................f.................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s.....O..............6..s............................h.................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....EQ..............6..s............................j.................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s.....R..............6..s............................l.................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s.....S..............6..s............................n.................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s.....T..............6..s............................p.................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s.....V..............6..s............................r.................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s.....W..............6..s............................t.................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....yY..............6..s............................v.................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s.....Z..............6..s............................x.................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s.....[..............6..s............................z.................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....z]..............6..s............................\|.................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s.....`..............6..s............................~.................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....3b..............6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s.....c..............6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s.....d..............6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s.....f..............6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s.....h..............6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s.....k..............6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s.....l..............6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s.....n..............6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s...."q..............6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....~r..............6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....qt..............6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s.....u..............6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s.....x..............6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s...._z..............6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s.....}..............6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....................6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....................6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....5...............6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....j...............6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....................6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....................6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s..../...............6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....8...............6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....................6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....................6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....................6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....................6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....................6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....T...............6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....................6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....................6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....b...............6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....6...............6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....................6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....]...............6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....................6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....................6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....p...............6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s...."...............6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....................6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....................6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....a...............6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....................6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....................6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....6...............6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....a...............6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....................6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....................6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....................6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....l...............6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....]...............6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....................6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....V...............6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....h...............6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....................6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....................6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....................6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....................6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....R...............6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ..................d.....................(.P.....t.......................V5......................0...d.o.........h...............................
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ..................d.....................(.P.....t.......................\5......................0...d.o.................\.......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................$........:.........................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................$........:.........................s..............(.............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................$........:.........................s............................h...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................$........:.........................s..............(.............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................$........:.........................s............................h...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................$........:.........................s..............(.............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................a.g.a.i.n.......................$........:.........................s..............(.............h...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................$........;.........................s..............(.............h...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.1.$........;.........................s..............(..... .......h...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................$.......);.........................s..............(.............h...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................$.......;;.........................s............................h...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................$.......G;.........................s..............(.............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................+. .~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.....Y;.........................s..............(.....$.......h...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................$.......e;.........................s..............(.............h...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................$.......w;.........................s............................h...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................$........;.........................s..............(.............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ . . .m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n..................s..............(.....2.......h...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................$........;.........................s..............(.............h...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................$........;.........................s....................l.......h...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................$........;.........................s..............(.............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ .......(.P.....................$........;.........................s..............(.............h...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................$........;.........................s..............(.............h...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P..............................@.........................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P..............................@.........................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P..............................@.........................s............................h...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P..............................@.........................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P..............................@.........................s............................h...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P..............................@.........................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................a.g.a.i.n................................@.........................s............................h...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P..............................@.........................s............................h...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.1..........A.........................s.................... .......h...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P..............................A.........................s............................h...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P............................. A.........................s............................h...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............................,A.........................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................+. .~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.....>A.........................s....................$.......h...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............................JA.........................s............................h...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............................]A.........................s............................h...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............................iA.........................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ . . .m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n..................s....................2.......h...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P..............................A.........................s............................h...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P..............................A.........................s....................l.......h...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P..............................A.........................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ .......(.P..............................A.........................s............................h...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P..............................A.........................s............................h...............

Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Command line argument: ;!@InstallEnd@!	0_2_013BEC4C
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Command line argument: Title	0_2_013BEC4C
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Command line argument: ExtractPathText	0_2_013BEC4C
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Command line argument: Directory	0_2_013BEC4C
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Command line argument: InstallPath	0_2_013BEC4C
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Command line argument: %%S	0_2_013BEC4C
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Command line argument: %%S	0_2_013BEC4C
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Command line argument: %%S	0_2_013BEC4C
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Command line argument: RunProgram	0_2_013BEC4C
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Command line argument: ExecuteFile	0_2_013BEC4C
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Command line argument: setup.exe	0_2_013BEC4C
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Command line argument: %%T\	0_2_013BEC4C
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Command line argument: %%T	0_2_013BEC4C
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Command line argument: ;!@InstallEnd@!	0_2_013BEC4C
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Command line argument: Title	0_2_013BEC4C
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Command line argument: ExtractPathText	0_2_013BEC4C
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Command line argument: Directory	0_2_013BEC4C
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Command line argument: InstallPath	0_2_013BEC4C
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Command line argument: %%S	0_2_013BEC4C
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Command line argument: %%S	0_2_013BEC4C
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Command line argument: %%S	0_2_013BEC4C
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Command line argument: RunProgram	0_2_013BEC4C
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Command line argument: ExecuteFile	0_2_013BEC4C
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Command line argument: setup.exe	0_2_013BEC4C
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Command line argument: %%T\	0_2_013BEC4C
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Command line argument: %%T	0_2_013BEC4C

Source: InjectToolInstaller.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\InjectToolInstaller.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\InjectToolInstaller.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: insta313tg.exe, insta313tg.exe, 00000030.00000002.604503591.000000000065F000.00000002.00000400.00020000.00000000.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: insta313tg.exe, 0000002A.00000002.470797690.0000000003C02000.00000004.00000800.00020000.00000000.sdmp, insta313tg.exe, 0000002A.00000002.470797690.00000000034EE000.00000004.00000800.00020000.00000000.sdmp, insta313tg.exe, 00000030.00000002.604503591.000000000065F000.00000002.00000400.00020000.00000000.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');

Source: insta313tg.exe

String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address

Source: C:\Users\user\Desktop\InjectToolInstaller.exe

File read: C:\Users\user\Desktop\InjectToolInstaller.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\InjectToolInstaller.exe "C:\Users\user\Desktop\InjectToolInstaller.exe"
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\7zS48C4B291\run.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\user\AppData\Local\Temp\installer.bat
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\user\AppData\Local\Temp\1.bat
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\net.exe NET FILE
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 FILE
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /C "C:\Users\user\AppData\Local\Temp\1.bat"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\net.exe NET FILE
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 FILE
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -command "Add-MpPreference -ExclusionPath "C:\Users\user\Appdata\Local" -Force"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -command "Add-MpPreference -AttackSurfaceReductionOnlyExclusions "C:\Users\user\Appdata\Local" -Force"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\data.exe C:\Users\user\AppData\Local\Temp\data.exe -p"hty6u57tfg" -d"C:\Users\user\AppData\Local\Temp\"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\7zS48C4B291\runas.vbs"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\insta313tg.exe "C:\Users\user\AppData\Local\Temp\insta313tg.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Process created: C:\Users\user\AppData\Local\Temp\insta313tg.exe "C:\Users\user\AppData\Local\Temp\insta313tg.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\7zS48C4B291\run.bat" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\user\AppData\Local\Temp\installer.bat	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\user\AppData\Local\Temp\1.bat	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\data.exe C:\Users\user\AppData\Local\Temp\data.exe -p"hty6u57tfg" -d"C:\Users\user\AppData\Local\Temp\"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\net.exe NET FILE
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /C "C:\Users\user\AppData\Local\Temp\1.bat"
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 FILE
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\net.exe NET FILE
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -command "Add-MpPreference -ExclusionPath "C:\Users\user\Appdata\Local" -Force"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -command "Add-MpPreference -AttackSurfaceReductionOnlyExclusions "C:\Users\user\Appdata\Local" -Force"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\data.exe C:\Users\user\AppData\Local\Temp\data.exe -p"hty6u57tfg" -d"C:\Users\user\AppData\Local\Temp\"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\7zS48C4B291\runas.vbs"
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 FILE
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\insta313tg.exe "C:\Users\user\AppData\Local\Temp\insta313tg.exe"
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Process created: C:\Users\user\AppData\Local\Temp\insta313tg.exe "C:\Users\user\AppData\Local\Temp\insta313tg.exe"

Source: C:\Users\user\Desktop\InjectToolInstaller.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source: InjectToolInstaller.exe

Static file information: File size 57739400 > 1048576

Source: InjectToolInstaller.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: InjectToolInstaller.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: InjectToolInstaller.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: InjectToolInstaller.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: InjectToolInstaller.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: InjectToolInstaller.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: InjectToolInstaller.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: InjectToolInstaller.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: insta313tg.exe, 0000002A.00000002.471726274.0000000004CB0000.00000004.08000000.00040000.00000000.sdmp, insta313tg.exe, 0000002A.00000002.470471234.0000000002682000.00000004.00000800.00020000.00000000.sdmp, insta313tg.exe, 0000002A.00000002.470797690.00000000034EE000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: insta313tg.exe, 0000002A.00000002.471726274.0000000004CB0000.00000004.08000000.00040000.00000000.sdmp, insta313tg.exe, 0000002A.00000002.470471234.0000000002682000.00000004.00000800.00020000.00000000.sdmp, insta313tg.exe, 0000002A.00000002.470797690.00000000034EE000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\git-sdk-64\usr\src\MSYS2-packages\p7zip\src\p7zip_16.02.bup\CPP\7zip\Bundles\SFXSetup\ReleaseD\7zSD.pdb source: InjectToolInstaller.exe
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: insta313tg.exe, 0000002A.00000002.471586467.0000000004860000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar64\Release\sfxrar.pdb source: data.exe, 00000018.00000002.449019686.000000013F2CC000.00000002.00000001.01000000.00000006.sdmp, data.exe, 00000018.00000000.406984919.000000013F2CC000.00000002.00000001.01000000.00000006.sdmp, data.dat.2.dr
Source:	Binary string: protobuf-net.pdb source: insta313tg.exe, 0000002A.00000002.471586467.0000000004860000.00000004.08000000.00040000.00000000.sdmp

Source: InjectToolInstaller.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: InjectToolInstaller.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: InjectToolInstaller.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: InjectToolInstaller.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: InjectToolInstaller.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

.NET source code contains potential unpacker

Source: 42.2.insta313tg.exe.37f2788.5.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 42.2.insta313tg.exe.37f2788.5.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 42.2.insta313tg.exe.37f2788.5.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties
Source: 42.2.insta313tg.exe.4860000.6.raw.unpack, TypeModel.cs	.Net Code: TryDeserializeList
Source: 42.2.insta313tg.exe.4860000.6.raw.unpack, ListDecorator.cs	.Net Code: Read
Source: 42.2.insta313tg.exe.4860000.6.raw.unpack, TypeSerializer.cs	.Net Code: CreateInstance
Source: 42.2.insta313tg.exe.4860000.6.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateInstance
Source: 42.2.insta313tg.exe.4860000.6.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateIfNull
Source: 42.2.insta313tg.exe.4cb0000.7.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 42.2.insta313tg.exe.4cb0000.7.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 42.2.insta313tg.exe.4cb0000.7.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties

Yara detected Costura Assembly Loader

Source: Yara match	File source: 42.2.insta313tg.exe.3843ef0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 42.2.insta313tg.exe.57d0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000002A.00000002.470797690.0000000003842000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000002.472107089.00000000057D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000002.470471234.000000000254E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: insta313tg.exe PID: 2604, type: MEMORYSTR

Contains functionality to dynamically determine API calls

Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe

Code function: 48_2_0058C7F0 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,

48_2_0058C7F0

File is packed with WinRar

Source: C:\Users\user\AppData\Local\Temp\data.exe

File created: C:\Users\user\AppData\Local\Temp\__tmp_rar_sfx_access_check_6427428

PE file contains sections with non-standard names

Source: data.dat.0.dr	Static PE information: section name: .didat
Source: data.dat.0.dr	Static PE information: section name: _RDATA
Source: data.dat.2.dr	Static PE information: section name: .didat
Source: data.dat.2.dr	Static PE information: section name: _RDATA

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013BFD76 push ecx; ret	0_2_013BFD89
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013BFF28 push ecx; ret	0_2_013BFF3B
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_043F2BC3 push eax; iretd	42_2_043F2BCD
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_049F8416 push dword ptr [ebx+esi-75h]; iretd	42_2_049F841D
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_049F8F24 push es; retf	42_2_049F8F27
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_04A01023 push ecx; ret	42_2_04A01024
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_04A0121E pushfd ; ret	42_2_04A0121F
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_04C600D4 push esp; iretd	42_2_04C600D9
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_04DF3E7A push ebx; ret	42_2_04DF3E81
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_04DF3277 push esi; iretd	42_2_04DF327E
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0062FA97 push ecx; ret	48_2_0062FAAA

Persistence and Installation Behavior

Command shell drops VBS files

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Local\Temp\7zS48C4B291\runas.vbs

Installs new ROOT certificates

Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob

Drops PE files

Source: C:\Users\user\AppData\Local\Temp\data.exe	File created: C:\Users\user\AppData\Local\Temp\21.mp3	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\data.dat	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\data.exe (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	File created: C:\Users\user\AppData\Local\Temp\7zS48C4B291\data.dat	Jump to dropped file

Drops files with a non-matching file extension (content does not match file extension)

Source: C:\Users\user\AppData\Local\Temp\data.exe

File created: C:\Users\user\AppData\Local\Temp\21.mp3

Jump to dropped file

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe

Code function: 48_2_005D55B0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

48_2_005D55B0

Stores large binary data to the registry

Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob

Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\net.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\net.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\net.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\net.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\net.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\net.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe

Sandbox detection routine: GetCursorPos, DecisionNode, Sleep

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe

Evasive API call chain: GetPEB, DecisionNodes, Sleep

Found stalling execution ending in API Sleep call

Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe

Stalling execution: Execution stalls by calling Sleep

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: insta313tg.exe, 0000002A.00000002.470471234.0000000002682000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: insta313tg.exe, 0000002A.00000002.470471234.000000000254E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: EXPLORER9SBIEDLL.DLL:SELECT * FROM WIN32_BIOS8UNEXPECTED WMI QUERY FAILURE;VERSION<SERIALNUMBER>VMWARE\|VIRTUAL\|A M I\|XEN?SELECT * FROM WIN32_COMPUTERSYSTEM@MANUFACTURERAMODELBMICROSOFT\|VMWARE\|VIRTUALCJOHNDANNAEXXXXXXXX

Uses ping.exe to sleep

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Memory allocated: 510000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Memory allocated: 2380000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Memory allocated: 21E0000 memory reserve \| memory write watch

Contains functionality to detect sandboxes (mouse cursor move detection)

Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe

Code function: GetCursorPos,GetCursorPos,GetCursorPos,Sleep,GetCursorPos,Sleep,GetCursorPos,

48_2_005B3A40

Contains long sleeps (>= 3 min)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Thread delayed: delay time: 922337203685477

Found WSH timer for Javascript or VBS script (likely evasive script)

Source: C:\Windows\SysWOW64\wscript.exe

Window found: window name: WSH-Timer

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5104
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1688
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1570
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3694
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Window / User API: threadDelayed 370

Found evasive API chain (date check)

Source: C:\Users\user\AppData\Local\Temp\data.exe	Evasive API call chain: GetLocalTime,DecisionNodes
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3644	Thread sleep count: 5104 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3628	Thread sleep count: 1688 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3688	Thread sleep time: -120000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3692	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3664	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3764	Thread sleep count: 1570 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3764	Thread sleep count: 3694 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3812	Thread sleep time: -120000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3820	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3740	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe TID: 3560	Thread sleep count: 370 > 30
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe TID: 3620	Thread sleep time: -120000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe TID: 3620	Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe TID: 3572	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe TID: 3616	Thread sleep count: 51 > 30
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe TID: 1384	Thread sleep time: -60000s >= -30000s

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_BIOS

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_ComputerSystem

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe

Last function: Thread delayed

Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)

Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe

Code function: 48_2_005B7D40 GetKeyboardLayoutList followed by cmp: cmp eax, 2eh and CTI: jc 005B7D50h country: Upper Sorbian (hsb)

48_2_005B7D40

Uses the system / local time for branch decision (may execute only at specific dates)

Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe

Code function: 48_2_005E4670 GetSystemTime followed by cmp: cmp eax, 04h and CTI: jc 005E46C1h

48_2_005E4670

Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013AABAF FindFirstFileA,FindFirstFileW,	0_2_013AABAF
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013E783F FindFirstFileExA,	0_2_013E783F
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013E7AF7 FindFirstFileExW,FindClose,FindNextFileW,	0_2_013E7AF7
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013E7CAD FindFirstFileExA,	0_2_013E7CAD
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013E7CD8 FindFirstFileExW,	0_2_013E7CD8
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F29DDB0 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	24_2_000000013F29DDB0
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F2C4150 FindFirstFileExA,	24_2_000000013F2C4150
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F2B3000 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,swprintf,SetDlgItemTextW,FindClose,swprintf,SetDlgItemTextW,SendDlgItemMessageW,swprintf,SetDlgItemTextW,swprintf,SetDlgItemTextW,	24_2_000000013F2B3000
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0055E150 CreateDirectoryA,CreateDirectoryA,FindFirstFileA,GetLastError,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,SHGetFolderPathA,GetFileAttributesA,GetFileAttributesA,GetLastError,GetLastError,__Mtx_unlock,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,CreateDirectoryA,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,GetFileAttributesA,GetFileAttributesA,GetLastError,__Mtx_unlock,GetFileAttributesA,__Mtx_unlock,CreateDirectoryA,GetFileAttributesA,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,CreateDirectoryA,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,CreateDirectoryA,__Mtx_unlock,	48_2_0055E150
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0058E2D0 SHGetFolderPathA,GetFileAttributesA,GetFileAttributesA,GetLastError,GetLastError,__Mtx_unlock,GetFileAttributesA,GetLastError,__Mtx_unlock,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CopyFileA,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,CreateDirectoryA,CopyFileA,CopyFileA,__Mtx_unlock,__Mtx_unlock,	48_2_0058E2D0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0055A750 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,__Mtx_unlock,	48_2_0055A750
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_00570D83 FindFirstFileA,FindNextFileA,GetLastError,FindClose,	48_2_00570D83
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0062D997 FindClose,FindFirstFileExW,GetLastError,	48_2_0062D997
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0064CD90 FindFirstFileExW,	48_2_0064CD90

Source: C:\Users\user\Desktop\InjectToolInstaller.exe

Code function: 0_2_013AAEC5 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z,__EH_prolog3,GetLogicalDriveStringsA,GetLogicalDriveStringsA,GetLogicalDriveStringsW,GetLogicalDriveStringsW,

0_2_013AAEC5

Source: C:\Users\user\AppData\Local\Temp\data.exe

Code function: 24_2_000000013F2B5F78 VirtualQuery,GetSystemInfo,

24_2_000000013F2B5F78

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\InjectToolInstaller.exe	File opened: C:\Users\user\AppData\Local\Temp\7zS48C4B291\node_modules\@isaacs\cliui	Jump to behavior
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	File opened: C:\Users\user\AppData\Local\Temp\7zS48C4B291\node_modules\@isaacs\cliui\node_modules	Jump to behavior
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	File opened: C:\Users\user\AppData\Local\Temp\7zS48C4B291\node_modules\@isaacs\cliui\build	Jump to behavior
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	File opened: C:\Users\user\AppData\Local\Temp\7zS48C4B291\node_modules\@isaacs\cliui\build\lib	Jump to behavior
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	File opened: C:\Users\user\AppData\Local\Temp\7zS48C4B291\node_modules\@isaacs\cliui\node_modules\emoji-regex	Jump to behavior
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	File opened: C:\Users\user\AppData\Local\Temp\7zS48C4B291\node_modules\@isaacs\cliui\node_modules\ansi-regex	Jump to behavior

Source: InjectToolInstaller.exe	Binary or memory string: HGFs"
Source: insta313tg.exe, 0000002A.00000002.470471234.000000000254E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: explorer9SbieDll.dll:select * from Win32_BIOS8Unexpected WMI query failure;version<SerialNumber>VMware\|VIRTUAL\|A M I\|Xen?select * from Win32_ComputerSystem@manufacturerAmodelBMicrosoft\|VMWare\|VirtualCjohnDannaExxxxxxxx
Source: insta313tg.exe, 0000002A.00000002.470471234.0000000002682000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: crosoft\|VMWare\|Virtual
Source: insta313tg.exe, 0000002A.00000002.470471234.0000000002682000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: insta313tg.exe, 0000002A.00000002.470471234.0000000002682000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware\|VIRTUAL\|A M I\|Xen
Source: insta313tg.exe, 0000002A.00000002.470471234.0000000002682000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Microsoft\|VMWare\|Virtual
Source: insta313tg.exe, 0000002A.00000002.470471234.0000000002682000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: p 1:en-US:VMware\|VIRTUAL\|A M I\|Xen
Source: insta313tg.exe, 0000002A.00000002.470471234.0000000002682000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWareLR
Source: insta313tg.exe, 0000002A.00000002.470471234.0000000002682000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: p 1:en-US:Microsoft\|VMWare\|Virtual

Source: C:\Users\user\AppData\Local\Temp\data.exe

API call chain: ExitProcess graph end node

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe

Code function: 42_2_04A041A8 CheckRemoteDebuggerPresent,

42_2_04A041A8

Checks if the current process is being debugged

Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Process queried: DebugPort

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\InjectToolInstaller.exe

Code function: 0_2_013C0C8C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_013C0C8C

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe

Code function: 48_2_005B4577 CreateThread,CloseHandle,Sleep,GetTempPathA,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,SetCurrentDirectoryA,CreateMutexA,GetLastError,Sleep,Sleep,Sleep,shutdown,closesocket,WSACleanup,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,Sleep,Sleep,Sleep,GetModuleHandleA,GetProcAddress,GetCurrentProcess,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,CreateThread,CreateThread,CreateThread,FreeLibrary,WaitForSingleObject,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,WaitForSingleObject,WaitForSingleObject,CloseHandle,OutputDebugStringA,CreateMutexA,GetLastError,Sleep,Sleep,Sleep,Sleep,Sleep,shutdown,closesocket,Sleep,

48_2_005B4577

Contains functionality to dynamically determine API calls

Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe

Code function: 48_2_0058C7F0 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,

48_2_0058C7F0

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013CF82F mov eax, dword ptr fs:[00000030h]	0_2_013CF82F
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013CF8BD mov eax, dword ptr fs:[00000030h]	0_2_013CF8BD
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0056C155 mov eax, dword ptr fs:[00000030h]	48_2_0056C155
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005B4577 mov eax, dword ptr fs:[00000030h]	48_2_005B4577
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005B4577 mov ecx, dword ptr fs:[00000030h]	48_2_005B4577
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005B4577 mov eax, dword ptr fs:[00000030h]	48_2_005B4577
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005B4577 mov eax, dword ptr fs:[00000030h]	48_2_005B4577
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005B4577 mov eax, dword ptr fs:[00000030h]	48_2_005B4577
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005B4577 mov eax, dword ptr fs:[00000030h]	48_2_005B4577
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005B4577 mov eax, dword ptr fs:[00000030h]	48_2_005B4577
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005B4577 mov eax, dword ptr fs:[00000030h]	48_2_005B4577
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005B4577 mov eax, dword ptr fs:[00000030h]	48_2_005B4577
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005B4577 mov eax, dword ptr fs:[00000030h]	48_2_005B4577
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005B4577 mov eax, dword ptr fs:[00000030h]	48_2_005B4577
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005B4577 mov eax, dword ptr fs:[00000030h]	48_2_005B4577
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005B4577 mov eax, dword ptr fs:[00000030h]	48_2_005B4577
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005B4577 mov eax, dword ptr fs:[00000030h]	48_2_005B4577
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005B4577 mov eax, dword ptr fs:[00000030h]	48_2_005B4577
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005B4577 mov eax, dword ptr fs:[00000030h]	48_2_005B4577
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005B4577 mov eax, dword ptr fs:[00000030h]	48_2_005B4577
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005B4577 mov eax, dword ptr fs:[00000030h]	48_2_005B4577
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0058D910 mov eax, dword ptr fs:[00000030h]	48_2_0058D910
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005B3A40 mov eax, dword ptr fs:[00000030h]	48_2_005B3A40
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005B3A40 mov eax, dword ptr fs:[00000030h]	48_2_005B3A40
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005B3E4B mov eax, dword ptr fs:[00000030h]	48_2_005B3E4B
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005B3E4B mov eax, dword ptr fs:[00000030h]	48_2_005B3E4B
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005B3E4B mov eax, dword ptr fs:[00000030h]	48_2_005B3E4B
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005B3E4B mov eax, dword ptr fs:[00000030h]	48_2_005B3E4B
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_00570010 mov eax, dword ptr fs:[00000030h]	48_2_00570010
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_00564280 mov eax, dword ptr fs:[00000030h]	48_2_00564280
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0056C155 mov eax, dword ptr fs:[00000030h]	48_2_0056C155
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005B4638 mov eax, dword ptr fs:[00000030h]	48_2_005B4638
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005648E0 mov eax, dword ptr fs:[00000030h]	48_2_005648E0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005648E0 mov eax, dword ptr fs:[00000030h]	48_2_005648E0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005648E0 mov eax, dword ptr fs:[00000030h]	48_2_005648E0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005648E0 mov eax, dword ptr fs:[00000030h]	48_2_005648E0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005648E0 mov eax, dword ptr fs:[00000030h]	48_2_005648E0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005648E0 mov eax, dword ptr fs:[00000030h]	48_2_005648E0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005648E0 mov eax, dword ptr fs:[00000030h]	48_2_005648E0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005648E0 mov eax, dword ptr fs:[00000030h]	48_2_005648E0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005648E0 mov eax, dword ptr fs:[00000030h]	48_2_005648E0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005648E0 mov eax, dword ptr fs:[00000030h]	48_2_005648E0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005648E0 mov eax, dword ptr fs:[00000030h]	48_2_005648E0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005648E0 mov eax, dword ptr fs:[00000030h]	48_2_005648E0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0056C155 mov eax, dword ptr fs:[00000030h]	48_2_0056C155
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_00564DC9 mov eax, dword ptr fs:[00000030h]	48_2_00564DC9
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005B4EC8 mov eax, dword ptr fs:[00000030h]	48_2_005B4EC8
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0056C155 mov eax, dword ptr fs:[00000030h]	48_2_0056C155
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_00565498 mov eax, dword ptr fs:[00000030h]	48_2_00565498
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0056C155 mov eax, dword ptr fs:[00000030h]	48_2_0056C155
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005657B8 mov eax, dword ptr fs:[00000030h]	48_2_005657B8
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005B57A3 mov eax, dword ptr fs:[00000030h]	48_2_005B57A3
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005B59E5 mov eax, dword ptr fs:[00000030h]	48_2_005B59E5
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_00565A10 mov ecx, dword ptr fs:[00000030h]	48_2_00565A10

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\InjectToolInstaller.exe

Code function: 0_2_013ED3E1 GetProcessHeap,

0_2_013ED3E1

Enables debug privileges

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013C0E21 SetUnhandledExceptionFilter,	0_2_013C0E21
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013C00D5 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_013C00D5
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013C0C8C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_013C0C8C
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013E4F8A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_013E4F8A
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F2B6FF0 SetUnhandledExceptionFilter,_invalid_parameter_noinfo,	24_2_000000013F2B6FF0
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F2B756C SetUnhandledExceptionFilter,	24_2_000000013F2B756C
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F2B7388 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	24_2_000000013F2B7388
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F2BBB94 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	24_2_000000013F2BBB94
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F2B6894 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	24_2_000000013F2B6894
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0063006D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	48_2_0063006D
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_006345A4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	48_2_006345A4
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0062FCC4 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	48_2_0062FCC4

Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -command "Add-MpPreference -ExclusionPath "C:\Users\user\Appdata\Local" -Force"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -command "Add-MpPreference -ExclusionPath "C:\Users\user\Appdata\Local" -Force"

Contains functionality to inject threads in other processes

Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe

Code function: 48_2_00569F50 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject,

48_2_00569F50

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe

Memory written: C:\Users\user\AppData\Local\Temp\insta313tg.exe base: 550000 value starts with: 4D5A

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\7zS48C4B291\run.bat" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\user\AppData\Local\Temp\installer.bat	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\user\AppData\Local\Temp\1.bat	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\data.exe C:\Users\user\AppData\Local\Temp\data.exe -p"hty6u57tfg" -d"C:\Users\user\AppData\Local\Temp\"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\net.exe NET FILE
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /C "C:\Users\user\AppData\Local\Temp\1.bat"
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 FILE
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\net.exe NET FILE
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -command "Add-MpPreference -ExclusionPath "C:\Users\user\Appdata\Local" -Force"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -command "Add-MpPreference -AttackSurfaceReductionOnlyExclusions "C:\Users\user\Appdata\Local" -Force"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\data.exe C:\Users\user\AppData\Local\Temp\data.exe -p"hty6u57tfg" -d"C:\Users\user\AppData\Local\Temp\"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\7zS48C4B291\runas.vbs"
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 FILE
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\insta313tg.exe "C:\Users\user\AppData\Local\Temp\insta313tg.exe"
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Process created: C:\Users\user\AppData\Local\Temp\insta313tg.exe "C:\Users\user\AppData\Local\Temp\insta313tg.exe"

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\InjectToolInstaller.exe

Code function: 0_2_013C0EDF cpuid

0_2_013C0EDF

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: GetLocaleInfoW,	0_2_013E65D4
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: IsValidCodePage,GetLocaleInfoW,	0_2_013EC7DC
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: EnumSystemLocalesW,	0_2_013ECB58
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_013ECBE5
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: EnumSystemLocalesW,	0_2_013ECA54
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: EnumSystemLocalesW,	0_2_013ECABD
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_013ECF5E
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: GetLocaleInfoW,	0_2_013ECE35
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_013ED132
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: GetLocaleInfoW,	0_2_013ED065
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: EnumSystemLocalesW,	0_2_013E5B84
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: EnumSystemLocalesW,	0_2_013E5CA0
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: EnumSystemLocalesW,	0_2_013E5CEC
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: EnumSystemLocalesW,	0_2_013E5CE4
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: GetLocaleInfoW,GetNumberFormatW,	24_2_000000013F2B18DC
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey,	48_2_0055C430
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: EnumSystemLocalesW,	48_2_0065004D
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	48_2_006500D8
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: GetLocaleInfoW,	48_2_0065032B
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	48_2_00650454
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: GetLocaleInfoW,	48_2_0065055A
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	48_2_00650630
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: EnumSystemLocalesW,	48_2_00646F4A
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: GetLocaleInfoW,	48_2_006474CE
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: GetLocaleInfoEx,FormatMessageA,	48_2_0062D793
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	48_2_0064FCBB
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: GetLocaleInfoW,	48_2_0064FEC0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: EnumSystemLocalesW,	48_2_0064FF67
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: EnumSystemLocalesW,	48_2_0064FFB2

Queries information about the installed CPU (vendor, model number etc)

Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\1.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.TroubleshootingPack\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.TroubleshootingPack.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\Microsoft.Windows.Diagnosis.SDEngine\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.SDEngine.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\1.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.TroubleshootingPack\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.TroubleshootingPack.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\Microsoft.Windows.Diagnosis.SDEngine\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.SDEngine.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\insta313tg.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\InjectToolInstaller.exe

Code function: 0_2_013E663E GetSystemTimeAsFileTime,

0_2_013E663E

Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe

48_2_00596230

Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe

48_2_0055C430

Source: C:\Users\user\Desktop\InjectToolInstaller.exe

Code function: 0_2_013BEC4C __EH_prolog3_GS,GetVersionExA,GetCommandLineW,MessageBoxW,MessageBoxW,MessageBoxW,MessageBoxW,ShellExecuteExA,CreateProcessA,CloseHandle,WaitForSingleObject,CloseHandle,

0_2_013BEC4C

Source: C:\Windows\SysWOW64\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Yara detected PureLog Stealer

Source: Yara match	File source: 42.2.insta313tg.exe.5120000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 42.2.insta313tg.exe.5120000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000002A.00000002.471803561.0000000005120000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\logins.json
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad\CURRENT
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb\CURRENT
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_blnieiiffboillknjnepogjhkgnoapac_0.indexeddb.leveldb\CURRENT
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad\CURRENT
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb\CURRENT
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\signons.sqlite
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid\CURRENT
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\places.sqlite
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_cjelfplplebdjjenllpjcblmjkfcffne_0.indexeddb.leveldb\CURRENT
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid\CURRENT
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\formhistory.sqlite
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003

Shows file infection / information gathering behavior (enumerates multiple directory for files)

Source: C:\Windows\SysWOW64\cmd.exe	Directory queried: number of queries: 1617
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Directory queried: number of queries: 1043

Remote Access Functionality

Yara detected PureLog Stealer

Source: Yara match	File source: 42.2.insta313tg.exe.5120000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 42.2.insta313tg.exe.5120000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000002A.00000002.471803561.0000000005120000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
34.117.186.192	ipinfo.io	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
116.203.183.140	unknown	Germany	24940	HETZNER-ASDE	true
104.26.4.15	db-ip.com	United States	13335	CLOUDFLARENETUS	false
5.161.74.235	wprogs.top	Germany	24940	HETZNER-ASDE	false

Private

IP
127.0.0.1

Contacted Domains

Name	IP	Active
wprogs.top	5.161.74.235	true
ipinfo.io	34.117.186.192	true
db-ip.com	104.26.4.15	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://db-ip.com/demo/home.php?s=102.165.48.43	false		high

AV Detection

Antivirus detection for URL or domain

Source: https://wprogs.top/wefrgdf/bndwaf.exe	Avira URL Cloud: Label: malware
Source: https://wprogs.top:80/wefrgdf/bndwaf.exe	Avira URL Cloud: Label: malware
Source: https://wprogs.top/wefrgdf/bndwaf.exe#	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\21.mp3

Avira: detection malicious, Label: HEUR/AGEN.1332199

Multi AV Scanner detection for domain / URL

Source: wprogs.top

Virustotal: Detection: 20%

Perma Link

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F2A37E8 GetProcAddress,GetProcAddress,CryptProtectMemory,CryptUnprotectMemory,GetCurrentProcessId,		24_2_000000013F2A37E8
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_00570420 RegQueryValueExA,RegCloseKey,CryptUnprotectData,CryptUnprotectData,LocalFree,		48_2_00570420

Uses 32bit PE files

Source: InjectToolInstaller.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.22:49168 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.22:49169 version: TLS 1.0

Source: InjectToolInstaller.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: insta313tg.exe, 0000002A.00000002.471726274.0000000004CB0000.00000004.08000000.00040000.00000000.sdmp, insta313tg.exe, 0000002A.00000002.470471234.0000000002682000.00000004.00000800.00020000.00000000.sdmp, insta313tg.exe, 0000002A.00000002.470797690.00000000034EE000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: insta313tg.exe, 0000002A.00000002.471726274.0000000004CB0000.00000004.08000000.00040000.00000000.sdmp, insta313tg.exe, 0000002A.00000002.470471234.0000000002682000.00000004.00000800.00020000.00000000.sdmp, insta313tg.exe, 0000002A.00000002.470797690.00000000034EE000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\git-sdk-64\usr\src\MSYS2-packages\p7zip\src\p7zip_16.02.bup\CPP\7zip\Bundles\SFXSetup\ReleaseD\7zSD.pdb source: InjectToolInstaller.exe
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: insta313tg.exe, 0000002A.00000002.471586467.0000000004860000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar64\Release\sfxrar.pdb source: data.exe, 00000018.00000002.449019686.000000013F2CC000.00000002.00000001.01000000.00000006.sdmp, data.exe, 00000018.00000000.406984919.000000013F2CC000.00000002.00000001.01000000.00000006.sdmp, data.dat.2.dr
Source:	Binary string: protobuf-net.pdb source: insta313tg.exe, 0000002A.00000002.471586467.0000000004860000.00000004.08000000.00040000.00000000.sdmp

Shows file infection / information gathering behavior (enumerates multiple directory for files)

Source: C:\Windows\SysWOW64\cmd.exe	Directory queried: number of queries: 1617
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Directory queried: number of queries: 1043

Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013AABAF FindFirstFileA,FindFirstFileW,	0_2_013AABAF
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013E783F FindFirstFileExA,	0_2_013E783F
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013E7AF7 FindFirstFileExW,FindClose,FindNextFileW,	0_2_013E7AF7
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013E7CAD FindFirstFileExA,	0_2_013E7CAD
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013E7CD8 FindFirstFileExW,	0_2_013E7CD8
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F29DDB0 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	24_2_000000013F29DDB0
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F2C4150 FindFirstFileExA,	24_2_000000013F2C4150
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F2B3000 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,swprintf,SetDlgItemTextW,FindClose,swprintf,SetDlgItemTextW,SendDlgItemMessageW,swprintf,SetDlgItemTextW,swprintf,SetDlgItemTextW,	24_2_000000013F2B3000
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0055E150 CreateDirectoryA,CreateDirectoryA,FindFirstFileA,GetLastError,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,SHGetFolderPathA,GetFileAttributesA,GetFileAttributesA,GetLastError,GetLastError,__Mtx_unlock,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,CreateDirectoryA,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,GetFileAttributesA,GetFileAttributesA,GetLastError,__Mtx_unlock,GetFileAttributesA,__Mtx_unlock,CreateDirectoryA,GetFileAttributesA,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,CreateDirectoryA,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,CreateDirectoryA,__Mtx_unlock,	48_2_0055E150
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0058E2D0 SHGetFolderPathA,GetFileAttributesA,GetFileAttributesA,GetLastError,GetLastError,__Mtx_unlock,GetFileAttributesA,GetLastError,__Mtx_unlock,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CopyFileA,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,CreateDirectoryA,CopyFileA,CopyFileA,__Mtx_unlock,__Mtx_unlock,	48_2_0058E2D0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0055A750 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,__Mtx_unlock,	48_2_0055A750
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_00570D83 FindFirstFileA,FindNextFileA,GetLastError,FindClose,	48_2_00570D83
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0062D997 FindClose,FindFirstFileExW,GetLastError,	48_2_0062D997
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0064CD90 FindFirstFileExW,	48_2_0064CD90

Source: C:\Users\user\Desktop\InjectToolInstaller.exe

Code function: 0_2_013AAEC5 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z,__EH_prolog3,GetLogicalDriveStringsA,GetLogicalDriveStringsA,GetLogicalDriveStringsW,GetLogicalDriveStringsW,

0_2_013AAEC5

Source: C:\Users\user\Desktop\InjectToolInstaller.exe	File opened: C:\Users\user\AppData\Local\Temp\7zS48C4B291\node_modules\@isaacs\cliui	Jump to behavior
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	File opened: C:\Users\user\AppData\Local\Temp\7zS48C4B291\node_modules\@isaacs\cliui\node_modules	Jump to behavior
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	File opened: C:\Users\user\AppData\Local\Temp\7zS48C4B291\node_modules\@isaacs\cliui\build	Jump to behavior
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	File opened: C:\Users\user\AppData\Local\Temp\7zS48C4B291\node_modules\@isaacs\cliui\build\lib	Jump to behavior
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	File opened: C:\Users\user\AppData\Local\Temp\7zS48C4B291\node_modules\@isaacs\cliui\node_modules\emoji-regex	Jump to behavior
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	File opened: C:\Users\user\AppData\Local\Temp\7zS48C4B291\node_modules\@isaacs\cliui\node_modules\ansi-regex	Jump to behavior

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 4x nop then jmp 049FDED9h	42_2_049FDE78
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	42_2_04A041A8
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 4x nop then jmp 04A0A805h	42_2_04A0A631
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 4x nop then jmp 04A0A805h	42_2_04A0A640
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 4x nop then jmp 04A0A805h	42_2_04A0A7C5
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	42_2_04A041A0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 4x nop then jmp 04A0A805h	42_2_04A0A9B8
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	42_2_04DFD950

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2049060 ET TROJAN RisePro TCP Heartbeat Packet 192.168.2.22:49167 -> 116.203.183.140:54151
Source: Traffic	Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 116.203.183.140:54151 -> 192.168.2.22:49167

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 116.203.183.140:54151

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 34.117.186.192 34.117.186.192
Source: Joe Sandbox View	IP Address: 34.117.186.192 34.117.186.192
Source: Joe Sandbox View	IP Address: 104.26.4.15 104.26.4.15

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: HETZNER-ASDE HETZNER-ASDE

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d

May check the online IP address of the machine

Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	DNS query: name: ipinfo.io
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	DNS query: name: ipinfo.io
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	DNS query: name: ipinfo.io
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	DNS query: name: ipinfo.io

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /widget/demo/102.165.48.43 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=102.165.48.43 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: db-ip.com

Uses insecure TLS / SSL version for HTTPS connection

Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.22:49168 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.22:49169 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140

Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe

48_2_005D5240

Source: global traffic	HTTP traffic detected: GET /widget/demo/102.165.48.43 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=102.165.48.43 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: db-ip.com

Source: insta313tg.exe, 00000030.00000002.604627485.0000000000AD4000.00000004.00000020.00020000.00000000.sdmp

String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Source: unknown

DNS traffic detected: queries for: ipinfo.io

Source: package.json44.0.dr, package.json69.0.dr, package.json14.0.dr, package.json97.0.dr, package.json110.0.dr, package.json38.0.dr, package.json94.0.dr, package.json2.0.dr	String found in binary or memory: http://blog.izs.me/)
Source: 21.mp3.24.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: 21.mp3.24.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: 21.mp3.24.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: 21.mp3.24.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: diff.js0.0.dr, dmp.js.0.dr	String found in binary or memory: http://code.google.com/p/google-diff-match-patch/wiki/API
Source: insta313tg.exe, 00000030.00000002.604627485.0000000000AD4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: insta313tg.exe, 00000030.00000002.604627485.0000000000AD4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: insta313tg.exe, 00000030.00000002.604627485.0000000000AD4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: insta313tg.exe, 00000030.00000002.604627485.0000000000AD4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: insta313tg.exe, 00000030.00000002.604627485.0000000000AD4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: insta313tg.exe, 00000030.00000002.604627485.0000000000AD4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: insta313tg.exe, 00000030.00000002.604627485.0000000000AD4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: 21.mp3.24.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: 21.mp3.24.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: 21.mp3.24.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: 21.mp3.24.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: 21.mp3.24.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: 21.mp3.24.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: 21.mp3.24.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: sbom-cyclonedx.js.0.dr	String found in binary or memory: http://cyclonedx.org/schema/bom-1.5.schema.json
Source: conversions.js.0.dr	String found in binary or memory: http://dev.w3.org/csswg/css-color/#hwb-to-rgb
Source: package.json10.0.dr	String found in binary or memory: http://flipjs.io/)
Source: package.json137.0.dr	String found in binary or memory: http://github.com/DABH/colors.js.git
Source: imurmurhash.min.js.0.dr	String found in binary or memory: http://github.com/garycourt/murmurhash-js
Source: imurmurhash.min.js.0.dr	String found in binary or memory: http://github.com/homebrewing/brauhaus-diff
Source: CONTRIBUTING.md0.0.dr	String found in binary or memory: http://github.com/kpdecker/jsdiff/issues
Source: CONTRIBUTING.md0.0.dr	String found in binary or memory: http://github.com/kpdecker/jsdiff/issues).
Source: index.mjs0.0.dr, index.cjs0.0.dr, index.mjs.0.dr	String found in binary or memory: http://jsonpatch.com
Source: route.js.0.dr	String found in binary or memory: http://jsperf.com/1-vs-infinity
Source: package.json147.0.dr	String found in binary or memory: http://n8.io/
Source: package.json145.0.dr	String found in binary or memory: http://n8.io/)
Source: npm-audit.md.0.dr	String found in binary or memory: http://npm.im/
Source: npm-init.md.0.dr	String found in binary or memory: http://npm.im/init-package-json)
Source: insta313tg.exe, 00000030.00000002.604627485.0000000000AD4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: insta313tg.exe, 00000030.00000002.604627485.0000000000AD4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: insta313tg.exe, 00000030.00000002.604627485.0000000000AD4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: insta313tg.exe, 00000030.00000002.604627485.0000000000AD4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: insta313tg.exe, 00000030.00000002.604627485.0000000000AD4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: 21.mp3.24.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: 21.mp3.24.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: 21.mp3.24.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: 21.mp3.24.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: insta313tg.exe, 00000030.00000002.604627485.0000000000AD4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: insta313tg.exe, 00000030.00000002.604627485.0000000000AD4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: insta313tg.exe, 0000002A.00000002.470471234.0000000002682000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: package.json42.0.dr	String found in binary or memory: http://shannonmoeller.com)
Source: imurmurhash.min.js.0.dr	String found in binary or memory: http://sites.google.com/site/murmurhash/
Source: browser.js2.0.dr	String found in binary or memory: http://stackoverflow.com/a/16459606/376773
Source: browser.js2.0.dr	String found in binary or memory: http://stackoverflow.com/a/398120/376773
Source: CONTRIBUTING.md0.0.dr	String found in binary or memory: http://tbaggery.com/2008/04/19/a-note-about-git-commit-messages.html)
Source: LICENSE65.0.dr	String found in binary or memory: http://www.cl.cam.ac.uk/~mgk25/ucs/wcwidth.c).
Source: insta313tg.exe, 00000030.00000002.604627485.0000000000AD4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: 21.mp3.24.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: insta313tg.exe, 00000030.00000002.604627485.0000000000AD4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: escape.js1.0.dr	String found in binary or memory: http://www.robvanderwoude.com/escapechars.php
Source: insta313tg.exe, 0000002A.00000002.470797690.0000000003C02000.00000004.00000800.00020000.00000000.sdmp, insta313tg.exe, 0000002A.00000002.470797690.00000000034EE000.00000004.00000800.00020000.00000000.sdmp, insta313tg.exe, 00000030.00000002.604503591.000000000065F000.00000002.00000400.00020000.00000000.sdmp	String found in binary or memory: http://www.winimage.com/zLibDll
Source: npm-install.md.0.dr	String found in binary or memory: https://bitbucket.org/bitbucketname/bitbucketrepo
Source: npm-start.md.0.dr	String found in binary or memory: https://blog.npmjs.org/post/98131109725/npm-2-0-0)
Source: LICENSE.md11.0.dr	String found in binary or memory: https://blueoakcouncil.org/license/1.0.0
Source: insta313tg.exe, 00000030.00000002.604627485.0000000000AA4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/demo/home.php?s=102.165.48.43
Source: insta313tg.exe, 00000030.00000002.604627485.0000000000B34000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/demo/home.php?s=102.165.48.43=OW
Source: browser.js2.0.dr	String found in binary or memory: https://developer.mozilla.org/en-US/docs/Tools/Web_Console#Styling_messages
Source: npm-team.md.0.dr	String found in binary or memory: https://docs.npmjs.com/about-developers-team
Source: init.js.0.dr	String found in binary or memory: https://docs.npmjs.com/cli/commands/npx
Source: npm.md.0.dr	String found in binary or memory: https://docs.npmjs.com/policies/terms.
Source: npm-unpublish.md.0.dr	String found in binary or memory: https://docs.npmjs.com/policies/unpublish
Source: package.json33.0.dr	String found in binary or memory: https://feross.org
Source: package.json33.0.dr	String found in binary or memory: https://feross.org/support
Source: npm-install.md.0.dr	String found in binary or memory: https://gist.github.com/gistID
Source: package.json137.0.dr	String found in binary or memory: https://github.com/DABH
Source: package.json137.0.dr	String found in binary or memory: https://github.com/DABH/colors.js
Source: package.json137.0.dr	String found in binary or memory: https://github.com/DABH/colors.js/issues
Source: enoent.js.0.dr	String found in binary or memory: https://github.com/IndigoUnited/node-cross-spawn/issues/16
Source: utils.js.0.dr	String found in binary or memory: https://github.com/Marak/colors.js/blob/master/lib/styles.js
Source: package.json147.0.dr, package.json145.0.dr	String found in binary or memory: https://github.com/TooTallNate/proxy-agents.git
Source: package.json115.0.dr, package.json138.0.dr	String found in binary or memory: https://github.com/chalk/ansi-regex?sponsor=1
Source: npm.js.0.dr	String found in binary or memory: https://github.com/chalk/chalk/pull/600
Source: package.json37.0.dr	String found in binary or memory: https://github.com/chalk/chalk?sponsor=1
Source: package.json128.0.dr, package.json130.0.dr	String found in binary or memory: https://github.com/chalk/wrap-ansi?sponsor=1
Source: browser.js2.0.dr	String found in binary or memory: https://github.com/facebook/react-native/pull/1632
Source: package.json33.0.dr	String found in binary or memory: https://github.com/feross/buffer
Source: package.json33.0.dr	String found in binary or memory: https://github.com/feross/buffer/issues
Source: completion.fish.0.dr	String found in binary or memory: https://github.com/fish-shell/fish-shell/blob/HEAD/share/completions/npm.fish
Source: npm.md.0.dr	String found in binary or memory: https://github.com/git-guides/install-git)
Source: npm-install.md.0.dr	String found in binary or memory: https://github.com/githubname/githubrepo
Source: process-exec-sync.js.0.dr	String found in binary or memory: https://github.com/gvarsanyi/sync-exec/blob/master/js/sync-exec.js
Source: npm-install.md.0.dr	String found in binary or memory: https://github.com/indexzero/forever/tarball/v0.5.6
Source: package.json97.0.dr	String found in binary or memory: https://github.com/isaacs/color-support.git
Source: package.json105.0.dr	String found in binary or memory: https://github.com/isaacs/common-ancestor-path
Source: package.json2.0.dr	String found in binary or memory: https://github.com/isaacs/inflight
Source: package.json2.0.dr	String found in binary or memory: https://github.com/isaacs/inflight/issues
Source: package.json14.0.dr	String found in binary or memory: https://github.com/isaacs/isexe#readme
Source: package.json14.0.dr	String found in binary or memory: https://github.com/isaacs/isexe.git
Source: package.json14.0.dr	String found in binary or memory: https://github.com/isaacs/isexe/issues
Source: package.json20.0.dr	String found in binary or memory: https://github.com/isaacs/jackspeak.git
Source: package.json25.0.dr	String found in binary or memory: https://github.com/isaacs/json-stringify-nice
Source: package.json100.0.dr	String found in binary or memory: https://github.com/isaacs/minipass-sized.git
Source: package.json110.0.dr, package.json94.0.dr	String found in binary or memory: https://github.com/isaacs/minipass.git
Source: package.json116.0.dr	String found in binary or memory: https://github.com/isaacs/node-mkdirp.git
Source: package.json46.0.dr	String found in binary or memory: https://github.com/isaacs/node-tar.git
Source: package.json143.0.dr	String found in binary or memory: https://github.com/isaacs/string-locale-compare
Source: package.json92.0.dr	String found in binary or memory: https://github.com/isaacs/walk-up-path
Source: CONTRIBUTING.md0.0.dr	String found in binary or memory: https://github.com/kpdecker/jsdiff/pull/new/master
Source: utils.js.0.dr	String found in binary or memory: https://github.com/matheussampaio
Source: package.json139.0.dr	String found in binary or memory: https://github.com/mathiasbynens/emoji-regex.git
Source: package.json139.0.dr	String found in binary or memory: https://github.com/mathiasbynens/emoji-regex/issues
Source: insta313tg.exe, 0000002A.00000002.471586467.0000000004860000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: insta313tg.exe, 0000002A.00000002.471586467.0000000004860000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: insta313tg.exe, 0000002A.00000002.471586467.0000000004860000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: CONTRIBUTING.md.0.dr	String found in binary or memory: https://github.com/nodejs/admin/blob/master/CODE_OF_CONDUCT.md)
Source: update-gyp.py.0.dr	String found in binary or memory: https://github.com/nodejs/gyp-next/archive/
Source: npm.md.0.dr	String found in binary or memory: https://github.com/nodejs/node-gyp)
Source: npm.md.0.dr	String found in binary or memory: https://github.com/nodejs/node-gyp/wiki).
Source: index.js58.0.dr	String found in binary or memory: https://github.com/nodejs/node/blob/b3fcc245fb25539909ef1d5eaa01dbf92e168633/lib/path.js#L56
Source: index.js3.0.dr	String found in binary or memory: https://github.com/nodejs/node/issues/42785
Source: package.json148.0.dr	String found in binary or memory: https://github.com/npm/agent#readme
Source: package.json148.0.dr	String found in binary or memory: https://github.com/npm/agent.git
Source: package.json148.0.dr	String found in binary or memory: https://github.com/npm/agent/issues
Source: package.json135.0.dr, package.json136.0.dr	String found in binary or memory: https://github.com/npm/cli#readme
Source: package.json135.0.dr, package.json136.0.dr	String found in binary or memory: https://github.com/npm/cli.git
Source: npm.md.0.dr	String found in binary or memory: https://github.com/npm/cli/blob/latest/CONTRIBUTING.md)
Source: package.json135.0.dr, error-message.js.0.dr, package.json136.0.dr, exit-handler.js.0.dr, npm.md.0.dr	String found in binary or memory: https://github.com/npm/cli/issues
Source: index.js71.0.dr	String found in binary or memory: https://github.com/npm/cli/issues/969
Source: index.js71.0.dr	String found in binary or memory: https://github.com/npm/cli/issues/969#issuecomment-737496588
Source: package.json89.0.dr	String found in binary or memory: https://github.com/npm/cmd-shim.git
Source: index.js71.0.dr	String found in binary or memory: https://github.com/npm/cmd-shim/issues/10
Source: package.json149.0.dr	String found in binary or memory: https://github.com/npm/disparity-colors.git
Source: npm.md.0.dr	String found in binary or memory: https://github.com/npm/feedback
Source: package.json44.0.dr	String found in binary or memory: https://github.com/npm/fs-minipass#readme
Source: package.json44.0.dr	String found in binary or memory: https://github.com/npm/fs-minipass.git
Source: package.json44.0.dr	String found in binary or memory: https://github.com/npm/fs-minipass/issues
Source: package.json150.0.dr	String found in binary or memory: https://github.com/npm/fs.git
Source: package.json2.0.dr	String found in binary or memory: https://github.com/npm/inflight.git
Source: package.json6.0.dr	String found in binary or memory: https://github.com/npm/init-package-json.git
Source: package.json19.0.dr	String found in binary or memory: https://github.com/npm/json-parse-even-better-errors.git
Source: package.json88.0.dr	String found in binary or memory: https://github.com/npm/minipass-fetch.git
Source: package.json93.0.dr	String found in binary or memory: https://github.com/npm/minipass-json-stream.git
Source: package.json126.0.dr	String found in binary or memory: https://github.com/npm/mute-stream.git
Source: package.json56.0.dr	String found in binary or memory: https://github.com/npm/npm-install-checks.git
Source: package.json61.0.dr	String found in binary or memory: https://github.com/npm/npm-package-arg
Source: package.json61.0.dr	String found in binary or memory: https://github.com/npm/npm-package-arg.git
Source: package.json61.0.dr	String found in binary or memory: https://github.com/npm/npm-package-arg/issues
Source: npm-dist-tag.md.0.dr	String found in binary or memory: https://github.com/npm/npm/issues/6082
Source: package.json67.0.dr	String found in binary or memory: https://github.com/npm/npmlog.git
Source: npm.md.0.dr	String found in binary or memory: https://github.com/npm/rfcs
Source: update.js.0.dr	String found in binary or memory: https://github.com/npm/rfcs/blob/latest/implemented/0019-remove-update-depth-option.md
Source: package.json50.0.dr	String found in binary or memory: https://github.com/npm/treeverse.git
Source: package.json62.0.dr	String found in binary or memory: https://github.com/npm/validate-npm-package-name
Source: package.json62.0.dr	String found in binary or memory: https://github.com/npm/validate-npm-package-name.git
Source: package.json62.0.dr	String found in binary or memory: https://github.com/npm/validate-npm-package-name/issues
Source: package.json134.0.dr	String found in binary or memory: https://github.com/npm/write-file-atomic
Source: package.json134.0.dr	String found in binary or memory: https://github.com/npm/write-file-atomic.git
Source: package.json134.0.dr	String found in binary or memory: https://github.com/npm/write-file-atomic/issues
Source: package.json42.0.dr	String found in binary or memory: https://github.com/shannonmoeller/cli-columns#readme
Source: index.js28.0.dr	String found in binary or memory: https://github.com/sindresorhus/has-flag/blob/main/index.js
Source: package.json33.0.dr	String found in binary or memory: https://github.com/sponsors/feross
Source: package.json20.0.dr, package.json25.0.dr	String found in binary or memory: https://github.com/sponsors/isaacs
Source: package.json39.0.dr	String found in binary or memory: https://github.com/sponsors/sibiraj-s
Source: package.json70.0.dr, package.json140.0.dr	String found in binary or memory: https://github.com/sponsors/sindresorhus
Source: CONTRIBUTING.md0.0.dr	String found in binary or memory: https://github.com/walmartlabs/generator-release
Source: package.json39.0.dr	String found in binary or memory: https://github.com/watson/ci-info
Source: package.json39.0.dr	String found in binary or memory: https://github.com/watson/ci-info.git
Source: package.json39.0.dr	String found in binary or memory: https://github.com/watson/ci-info/issues
Source: package.json15.0.dr	String found in binary or memory: https://github.com/watson/is-lambda
Source: package.json15.0.dr	String found in binary or memory: https://github.com/watson/is-lambda.git
Source: package.json15.0.dr	String found in binary or memory: https://github.com/watson/is-lambda/issues
Source: package.json49.0.dr	String found in binary or memory: https://github.com/wildlyinaccurate/relative-date.git
Source: index.js67.0.dr	String found in binary or memory: https://github.com/yetingli
Source: npm-install.md.0.dr	String found in binary or memory: https://gitlab.com/gitlabname/gitlabrepo
Source: index.js130.0.dr	String found in binary or memory: https://hackerone.com/reports/541502
Source: insta313tg.exe, insta313tg.exe, 00000030.00000002.604627485.0000000000B1E000.00000004.00000020.00020000.00000000.sdmp, insta313tg.exe, 00000030.00000002.604627485.0000000000AA4000.00000004.00000020.00020000.00000000.sdmp, insta313tg.exe, 00000030.00000002.604627485.0000000000AD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/
Source: insta313tg.exe, 00000030.00000002.604627485.0000000000AD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/Mozilla/5.0
Source: insta313tg.exe, 0000002A.00000002.470797690.0000000003C02000.00000004.00000800.00020000.00000000.sdmp, insta313tg.exe, 0000002A.00000002.470797690.00000000034EE000.00000004.00000800.00020000.00000000.sdmp, insta313tg.exe, 00000030.00000002.604503591.000000000065F000.00000002.00000400.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
Source: insta313tg.exe, 00000030.00000002.604627485.0000000000AA4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/m3m1
Source: insta313tg.exe, 00000030.00000002.604627485.0000000000AA4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/widget/demo/102.165.48.43
Source: insta313tg.exe, 00000030.00000002.604627485.0000000000AD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/widget/demo/102.165.48.43=OW
Source: package.json105.0.dr, package.json25.0.dr, package.json92.0.dr, package.json143.0.dr, package.json93.0.dr, package.json100.0.dr	String found in binary or memory: https://izs.me)
Source: route.js.0.dr	String found in binary or memory: https://jsperf.com/object-keys-vs-for-in-with-closure/3
Source: package.json63.0.dr	String found in binary or memory: https://kemitchell.com)
Source: LICENSE-MIT.txt1.0.dr, LICENSE-MIT.txt0.0.dr, package.json139.0.dr	String found in binary or memory: https://mathiasbynens.be/
Source: cssesc.js.0.dr	String found in binary or memory: https://mathiasbynens.be/notes/css-escapes#css
Source: cssesc.js.0.dr	String found in binary or memory: https://mths.be/cssesc
Source: index.js107.0.dr, text.js.0.dr, text.js0.0.dr, RGI_Emoji.js1.0.dr	String found in binary or memory: https://mths.be/emoji
Source: package.json139.0.dr	String found in binary or memory: https://mths.be/emoji-regex
Source: validate-engines.js.0.dr	String found in binary or memory: https://nodejs.org/.
Source: polyfill.js.0.dr	String found in binary or memory: https://nodejs.org/api/fs.html#fs_stat_time_values)
Source: options.js2.0.dr	String found in binary or memory: https://nodejs.org/api/http.html#new-agentoptions
Source: doctor.js.0.dr	String found in binary or memory: https://nodejs.org/dist/index.json
Source: npm-init.md.0.dr	String found in binary or memory: https://npm.im/create-esm):
Source: npm-init.md.0.dr	String found in binary or memory: https://npm.im/create-react-app)
Source: npm-init.md.0.dr	String found in binary or memory: https://npm.im/create-react-app):
Source: npm-access.md.0.dr	String found in binary or memory: https://npm.im/libnpmaccess)
Source: npm-search.md.0.dr	String found in binary or memory: https://npm.im/npm-registry-fetch
Source: escape.js1.0.dr	String found in binary or memory: https://qntm.org/cmd
Source: npm.md.0.dr	String found in binary or memory: https://registry.npmjs.org
Source: npm-audit.md.0.dr	String found in binary or memory: https://registry.npmjs.org/-/npm/v1/keys
Source: npm-audit.md.0.dr	String found in binary or memory: https://registry.npmjs.org/light-cycle/1.4.3)
Source: package.json149.0.dr	String found in binary or memory: https://ruyadorno.com
Source: insta313tg.exe, 00000030.00000002.604627485.0000000000AD4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0
Source: package.json70.0.dr, package.json128.0.dr, package.json130.0.dr, package.json115.0.dr, package.json138.0.dr, package.json140.0.dr	String found in binary or memory: https://sindresorhus.com
Source: license3.0.dr	String found in binary or memory: https://sindresorhus.com)
Source: insta313tg.exe, 0000002A.00000002.471586467.0000000004860000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: insta313tg.exe, 0000002A.00000002.471586467.0000000004860000.00000004.08000000.00040000.00000000.sdmp, insta313tg.exe, 0000002A.00000002.470471234.000000000254E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: insta313tg.exe, 0000002A.00000002.471586467.0000000004860000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: completion.fish.0.dr	String found in binary or memory: https://stackoverflow.com/questions/16657803/creating-autocomplete-script-with-sub-commands
Source: SmzK98tFGb6qzdocFm21bMi.zip.48.dr	String found in binary or memory: https://t.me/RiseProSUPPORT
Source: insta313tg.exe, 00000030.00000002.604627485.0000000000AD4000.00000004.00000020.00020000.00000000.sdmp, insta313tg.exe, 00000030.00000002.604627485.0000000000B34000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/risepro_bot
Source: insta313tg.exe, 00000030.00000002.604627485.0000000000AD4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/risepro_bot3
Source: insta313tg.exe, 00000030.00000002.604627485.0000000000AD4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/risepro_botisepro_bot
Source: index.js131.0.dr	String found in binary or memory: https://tools.ietf.org/html/rfc1928#section-3
Source: package.json39.0.dr, package.json15.0.dr	String found in binary or memory: https://twitter.com/wa7son)
Source: package.json49.0.dr	String found in binary or memory: https://wildlyinaccurate.com/)
Source: insta313tg.exe, 00000030.00000002.604920729.000000000388C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wprogs.top/
Source: insta313tg.exe, 00000030.00000002.604627485.0000000000AD4000.00000004.00000020.00020000.00000000.sdmp, insta313tg.exe, 00000030.00000002.604627485.0000000000B34000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wprogs.top/wefrgdf/bndwaf.exe
Source: insta313tg.exe, 00000030.00000002.604627485.0000000000B34000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wprogs.top/wefrgdf/bndwaf.exe#
Source: insta313tg.exe, 00000030.00000002.604627485.0000000000AD4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wprogs.top/wefrgdf/rwrgtf.exe
Source: insta313tg.exe, 00000030.00000002.604627485.0000000000AC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wprogs.top:80/wefrgdf/bndwaf.exe
Source: diff.js0.0.dr	String found in binary or memory: https://www.artima.com/weblogs/viewpost.jsp?thread=164293
Source: 21.mp3.24.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: insta313tg.exe, 00000030.00000002.604873398.0000000003241000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/search%3Fq%3Dtest%26oq%3Dtest%26aqs%3Dchrome..69i57j46j0l3j46j0.427j0j7%26sou
Source: insta313tg.exe, 00000030.00000002.604873398.0000000003241000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/search%3Fq%3Dwmf%2B5.1%26oq%3Dwmf%2B5.1%26aqs%3Dchrome..69i57j0l7.3167j0j7%26
Source: Chrome_Default.txt0.48.dr	String found in binary or memory: https://www.google.com/search?q=net
Source: Chrome_Default.txt0.48.dr	String found in binary or memory: https://www.google.com/search?q=test&oq=test&aqs=chrome..69i57j46j0l3j46j0.427j0j7&sourceid=chrome&i
Source: Chrome_Default.txt0.48.dr	String found in binary or memory: https://www.google.com/search?q=wmf
Source: Chrome_Default.txt0.48.dr	String found in binary or memory: https://www.google.com/sorry/index
Source: Chrome_Default.txt0.48.dr	String found in binary or memory: https://www.google.com/sorry/index?continue=https://www.google.com/search%3Fq%3Dtest%26oq%3Dtest%26a
Source: Chrome_Default.txt0.48.dr	String found in binary or memory: https://www.google.com/sorry/index?continue=https://www.google.com/search%3Fq%3Dwmf%2B5.1%26oq%3Dwmf
Source: insta313tg.exe	String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: error-message.js.0.dr	String found in binary or memory: https://www.npmjs.com/forgot
Source: bugs.js.0.dr	String found in binary or memory: https://www.npmjs.com/package/$
Source: npm-install.md.0.dr	String found in binary or memory: https://www.npmjs.com/package/validate-npm-package-name#naming-rules).
Source: package.json33.0.dr	String found in binary or memory: https://www.patreon.com/feross

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49169
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49168
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49171
Source: unknown	Network traffic detected: HTTP traffic on port 49168 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49169 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49171 -> 443

Contains functionality to record screenshots

Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe

48_2_0055AF30

System Summary

Potential malicious VBS script found (suspicious strings)

Source: C:\Windows\SysWOW64\cmd.exe

Dropped file: createobject("shell.application").shellexecute "C:\Users\user\AppData\Local\Temp\insta313tg.exe",,,"runas",1

Jump to dropped file

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\SysWOW64\wscript.exe

COM Object queried: Shell Automation Service HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{13709620-C279-11CE-A49E-444553540000}\ProgID

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\SysWOW64\net1.exe	Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\SysWOW64\net.exe	Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\SysWOW64\net1.exe	Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\SysWOW64\wscript.exe	Memory allocated: 770B0000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Memory allocated: 770B0000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Memory allocated: 770B0000 page execute and read and write

Contains functionality to communicate with device drivers

Source: C:\Users\user\AppData\Local\Temp\data.exe

Code function: 24_2_000000013F29903C: wcscpy,CreateFileW,CloseHandle,wcscpy,wcscpy,CreateDirectoryW,wcscpy,wcscpy,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,

24_2_000000013F29903C

Detected potential crypto function

Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013B176C	0_2_013B176C
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013BBBFC	0_2_013BBBFC
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013DC1E1	0_2_013DC1E1
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013A42C3	0_2_013A42C3
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013C857E	0_2_013C857E
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013DC43E	0_2_013DC43E
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013DC6AA	0_2_013DC6AA
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013DC907	0_2_013DC907
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013C2971	0_2_013C2971
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013FAB22	0_2_013FAB22
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013DCB64	0_2_013DCB64
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013F4A20	0_2_013F4A20
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013DCDD0	0_2_013DCDD0
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013F4F60	0_2_013F4F60
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013C2E6D	0_2_013C2E6D
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013A1169	0_2_013A1169
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013A1202	0_2_013A1202
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013C3285	0_2_013C3285
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013F359C	0_2_013F359C
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013F5410	0_2_013F5410
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013DB4B1	0_2_013DB4B1
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013C36BA	0_2_013C36BA
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013DB6E0	0_2_013DB6E0
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013A1939	0_2_013A1939
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013DB91A	0_2_013DB91A
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013F5B3F	0_2_013F5B3F
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013DBB49	0_2_013DBB49
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013A1A78	0_2_013A1A78
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013C3AEF	0_2_013C3AEF
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013DBD78	0_2_013DBD78
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013DBFB2	0_2_013DBFB2
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F29ADE8	24_2_000000013F29ADE8
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F2A2550	24_2_000000013F2A2550
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F2B23F0	24_2_000000013F2B23F0
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F297C4C	24_2_000000013F297C4C
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F2942C4	24_2_000000013F2942C4
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F2A5008	24_2_000000013F2A5008
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F29370C	24_2_000000013F29370C
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F2A4704	24_2_000000013F2A4704
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F2C3F44	24_2_000000013F2C3F44
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F2C6760	24_2_000000013F2C6760
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F2A9790	24_2_000000013F2A9790
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F2BCF94	24_2_000000013F2BCF94
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F2C9F68	24_2_000000013F2C9F68
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F2955F8	24_2_000000013F2955F8
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F2AD650	24_2_000000013F2AD650
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F292E60	24_2_000000013F292E60
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F2ACE2C	24_2_000000013F2ACE2C
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F2BCD18	24_2_000000013F2BCD18
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F2B353C	24_2_000000013F2B353C
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F2A2D78	24_2_000000013F2A2D78
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F2B0DAC	24_2_000000013F2B0DAC
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F2C0CDC	24_2_000000013F2C0CDC
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F2A9AFC	24_2_000000013F2A9AFC
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F2A3394	24_2_000000013F2A3394
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F2A9378	24_2_000000013F2A9378
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F295A30	24_2_000000013F295A30
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F2C6290	24_2_000000013F2C6290
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F2A0120	24_2_000000013F2A0120
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F2978E4	24_2_000000013F2978E4
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F2A39C4	24_2_000000013F2A39C4
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F2A71AC	24_2_000000013F2A71AC
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F2A9060	24_2_000000013F2A9060
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F2A8858	24_2_000000013F2A8858
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F29903C	24_2_000000013F29903C
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_00516DF8	42_2_00516DF8
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_005156B8	42_2_005156B8
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_00517BA8	42_2_00517BA8
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_00516DE8	42_2_00516DE8
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_020D7014	42_2_020D7014
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_020D4868	42_2_020D4868
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_020D5C1B	42_2_020D5C1B
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_020DA000	42_2_020DA000
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_020DA002	42_2_020DA002
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_020DB040	42_2_020DB040
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_020DF760	42_2_020DF760
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_020DF770	42_2_020DF770
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_020D45A0	42_2_020D45A0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_020D45B0	42_2_020D45B0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_020D4859	42_2_020D4859
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_043F0048	42_2_043F0048
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_043F0001	42_2_043F0001
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_049FAED0	42_2_049FAED0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_049FE78C	42_2_049FE78C
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_049FE228	42_2_049FE228
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_049FF373	42_2_049FF373
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_049FE7C9	42_2_049FE7C9
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_04A088E0	42_2_04A088E0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_04A07AB0	42_2_04A07AB0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_04A0A631	42_2_04A0A631
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_04A0A640	42_2_04A0A640
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_04A0A7C5	42_2_04A0A7C5
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_04A07160	42_2_04A07160
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_04A09351	42_2_04A09351
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_04C5B400	42_2_04C5B400
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_04C5C5F9	42_2_04C5C5F9
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_04C5EE28	42_2_04C5EE28
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_04C57F98	42_2_04C57F98
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_04C55D2C	42_2_04C55D2C
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_04C57F88	42_2_04C57F88
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_04C5B727	42_2_04C5B727
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_04C50040	42_2_04C50040
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_04C50006	42_2_04C50006
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_04C62BA8	42_2_04C62BA8
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_04C67C81	42_2_04C67C81
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_04C67C90	42_2_04C67C90
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_04C648B0	42_2_04C648B0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_04C62B98	42_2_04C62B98
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_04DF0040	42_2_04DF0040
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_04DF0007	42_2_04DF0007
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_0599F378	42_2_0599F378
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_05980006	42_2_05980006
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_05980040	42_2_05980040
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_0599D240	42_2_0599D240
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0055E150	48_2_0055E150
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_00596230	48_2_00596230
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0058E2D0	48_2_0058E2D0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005DE490	48_2_005DE490
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005B4577	48_2_005B4577
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0057C597	48_2_0057C597
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0058C7F0	48_2_0058C7F0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005788A0	48_2_005788A0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005DE910	48_2_005DE910
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_00588A00	48_2_00588A00
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_00574AD0	48_2_00574AD0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0058CA80	48_2_0058CA80
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005DEB70	48_2_005DEB70
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0057EB84	48_2_0057EB84
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_00592F40	48_2_00592F40
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0057AF7D	48_2_0057AF7D
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005A70F0	48_2_005A70F0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_00593160	48_2_00593160
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005D5240	48_2_005D5240
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_00591220	48_2_00591220
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_00573330	48_2_00573330
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005A9440	48_2_005A9440
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0058B480	48_2_0058B480
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_00599550	48_2_00599550
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005A7770	48_2_005A7770
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005877E0	48_2_005877E0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005DF810	48_2_005DF810
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005858A0	48_2_005858A0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0058D910	48_2_0058D910
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005B19E0	48_2_005B19E0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0063BB6D	48_2_0063BB6D
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005B3E4B	48_2_005B3E4B
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_00575E30	48_2_00575E30
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_00581ED0	48_2_00581ED0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005DA03B	48_2_005DA03B
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005DE140	48_2_005DE140
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0057E108	48_2_0057E108
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_00578129	48_2_00578129
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0057E229	48_2_0057E229
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0056A290	48_2_0056A290
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005E63D0	48_2_005E63D0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005AA3E8	48_2_005AA3E8
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0063646A	48_2_0063646A
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_00594457	48_2_00594457
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005524F0	48_2_005524F0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005EC4F0	48_2_005EC4F0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_006384A0	48_2_006384A0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005D6550	48_2_005D6550
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005D8610	48_2_005D8610
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005E2610	48_2_005E2610
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0059C620	48_2_0059C620
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_00566689	48_2_00566689
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005AC730	48_2_005AC730
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005E68C0	48_2_005E68C0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005648E0	48_2_005648E0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_00626970	48_2_00626970
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_00622950	48_2_00622950
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0059A900	48_2_0059A900
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005AEAA0	48_2_005AEAA0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_00582C59	48_2_00582C59
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_00568C58	48_2_00568C58
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005AEC08	48_2_005AEC08
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005D6C00	48_2_005D6C00
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_00632CE0	48_2_00632CE0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005AACC9	48_2_005AACC9
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005E2CF0	48_2_005E2CF0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_00588C97	48_2_00588C97
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005AAF69	48_2_005AAF69
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005B0F08	48_2_005B0F08
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005D90E0	48_2_005D90E0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0057B0E9	48_2_0057B0E9
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_00625100	48_2_00625100
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005ED1A0	48_2_005ED1A0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_00569259	48_2_00569259
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005F1270	48_2_005F1270
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005912D8	48_2_005912D8
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0059F280	48_2_0059F280
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_00583286	48_2_00583286
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005DF360	48_2_005DF360
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0064B3B9	48_2_0064B3B9
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0059B568	48_2_0059B568
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005D55B0	48_2_005D55B0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005DF600	48_2_005DF600
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0058B6C9	48_2_0058B6C9
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0064F771	48_2_0064F771
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_00649824	48_2_00649824
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0061F800	48_2_0061F800
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005D9880	48_2_005D9880
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0059B939	48_2_0059B939
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005F59E1	48_2_005F59E1
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_00587A47	48_2_00587A47
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_00565A10	48_2_00565A10
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005ADA99	48_2_005ADA99
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0061DB2C	48_2_0061DB2C
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_00607B30	48_2_00607B30
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005D5B20	48_2_005D5B20
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_00573B28	48_2_00573B28
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005A9BD9	48_2_005A9BD9
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0060DC70	48_2_0060DC70
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005AFC77	48_2_005AFC77
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005DBD50	48_2_005DBD50
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005A9D39	48_2_005A9D39
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_00567DC0	48_2_00567DC0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005E1E30	48_2_005E1E30
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0063BEAF	48_2_0063BEAF
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005D3F80	48_2_005D3F80
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_00611F90	48_2_00611F90

Dropped file seen in connection with other malware

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\7zS48C4B291\node_modules\color-support\bin.js A797F6FEA8A46F7ADF24FB22DB2C880E8202587094BEA0F83029C81C66FB7048

Found potential string decryption / allocating functions

Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: String function: 0062FED0 appears 53 times
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: String function: 005BE530 appears 44 times
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: String function: 005E2450 appears 102 times
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: String function: 013BFF5F appears 136 times
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: String function: 013BFD30 appears 56 times
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: String function: 013E6094 appears 60 times
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: String function: 013E97DA appears 32 times

PE / OLE file has an invalid certificate

Source: InjectToolInstaller.exe

Static PE information: invalid certificate

Sample file is different than original file name gathered from version info

Source: InjectToolInstaller.exe, 00000000.00000000.335517606.0000000001415000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilename7zS.sfx.exe< vs InjectToolInstaller.exe
Source: InjectToolInstaller.exe, 00000000.00000003.382514881.0000000000464000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSHDOCVW.DLL.MUIj% vs InjectToolInstaller.exe
Source: InjectToolInstaller.exe	Binary or memory string: OriginalFilename7zS.sfx.exe< vs InjectToolInstaller.exe

Tries to load missing DLLs

Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Section loaded: ext-ms-win-kernel32-package-current-l1-1-0.dll	Jump to behavior
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Section loaded: devrtl.dll	Jump to behavior
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winbrand.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winbrand.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winbrand.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: browcli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: dsrole.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: browcli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: samlib.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: ntdsapi.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: netmsg.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winbrand.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: browcli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: dsrole.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: browcli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: samlib.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: ntdsapi.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: netmsg.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\data.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\AppData\Local\Temp\data.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\AppData\Local\Temp\data.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\AppData\Local\Temp\data.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\AppData\Local\Temp\data.exe	Section loaded: <pi-ms-win-core-localization-l1-2-1.dll
Source: C:\Users\user\AppData\Local\Temp\data.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\data.exe	Section loaded: ext-ms-win-kernel32-package-current-l1-1-0.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: devrtl.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Section loaded: wow64win.dll
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Section loaded: wow64cpu.dll
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Section loaded: rpcrtremote.dll
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Section loaded: wbemcomn2.dll
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Section loaded: bcrypt.dll
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Section loaded: ntdsapi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Section loaded: wow64win.dll
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Section loaded: wow64cpu.dll
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Section loaded: bcrypt.dll
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Section loaded: credssp.dll
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Section loaded: rpcrtremote.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll

Uses 32bit PE files

Source: InjectToolInstaller.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 42.2.insta313tg.exe.37f2788.5.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 42.2.insta313tg.exe.37f2788.5.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 42.2.insta313tg.exe.37f2788.5.raw.unpack, Task.cs	Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 42.2.insta313tg.exe.37f2788.5.raw.unpack, TaskService.cs	Task registration methods: 'CreateFromToken'
Source: 42.2.insta313tg.exe.4cb0000.7.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 42.2.insta313tg.exe.4cb0000.7.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'

Source: 42.2.insta313tg.exe.37f2788.5.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 42.2.insta313tg.exe.37f2788.5.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 42.2.insta313tg.exe.37f2788.5.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 42.2.insta313tg.exe.4cb0000.7.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 42.2.insta313tg.exe.4cb0000.7.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 42.2.insta313tg.exe.37f2788.5.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 42.2.insta313tg.exe.4cb0000.7.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 42.2.insta313tg.exe.4cb0000.7.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 42.2.insta313tg.exe.4cb0000.7.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 42.2.insta313tg.exe.4cb0000.7.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 42.2.insta313tg.exe.37f2788.5.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 42.2.insta313tg.exe.37f2788.5.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@145/1085@5/5

Source: C:\Users\user\AppData\Local\Temp\data.exe

Code function: 24_2_000000013F298AD4 GetLastError,FormatMessageW,

24_2_000000013F298AD4

Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe

Code function: 48_2_005E4110 GetVersionExA,CreateFileW,CreateFileA,GetDiskFreeSpaceW,GetDiskFreeSpaceA,

48_2_005E4110

Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe

48_2_0055C430

Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe

48_2_00596230

Source: C:\Users\user\AppData\Local\Temp\data.exe

Code function: 24_2_000000013F2B0C0C FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipAlloc,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,

24_2_000000013F2B0C0C

Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe

File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\signons.sqlite

Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\InjectToolInstaller.exe

File created: C:\Users\user\AppData\Local\Temp\7zS48C4B291

Jump to behavior

Source: C:\Users\user\Desktop\InjectToolInstaller.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\7zS48C4B291\run.bat" "

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\7zS48C4B291\runas.vbs"

Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................ . . . . . . . .1. .f.i.l.e.(.s.). .c.o.p.i.e.d.................0.......................6.................1.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................ . . . . . . . .1. .f.i.l.e.(.s.). .c.o.p.i.e.d.........[..s............................6.................1.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................ . . . . . . . .1. .f.i.l.e.(.s.). .c.o.p.i.e.d.........[..s............................6.................1.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................C.H.E.A.T. .E.N.G.I.N.E. .S.C.R.I.P.T. .R.U.N.N.E.R.............M.......................8....]..................	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................H.......(.P.....\.......d...............V/..............................................\....]..................	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................H.......(.P.....\.......d...............e/..............................................b....]..................	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................H.......(.P.....\.......d...............t/...................................................]..................	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................H.......(.P.....\.......d................/......................T............................]..................	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................H.......(.P.....\.......d................/...................................................]..................	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................H.......(.P.....\.......d................/..............................................b....]..................	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................H.......(.P.....\.......d................/..............................................b....]..................	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................H.......(.P.....\.......d................/......................B.......................V....]..................	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................H.......(.P.....\.......d................/...................................................]..................	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................H.......(.P.....\.......d................/...................................................]..................	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................H.......(.P.....\.......d................/...................................................]..................	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................H.......(.P.....\.......d................/...................................................]..................	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................H.......(.P.....\.......d................0...................................................]..................	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................H.......(.P.....\.......d................0......................#............................]..................	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................H.......(.P.....\.......d...............(0......................k............................]..................	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................H.......(.P.....\.......d...............70...................................................]..................	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................H.......(.P.....\.......d...............F0...................................................]..................	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................H.......(.P.....\.......d...............U0......................U............................]..................	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................H.......(.P.....\.......d...............d0..............................................z....]..................	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................H.......(.P.....\.......d...............s0...................................................]..................	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................H.......(.P.....\.......d................0......................N............................]..................	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................@4..............0..............._B.s....P$.s.... .........8.............................R.................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....L7..............6..s............................T.................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s.....:..............6..s............................V.................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s.....>..............6..s............................X.................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....:E..............6..s............................Z.................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....FG..............6..s............................\.................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s.....H..............6..s............................^.................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....'J..............6..s............................`.................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s.....K..............6..s............................b.................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s.....M..............6..s............................d.................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....cN..............6..s............................f.................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s.....O..............6..s............................h.................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....EQ..............6..s............................j.................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s.....R..............6..s............................l.................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s.....S..............6..s............................n.................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s.....T..............6..s............................p.................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s.....V..............6..s............................r.................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s.....W..............6..s............................t.................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....yY..............6..s............................v.................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s.....Z..............6..s............................x.................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s.....[..............6..s............................z.................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....z]..............6..s............................\|.................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s.....`..............6..s............................~.................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....3b..............6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s.....c..............6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s.....d..............6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s.....f..............6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s.....h..............6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s.....k..............6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s.....l..............6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s.....n..............6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s...."q..............6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....~r..............6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....qt..............6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s.....u..............6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s.....x..............6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s...._z..............6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s.....}..............6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....................6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....................6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....5...............6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....j...............6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....................6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....................6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s..../...............6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....8...............6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....................6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....................6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....................6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....................6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....................6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....T...............6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....................6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....................6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....b...............6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....6...............6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....................6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....]...............6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....................6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....................6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....p...............6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s...."...............6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....................6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....................6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....a...............6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....................6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....................6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....6...............6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....a...............6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....................6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....................6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....................6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....l...............6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....]...............6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....................6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....V...............6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....h...............6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....................6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....................6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....................6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....................6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....R...............6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ..................d.....................(.P.....t.......................V5......................0...d.o.........h...............................
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ..................d.....................(.P.....t.......................\5......................0...d.o.................\.......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................$........:.........................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................$........:.........................s..............(.............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................$........:.........................s............................h...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................$........:.........................s..............(.............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................$........:.........................s............................h...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................$........:.........................s..............(.............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................a.g.a.i.n.......................$........:.........................s..............(.............h...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................$........;.........................s..............(.............h...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.1.$........;.........................s..............(..... .......h...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................$.......);.........................s..............(.............h...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................$.......;;.........................s............................h...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................$.......G;.........................s..............(.............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................+. .~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.....Y;.........................s..............(.....$.......h...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................$.......e;.........................s..............(.............h...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................$.......w;.........................s............................h...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................$........;.........................s..............(.............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ . . .m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n..................s..............(.....2.......h...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................$........;.........................s..............(.............h...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................$........;.........................s....................l.......h...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................$........;.........................s..............(.............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ .......(.P.....................$........;.........................s..............(.............h...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................$........;.........................s..............(.............h...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P..............................@.........................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P..............................@.........................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P..............................@.........................s............................h...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P..............................@.........................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P..............................@.........................s............................h...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P..............................@.........................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................a.g.a.i.n................................@.........................s............................h...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P..............................@.........................s............................h...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.1..........A.........................s.................... .......h...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P..............................A.........................s............................h...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P............................. A.........................s............................h...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............................,A.........................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................+. .~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.....>A.........................s....................$.......h...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............................JA.........................s............................h...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............................]A.........................s............................h...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............................iA.........................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ . . .m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n..................s....................2.......h...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P..............................A.........................s............................h...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P..............................A.........................s....................l.......h...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P..............................A.........................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ .......(.P..............................A.........................s............................h...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P..............................A.........................s............................h...............

Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Command line argument: ;!@InstallEnd@!	0_2_013BEC4C
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Command line argument: Title	0_2_013BEC4C
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Command line argument: ExtractPathText	0_2_013BEC4C
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Command line argument: Directory	0_2_013BEC4C
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Command line argument: InstallPath	0_2_013BEC4C
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Command line argument: %%S	0_2_013BEC4C
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Command line argument: %%S	0_2_013BEC4C
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Command line argument: %%S	0_2_013BEC4C
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Command line argument: RunProgram	0_2_013BEC4C
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Command line argument: ExecuteFile	0_2_013BEC4C
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Command line argument: setup.exe	0_2_013BEC4C
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Command line argument: %%T\	0_2_013BEC4C
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Command line argument: %%T	0_2_013BEC4C
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Command line argument: ;!@InstallEnd@!	0_2_013BEC4C
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Command line argument: Title	0_2_013BEC4C
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Command line argument: ExtractPathText	0_2_013BEC4C
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Command line argument: Directory	0_2_013BEC4C
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Command line argument: InstallPath	0_2_013BEC4C
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Command line argument: %%S	0_2_013BEC4C
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Command line argument: %%S	0_2_013BEC4C
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Command line argument: %%S	0_2_013BEC4C
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Command line argument: RunProgram	0_2_013BEC4C
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Command line argument: ExecuteFile	0_2_013BEC4C
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Command line argument: setup.exe	0_2_013BEC4C
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Command line argument: %%T\	0_2_013BEC4C
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Command line argument: %%T	0_2_013BEC4C

Source: InjectToolInstaller.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\InjectToolInstaller.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\InjectToolInstaller.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: insta313tg.exe, insta313tg.exe, 00000030.00000002.604503591.000000000065F000.00000002.00000400.00020000.00000000.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: insta313tg.exe, 0000002A.00000002.470797690.0000000003C02000.00000004.00000800.00020000.00000000.sdmp, insta313tg.exe, 0000002A.00000002.470797690.00000000034EE000.00000004.00000800.00020000.00000000.sdmp, insta313tg.exe, 00000030.00000002.604503591.000000000065F000.00000002.00000400.00020000.00000000.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');

Source: insta313tg.exe

String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address

Source: C:\Users\user\Desktop\InjectToolInstaller.exe

File read: C:\Users\user\Desktop\InjectToolInstaller.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\InjectToolInstaller.exe "C:\Users\user\Desktop\InjectToolInstaller.exe"
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\7zS48C4B291\run.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\user\AppData\Local\Temp\installer.bat
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\user\AppData\Local\Temp\1.bat
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\net.exe NET FILE
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 FILE
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /C "C:\Users\user\AppData\Local\Temp\1.bat"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\net.exe NET FILE
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 FILE
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -command "Add-MpPreference -ExclusionPath "C:\Users\user\Appdata\Local" -Force"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -command "Add-MpPreference -AttackSurfaceReductionOnlyExclusions "C:\Users\user\Appdata\Local" -Force"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\data.exe C:\Users\user\AppData\Local\Temp\data.exe -p"hty6u57tfg" -d"C:\Users\user\AppData\Local\Temp\"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\7zS48C4B291\runas.vbs"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\insta313tg.exe "C:\Users\user\AppData\Local\Temp\insta313tg.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Process created: C:\Users\user\AppData\Local\Temp\insta313tg.exe "C:\Users\user\AppData\Local\Temp\insta313tg.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\7zS48C4B291\run.bat" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\user\AppData\Local\Temp\installer.bat	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\user\AppData\Local\Temp\1.bat	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\data.exe C:\Users\user\AppData\Local\Temp\data.exe -p"hty6u57tfg" -d"C:\Users\user\AppData\Local\Temp\"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\net.exe NET FILE
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /C "C:\Users\user\AppData\Local\Temp\1.bat"
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 FILE
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\net.exe NET FILE
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -command "Add-MpPreference -ExclusionPath "C:\Users\user\Appdata\Local" -Force"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -command "Add-MpPreference -AttackSurfaceReductionOnlyExclusions "C:\Users\user\Appdata\Local" -Force"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\data.exe C:\Users\user\AppData\Local\Temp\data.exe -p"hty6u57tfg" -d"C:\Users\user\AppData\Local\Temp\"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\7zS48C4B291\runas.vbs"
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 FILE
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\insta313tg.exe "C:\Users\user\AppData\Local\Temp\insta313tg.exe"
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Process created: C:\Users\user\AppData\Local\Temp\insta313tg.exe "C:\Users\user\AppData\Local\Temp\insta313tg.exe"

Source: C:\Users\user\Desktop\InjectToolInstaller.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source: InjectToolInstaller.exe

Static file information: File size 57739400 > 1048576

Source: InjectToolInstaller.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: InjectToolInstaller.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: InjectToolInstaller.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: InjectToolInstaller.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: InjectToolInstaller.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: InjectToolInstaller.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: InjectToolInstaller.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: InjectToolInstaller.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: insta313tg.exe, 0000002A.00000002.471726274.0000000004CB0000.00000004.08000000.00040000.00000000.sdmp, insta313tg.exe, 0000002A.00000002.470471234.0000000002682000.00000004.00000800.00020000.00000000.sdmp, insta313tg.exe, 0000002A.00000002.470797690.00000000034EE000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: insta313tg.exe, 0000002A.00000002.471726274.0000000004CB0000.00000004.08000000.00040000.00000000.sdmp, insta313tg.exe, 0000002A.00000002.470471234.0000000002682000.00000004.00000800.00020000.00000000.sdmp, insta313tg.exe, 0000002A.00000002.470797690.00000000034EE000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\git-sdk-64\usr\src\MSYS2-packages\p7zip\src\p7zip_16.02.bup\CPP\7zip\Bundles\SFXSetup\ReleaseD\7zSD.pdb source: InjectToolInstaller.exe
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: insta313tg.exe, 0000002A.00000002.471586467.0000000004860000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar64\Release\sfxrar.pdb source: data.exe, 00000018.00000002.449019686.000000013F2CC000.00000002.00000001.01000000.00000006.sdmp, data.exe, 00000018.00000000.406984919.000000013F2CC000.00000002.00000001.01000000.00000006.sdmp, data.dat.2.dr
Source:	Binary string: protobuf-net.pdb source: insta313tg.exe, 0000002A.00000002.471586467.0000000004860000.00000004.08000000.00040000.00000000.sdmp

Source: InjectToolInstaller.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: InjectToolInstaller.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: InjectToolInstaller.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: InjectToolInstaller.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: InjectToolInstaller.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

.NET source code contains potential unpacker

Source: 42.2.insta313tg.exe.37f2788.5.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 42.2.insta313tg.exe.37f2788.5.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 42.2.insta313tg.exe.37f2788.5.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties
Source: 42.2.insta313tg.exe.4860000.6.raw.unpack, TypeModel.cs	.Net Code: TryDeserializeList
Source: 42.2.insta313tg.exe.4860000.6.raw.unpack, ListDecorator.cs	.Net Code: Read
Source: 42.2.insta313tg.exe.4860000.6.raw.unpack, TypeSerializer.cs	.Net Code: CreateInstance
Source: 42.2.insta313tg.exe.4860000.6.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateInstance
Source: 42.2.insta313tg.exe.4860000.6.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateIfNull
Source: 42.2.insta313tg.exe.4cb0000.7.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 42.2.insta313tg.exe.4cb0000.7.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 42.2.insta313tg.exe.4cb0000.7.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties

Yara detected Costura Assembly Loader

Source: Yara match	File source: 42.2.insta313tg.exe.3843ef0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 42.2.insta313tg.exe.57d0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000002A.00000002.470797690.0000000003842000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000002.472107089.00000000057D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000002.470471234.000000000254E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: insta313tg.exe PID: 2604, type: MEMORYSTR

Contains functionality to dynamically determine API calls

Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe

Code function: 48_2_0058C7F0 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,

48_2_0058C7F0

File is packed with WinRar

Source: C:\Users\user\AppData\Local\Temp\data.exe

File created: C:\Users\user\AppData\Local\Temp\__tmp_rar_sfx_access_check_6427428

PE file contains sections with non-standard names

Source: data.dat.0.dr	Static PE information: section name: .didat
Source: data.dat.0.dr	Static PE information: section name: _RDATA
Source: data.dat.2.dr	Static PE information: section name: .didat
Source: data.dat.2.dr	Static PE information: section name: _RDATA

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013BFD76 push ecx; ret	0_2_013BFD89
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013BFF28 push ecx; ret	0_2_013BFF3B
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_043F2BC3 push eax; iretd	42_2_043F2BCD
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_049F8416 push dword ptr [ebx+esi-75h]; iretd	42_2_049F841D
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_049F8F24 push es; retf	42_2_049F8F27
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_04A01023 push ecx; ret	42_2_04A01024
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_04A0121E pushfd ; ret	42_2_04A0121F
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_04C600D4 push esp; iretd	42_2_04C600D9
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_04DF3E7A push ebx; ret	42_2_04DF3E81
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_04DF3277 push esi; iretd	42_2_04DF327E
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0062FA97 push ecx; ret	48_2_0062FAAA

Persistence and Installation Behavior

Command shell drops VBS files

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Local\Temp\7zS48C4B291\runas.vbs

Installs new ROOT certificates

Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob

Drops PE files

Source: C:\Users\user\AppData\Local\Temp\data.exe	File created: C:\Users\user\AppData\Local\Temp\21.mp3	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\data.dat	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\data.exe (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	File created: C:\Users\user\AppData\Local\Temp\7zS48C4B291\data.dat	Jump to dropped file

Drops files with a non-matching file extension (content does not match file extension)

Source: C:\Users\user\AppData\Local\Temp\data.exe

File created: C:\Users\user\AppData\Local\Temp\21.mp3

Jump to dropped file

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe

Code function: 48_2_005D55B0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

48_2_005D55B0

Stores large binary data to the registry

Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob

Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\net.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\net.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\net.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\net.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\net.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\net.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe

Sandbox detection routine: GetCursorPos, DecisionNode, Sleep

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe

Evasive API call chain: GetPEB, DecisionNodes, Sleep

Found stalling execution ending in API Sleep call

Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe

Stalling execution: Execution stalls by calling Sleep

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: insta313tg.exe, 0000002A.00000002.470471234.0000000002682000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: insta313tg.exe, 0000002A.00000002.470471234.000000000254E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: EXPLORER9SBIEDLL.DLL:SELECT * FROM WIN32_BIOS8UNEXPECTED WMI QUERY FAILURE;VERSION<SERIALNUMBER>VMWARE\|VIRTUAL\|A M I\|XEN?SELECT * FROM WIN32_COMPUTERSYSTEM@MANUFACTURERAMODELBMICROSOFT\|VMWARE\|VIRTUALCJOHNDANNAEXXXXXXXX

Uses ping.exe to sleep

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Memory allocated: 510000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Memory allocated: 2380000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Memory allocated: 21E0000 memory reserve \| memory write watch

Contains functionality to detect sandboxes (mouse cursor move detection)

Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe

Code function: GetCursorPos,GetCursorPos,GetCursorPos,Sleep,GetCursorPos,Sleep,GetCursorPos,

48_2_005B3A40

Contains long sleeps (>= 3 min)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Thread delayed: delay time: 922337203685477

Found WSH timer for Javascript or VBS script (likely evasive script)

Source: C:\Windows\SysWOW64\wscript.exe

Window found: window name: WSH-Timer

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5104
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1688
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1570
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3694
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Window / User API: threadDelayed 370

Found evasive API chain (date check)

Source: C:\Users\user\AppData\Local\Temp\data.exe	Evasive API call chain: GetLocalTime,DecisionNodes
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3644	Thread sleep count: 5104 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3628	Thread sleep count: 1688 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3688	Thread sleep time: -120000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3692	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3664	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3764	Thread sleep count: 1570 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3764	Thread sleep count: 3694 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3812	Thread sleep time: -120000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3820	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3740	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe TID: 3560	Thread sleep count: 370 > 30
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe TID: 3620	Thread sleep time: -120000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe TID: 3620	Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe TID: 3572	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe TID: 3616	Thread sleep count: 51 > 30
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe TID: 1384	Thread sleep time: -60000s >= -30000s

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_BIOS

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_ComputerSystem

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe

Last function: Thread delayed

Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)

Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe

Code function: 48_2_005B7D40 GetKeyboardLayoutList followed by cmp: cmp eax, 2eh and CTI: jc 005B7D50h country: Upper Sorbian (hsb)

48_2_005B7D40

Uses the system / local time for branch decision (may execute only at specific dates)

Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe

Code function: 48_2_005E4670 GetSystemTime followed by cmp: cmp eax, 04h and CTI: jc 005E46C1h

48_2_005E4670

Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013AABAF FindFirstFileA,FindFirstFileW,	0_2_013AABAF
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013E783F FindFirstFileExA,	0_2_013E783F
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013E7AF7 FindFirstFileExW,FindClose,FindNextFileW,	0_2_013E7AF7
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013E7CAD FindFirstFileExA,	0_2_013E7CAD
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013E7CD8 FindFirstFileExW,	0_2_013E7CD8
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F29DDB0 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	24_2_000000013F29DDB0
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F2C4150 FindFirstFileExA,	24_2_000000013F2C4150
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F2B3000 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,swprintf,SetDlgItemTextW,FindClose,swprintf,SetDlgItemTextW,SendDlgItemMessageW,swprintf,SetDlgItemTextW,swprintf,SetDlgItemTextW,	24_2_000000013F2B3000
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0055E150 CreateDirectoryA,CreateDirectoryA,FindFirstFileA,GetLastError,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,SHGetFolderPathA,GetFileAttributesA,GetFileAttributesA,GetLastError,GetLastError,__Mtx_unlock,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,CreateDirectoryA,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,GetFileAttributesA,GetFileAttributesA,GetLastError,__Mtx_unlock,GetFileAttributesA,__Mtx_unlock,CreateDirectoryA,GetFileAttributesA,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,CreateDirectoryA,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,CreateDirectoryA,__Mtx_unlock,	48_2_0055E150
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0058E2D0 SHGetFolderPathA,GetFileAttributesA,GetFileAttributesA,GetLastError,GetLastError,__Mtx_unlock,GetFileAttributesA,GetLastError,__Mtx_unlock,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CopyFileA,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,CreateDirectoryA,CopyFileA,CopyFileA,__Mtx_unlock,__Mtx_unlock,	48_2_0058E2D0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0055A750 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,__Mtx_unlock,	48_2_0055A750
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_00570D83 FindFirstFileA,FindNextFileA,GetLastError,FindClose,	48_2_00570D83
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0062D997 FindClose,FindFirstFileExW,GetLastError,	48_2_0062D997
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0064CD90 FindFirstFileExW,	48_2_0064CD90

Source: C:\Users\user\Desktop\InjectToolInstaller.exe

Code function: 0_2_013AAEC5 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z,__EH_prolog3,GetLogicalDriveStringsA,GetLogicalDriveStringsA,GetLogicalDriveStringsW,GetLogicalDriveStringsW,

0_2_013AAEC5

Source: C:\Users\user\AppData\Local\Temp\data.exe

Code function: 24_2_000000013F2B5F78 VirtualQuery,GetSystemInfo,

24_2_000000013F2B5F78

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\InjectToolInstaller.exe	File opened: C:\Users\user\AppData\Local\Temp\7zS48C4B291\node_modules\@isaacs\cliui	Jump to behavior
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	File opened: C:\Users\user\AppData\Local\Temp\7zS48C4B291\node_modules\@isaacs\cliui\node_modules	Jump to behavior
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	File opened: C:\Users\user\AppData\Local\Temp\7zS48C4B291\node_modules\@isaacs\cliui\build	Jump to behavior
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	File opened: C:\Users\user\AppData\Local\Temp\7zS48C4B291\node_modules\@isaacs\cliui\build\lib	Jump to behavior
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	File opened: C:\Users\user\AppData\Local\Temp\7zS48C4B291\node_modules\@isaacs\cliui\node_modules\emoji-regex	Jump to behavior
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	File opened: C:\Users\user\AppData\Local\Temp\7zS48C4B291\node_modules\@isaacs\cliui\node_modules\ansi-regex	Jump to behavior

Source: InjectToolInstaller.exe	Binary or memory string: HGFs"
Source: insta313tg.exe, 0000002A.00000002.470471234.000000000254E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: explorer9SbieDll.dll:select * from Win32_BIOS8Unexpected WMI query failure;version<SerialNumber>VMware\|VIRTUAL\|A M I\|Xen?select * from Win32_ComputerSystem@manufacturerAmodelBMicrosoft\|VMWare\|VirtualCjohnDannaExxxxxxxx
Source: insta313tg.exe, 0000002A.00000002.470471234.0000000002682000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: crosoft\|VMWare\|Virtual
Source: insta313tg.exe, 0000002A.00000002.470471234.0000000002682000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: insta313tg.exe, 0000002A.00000002.470471234.0000000002682000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware\|VIRTUAL\|A M I\|Xen
Source: insta313tg.exe, 0000002A.00000002.470471234.0000000002682000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Microsoft\|VMWare\|Virtual
Source: insta313tg.exe, 0000002A.00000002.470471234.0000000002682000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: p 1:en-US:VMware\|VIRTUAL\|A M I\|Xen
Source: insta313tg.exe, 0000002A.00000002.470471234.0000000002682000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWareLR
Source: insta313tg.exe, 0000002A.00000002.470471234.0000000002682000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: p 1:en-US:Microsoft\|VMWare\|Virtual

Source: C:\Users\user\AppData\Local\Temp\data.exe

API call chain: ExitProcess graph end node

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe

Code function: 42_2_04A041A8 CheckRemoteDebuggerPresent,

42_2_04A041A8

Checks if the current process is being debugged

Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Process queried: DebugPort

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\InjectToolInstaller.exe

Code function: 0_2_013C0C8C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_013C0C8C

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe

48_2_005B4577

Contains functionality to dynamically determine API calls

Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe

Code function: 48_2_0058C7F0 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,

48_2_0058C7F0

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013CF82F mov eax, dword ptr fs:[00000030h]	0_2_013CF82F
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013CF8BD mov eax, dword ptr fs:[00000030h]	0_2_013CF8BD
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0056C155 mov eax, dword ptr fs:[00000030h]	48_2_0056C155
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005B4577 mov eax, dword ptr fs:[00000030h]	48_2_005B4577
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005B4577 mov ecx, dword ptr fs:[00000030h]	48_2_005B4577
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005B4577 mov eax, dword ptr fs:[00000030h]	48_2_005B4577
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005B4577 mov eax, dword ptr fs:[00000030h]	48_2_005B4577
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005B4577 mov eax, dword ptr fs:[00000030h]	48_2_005B4577
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005B4577 mov eax, dword ptr fs:[00000030h]	48_2_005B4577
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005B4577 mov eax, dword ptr fs:[00000030h]	48_2_005B4577
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005B4577 mov eax, dword ptr fs:[00000030h]	48_2_005B4577
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005B4577 mov eax, dword ptr fs:[00000030h]	48_2_005B4577
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005B4577 mov eax, dword ptr fs:[00000030h]	48_2_005B4577
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005B4577 mov eax, dword ptr fs:[00000030h]	48_2_005B4577
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005B4577 mov eax, dword ptr fs:[00000030h]	48_2_005B4577
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005B4577 mov eax, dword ptr fs:[00000030h]	48_2_005B4577
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005B4577 mov eax, dword ptr fs:[00000030h]	48_2_005B4577
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005B4577 mov eax, dword ptr fs:[00000030h]	48_2_005B4577
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005B4577 mov eax, dword ptr fs:[00000030h]	48_2_005B4577
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005B4577 mov eax, dword ptr fs:[00000030h]	48_2_005B4577
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005B4577 mov eax, dword ptr fs:[00000030h]	48_2_005B4577
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0058D910 mov eax, dword ptr fs:[00000030h]	48_2_0058D910
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005B3A40 mov eax, dword ptr fs:[00000030h]	48_2_005B3A40
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005B3A40 mov eax, dword ptr fs:[00000030h]	48_2_005B3A40
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005B3E4B mov eax, dword ptr fs:[00000030h]	48_2_005B3E4B
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005B3E4B mov eax, dword ptr fs:[00000030h]	48_2_005B3E4B
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005B3E4B mov eax, dword ptr fs:[00000030h]	48_2_005B3E4B
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005B3E4B mov eax, dword ptr fs:[00000030h]	48_2_005B3E4B
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_00570010 mov eax, dword ptr fs:[00000030h]	48_2_00570010
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_00564280 mov eax, dword ptr fs:[00000030h]	48_2_00564280
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0056C155 mov eax, dword ptr fs:[00000030h]	48_2_0056C155
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005B4638 mov eax, dword ptr fs:[00000030h]	48_2_005B4638
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005648E0 mov eax, dword ptr fs:[00000030h]	48_2_005648E0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005648E0 mov eax, dword ptr fs:[00000030h]	48_2_005648E0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005648E0 mov eax, dword ptr fs:[00000030h]	48_2_005648E0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005648E0 mov eax, dword ptr fs:[00000030h]	48_2_005648E0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005648E0 mov eax, dword ptr fs:[00000030h]	48_2_005648E0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005648E0 mov eax, dword ptr fs:[00000030h]	48_2_005648E0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005648E0 mov eax, dword ptr fs:[00000030h]	48_2_005648E0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005648E0 mov eax, dword ptr fs:[00000030h]	48_2_005648E0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005648E0 mov eax, dword ptr fs:[00000030h]	48_2_005648E0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005648E0 mov eax, dword ptr fs:[00000030h]	48_2_005648E0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005648E0 mov eax, dword ptr fs:[00000030h]	48_2_005648E0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005648E0 mov eax, dword ptr fs:[00000030h]	48_2_005648E0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0056C155 mov eax, dword ptr fs:[00000030h]	48_2_0056C155
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_00564DC9 mov eax, dword ptr fs:[00000030h]	48_2_00564DC9
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005B4EC8 mov eax, dword ptr fs:[00000030h]	48_2_005B4EC8
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0056C155 mov eax, dword ptr fs:[00000030h]	48_2_0056C155
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_00565498 mov eax, dword ptr fs:[00000030h]	48_2_00565498
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0056C155 mov eax, dword ptr fs:[00000030h]	48_2_0056C155
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005657B8 mov eax, dword ptr fs:[00000030h]	48_2_005657B8
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005B57A3 mov eax, dword ptr fs:[00000030h]	48_2_005B57A3
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005B59E5 mov eax, dword ptr fs:[00000030h]	48_2_005B59E5
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_00565A10 mov ecx, dword ptr fs:[00000030h]	48_2_00565A10

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\user\Desktop\InjectToolInstaller.exe

Code function: 0_2_013ED3E1 GetProcessHeap,

0_2_013ED3E1

Enables debug privileges

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013C0E21 SetUnhandledExceptionFilter,	0_2_013C0E21
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013C00D5 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_013C00D5
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013C0C8C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_013C0C8C
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013E4F8A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_013E4F8A
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F2B6FF0 SetUnhandledExceptionFilter,_invalid_parameter_noinfo,	24_2_000000013F2B6FF0
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F2B756C SetUnhandledExceptionFilter,	24_2_000000013F2B756C
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F2B7388 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	24_2_000000013F2B7388
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F2BBB94 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	24_2_000000013F2BBB94
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F2B6894 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	24_2_000000013F2B6894
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0063006D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	48_2_0063006D
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_006345A4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	48_2_006345A4
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0062FCC4 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	48_2_0062FCC4

Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -command "Add-MpPreference -ExclusionPath "C:\Users\user\Appdata\Local" -Force"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -command "Add-MpPreference -ExclusionPath "C:\Users\user\Appdata\Local" -Force"

Contains functionality to inject threads in other processes

Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe

48_2_00569F50

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe

Memory written: C:\Users\user\AppData\Local\Temp\insta313tg.exe base: 550000 value starts with: 4D5A

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\7zS48C4B291\run.bat" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\user\AppData\Local\Temp\installer.bat	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\user\AppData\Local\Temp\1.bat	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\data.exe C:\Users\user\AppData\Local\Temp\data.exe -p"hty6u57tfg" -d"C:\Users\user\AppData\Local\Temp\"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\net.exe NET FILE
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /C "C:\Users\user\AppData\Local\Temp\1.bat"
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 FILE
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\net.exe NET FILE
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -command "Add-MpPreference -ExclusionPath "C:\Users\user\Appdata\Local" -Force"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -command "Add-MpPreference -AttackSurfaceReductionOnlyExclusions "C:\Users\user\Appdata\Local" -Force"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\data.exe C:\Users\user\AppData\Local\Temp\data.exe -p"hty6u57tfg" -d"C:\Users\user\AppData\Local\Temp\"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\7zS48C4B291\runas.vbs"
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 FILE
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\insta313tg.exe "C:\Users\user\AppData\Local\Temp\insta313tg.exe"
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Process created: C:\Users\user\AppData\Local\Temp\insta313tg.exe "C:\Users\user\AppData\Local\Temp\insta313tg.exe"

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\InjectToolInstaller.exe

Code function: 0_2_013C0EDF cpuid

0_2_013C0EDF

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: GetLocaleInfoW,	0_2_013E65D4
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: IsValidCodePage,GetLocaleInfoW,	0_2_013EC7DC
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: EnumSystemLocalesW,	0_2_013ECB58
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_013ECBE5
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: EnumSystemLocalesW,	0_2_013ECA54
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: EnumSystemLocalesW,	0_2_013ECABD
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_013ECF5E
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: GetLocaleInfoW,	0_2_013ECE35
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_013ED132
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: GetLocaleInfoW,	0_2_013ED065
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: EnumSystemLocalesW,	0_2_013E5B84
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: EnumSystemLocalesW,	0_2_013E5CA0
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: EnumSystemLocalesW,	0_2_013E5CEC
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: EnumSystemLocalesW,	0_2_013E5CE4
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: GetLocaleInfoW,GetNumberFormatW,	24_2_000000013F2B18DC
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey,	48_2_0055C430
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: EnumSystemLocalesW,	48_2_0065004D
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	48_2_006500D8
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: GetLocaleInfoW,	48_2_0065032B
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	48_2_00650454
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: GetLocaleInfoW,	48_2_0065055A
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	48_2_00650630
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: EnumSystemLocalesW,	48_2_00646F4A
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: GetLocaleInfoW,	48_2_006474CE
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: GetLocaleInfoEx,FormatMessageA,	48_2_0062D793
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	48_2_0064FCBB
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: GetLocaleInfoW,	48_2_0064FEC0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: EnumSystemLocalesW,	48_2_0064FF67
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: EnumSystemLocalesW,	48_2_0064FFB2

Queries information about the installed CPU (vendor, model number etc)

Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\1.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.TroubleshootingPack\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.TroubleshootingPack.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\Microsoft.Windows.Diagnosis.SDEngine\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.SDEngine.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\1.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.TroubleshootingPack\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.TroubleshootingPack.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\Microsoft.Windows.Diagnosis.SDEngine\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.SDEngine.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\insta313tg.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\InjectToolInstaller.exe

Code function: 0_2_013E663E GetSystemTimeAsFileTime,

0_2_013E663E

Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe

48_2_00596230

Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe

48_2_0055C430

Source: C:\Users\user\Desktop\InjectToolInstaller.exe

Code function: 0_2_013BEC4C __EH_prolog3_GS,GetVersionExA,GetCommandLineW,MessageBoxW,MessageBoxW,MessageBoxW,MessageBoxW,ShellExecuteExA,CreateProcessA,CloseHandle,WaitForSingleObject,CloseHandle,

0_2_013BEC4C

Source: C:\Windows\SysWOW64\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Yara detected PureLog Stealer

Source: Yara match	File source: 42.2.insta313tg.exe.5120000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 42.2.insta313tg.exe.5120000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000002A.00000002.471803561.0000000005120000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\logins.json
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad\CURRENT
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb\CURRENT
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_blnieiiffboillknjnepogjhkgnoapac_0.indexeddb.leveldb\CURRENT
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad\CURRENT
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb\CURRENT
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\signons.sqlite
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid\CURRENT
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\places.sqlite
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_cjelfplplebdjjenllpjcblmjkfcffne_0.indexeddb.leveldb\CURRENT
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid\CURRENT
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\formhistory.sqlite
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003

Shows file infection / information gathering behavior (enumerates multiple directory for files)

Source: C:\Windows\SysWOW64\cmd.exe	Directory queried: number of queries: 1617
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Directory queried: number of queries: 1043

Remote Access Functionality

Yara detected PureLog Stealer

Source: Yara match	File source: 42.2.insta313tg.exe.5120000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 42.2.insta313tg.exe.5120000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000002A.00000002.471803561.0000000005120000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Windows Analysis Report
InjectToolInstaller.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Contacted URLs

ID:	1417459
Product:	CloudBasic
Start time:	11:03:01
Start date:	29.03.2024
Sample:	InjectToolInstaller.exe
Cookbook:	default.jbs
System description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Architecture:	WINDOWS
MD5:	86daf2965a3ac93c7119b5eccbeca489
SHA1:	ac7b034df5b8e42dfaa21ee7cf6656664a7dcf02
SHA256:	358bdb901a68378a995c91b5d500c579851b1ced09c28060e03734f8b48c0c80
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Windows Analysis Report InjectToolInstaller.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Contacted URLs

Windows Analysis Report
InjectToolInstaller.exe