Edit tour

Windows Analysis Report
JiH0aUfOU6.exe

Overview

General Information

Sample name:	JiH0aUfOU6.exe
Analysis ID:	1593605
MD5:	9b979d3d3f37bcb0525fe001b19be432
SHA1:	7e7edfd66d742e4dad4bea84aceb2a4ece7c817d
SHA256:	634dd946969fd0ea89693faa9943907a7d539c722dc63a5dbd4b23a2bee6daae
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

Found many strings related to Crypto-Wallets (likely being stolen)

Queries memory information (via WMI often done to detect virtual machines)

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments

Tries to harvest and steal Bitcoin Wallet information

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Queries information about the installed CPU (vendor, model number etc)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the product ID of Windows

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Stores large binary data to the registry

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara detected Keylogger Generic

Classification

Process Tree

System is w10x64native

JiH0aUfOU6.exe (PID: 2040 cmdline: "C:\Users\user\Desktop\JiH0aUfOU6.exe" MD5: 9B979D3D3F37BCB0525FE001B19BE432)

JiH0aUfOU6.tmp (PID: 484 cmdline: "C:\Users\user\AppData\Local\Temp\is-QF4D1.tmp\JiH0aUfOU6.tmp" /SL5="$10446,2802098,845824,C:\Users\user\Desktop\JiH0aUfOU6.exe" MD5: E587511F17C07622F2E88BDE6DC2A499)

Autoit3.exe (PID: 5648 cmdline: "C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe" C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\script.a3x MD5: C56B5F0201A3B3DE53E561FE76912BFD)

RegAsm.exe (PID: 7508 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 0D5DF43AF2916F47D00C1573797C1A13)

AutoIt3.exe (PID: 8300 cmdline: "C:\kchhcfb\AutoIt3.exe" C:\kchhcfb\caehccg.a3x MD5: C56B5F0201A3B3DE53E561FE76912BFD)

RegAsm.exe (PID: 8356 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 0D5DF43AF2916F47D00C1573797C1A13)

RegAsm.exe (PID: 8364 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 0D5DF43AF2916F47D00C1573797C1A13)

AutoIt3.exe (PID: 8420 cmdline: "C:\kchhcfb\AutoIt3.exe" C:\kchhcfb\caehccg.a3x MD5: C56B5F0201A3B3DE53E561FE76912BFD)

RegAsm.exe (PID: 8448 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 0D5DF43AF2916F47D00C1573797C1A13)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
0000000A.00000002.794286967682.0000000002A72000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000006.00000002.799001778724.0000000002AC8000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Autoit3.exe PID: 5648	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: RegAsm.exe PID: 7508	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: AutoIt3.exe PID: 8300	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Process Memory Space: RegAsm.exe PID: 8364	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: AutoIt3.exe PID: 8420	JoeSecurity_Keylogger_Generic	Yara detected Keylogger Generic	Joe Security
Click to see the 2 entries

Sigma Signatures

System Summary

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments

Source: Process started

Author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth (Nextron Systems), Christian Burkard (Nextron Systems): Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe" C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\script.a3x, ParentImage: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe, ParentProcessId: 5648, ParentProcessName: Autoit3.exe, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ProcessId: 7508, ProcessName: RegAsm.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\kchhcfb\AutoIt3.exe" C:\kchhcfb\caehccg.a3x, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe, ProcessId: 5648, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\caehccg

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-17T11:59:08.468563+0100	2028371	3	Unknown Traffic	192.168.11.30	49868	23.212.251.204	443	TCP
2025-01-17T12:00:11.891570+0100	2028371	3	Unknown Traffic	192.168.11.30	49872	23.212.251.204	443	TCP
2025-01-17T12:03:21.382965+0100	2028371	3	Unknown Traffic	192.168.11.30	49874	23.212.251.204	443	TCP
2025-01-17T12:05:27.804918+0100	2028371	3	Unknown Traffic	192.168.11.30	49876	23.212.251.204	443	TCP
2025-01-17T12:07:34.277690+0100	2028371	3	Unknown Traffic	192.168.11.30	49877	23.212.251.204	443	TCP

ET MALWARE Generic AsyncRAT Style SSL Cert

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-17T11:59:17.460667+0100	2035595	1	Domain Observed Used for C2 Detected	185.196.10.22	56001	192.168.11.30	49869	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: JiH0aUfOU6.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: JiH0aUfOU6.exe	ReversingLabs: Detection: 39%
Source: JiH0aUfOU6.exe	Virustotal: Detection: 41%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Source: JiH0aUfOU6.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: JiH0aUfOU6.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: wntdll.pdbUGP source: Autoit3.exe, 00000005.00000002.793964374781.0000000004618000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000005.00000003.793959685277.000000000447C000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000005.00000003.793959276341.000000000459F000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000008.00000003.794119196690.00000000047FF000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000008.00000002.794126821854.0000000004878000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000008.00000003.794119647077.00000000046DC000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000000B.00000003.794198842202.000000000458F000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000000B.00000002.794205176005.0000000004608000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000000B.00000003.794199308020.000000000446C000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Autoit3.exe, 00000005.00000002.793964374781.0000000004618000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000005.00000003.793959685277.000000000447C000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000005.00000003.793959276341.000000000459F000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000008.00000003.794119196690.00000000047FF000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000008.00000002.794126821854.0000000004878000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000008.00000003.794119647077.00000000046DC000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000000B.00000003.794198842202.000000000458F000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000000B.00000002.794205176005.0000000004608000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000000B.00000003.794199308020.000000000446C000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Code function: 5_2_00644005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	5_2_00644005
Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Code function: 5_2_0064C2FF FindFirstFileW,FindNextFileW,FindClose,	5_2_0064C2FF
Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Code function: 5_2_0064494A GetFileAttributesW,FindFirstFileW,FindClose,	5_2_0064494A
Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Code function: 5_2_0064CD14 FindFirstFileW,FindClose,	5_2_0064CD14
Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Code function: 5_2_0064CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,	5_2_0064CD9F
Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Code function: 5_2_0064F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	5_2_0064F5D8
Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Code function: 5_2_0064F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	5_2_0064F735
Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Code function: 5_2_0064FA36 FindFirstFileW,Sleep,FindNextFileW,FindClose,	5_2_0064FA36
Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Code function: 5_2_00643CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	5_2_00643CE2
Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Code function: 5_2_00FE08FD FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,	5_2_00FE08FD
Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Code function: 5_2_00FDE22D GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,	5_2_00FDE22D
Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Code function: 5_2_00FE0A05 FindFirstFileA,GetLastError,	5_2_00FE0A05
Source: C:\kchhcfb\AutoIt3.exe	Code function: 8_2_00734005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	8_2_00734005
Source: C:\kchhcfb\AutoIt3.exe	Code function: 8_2_0073C2FF FindFirstFileW,FindNextFileW,FindClose,	8_2_0073C2FF
Source: C:\kchhcfb\AutoIt3.exe	Code function: 8_2_0073494A GetFileAttributesW,FindFirstFileW,FindClose,	8_2_0073494A
Source: C:\kchhcfb\AutoIt3.exe	Code function: 8_2_0073CD14 FindFirstFileW,FindClose,	8_2_0073CD14
Source: C:\kchhcfb\AutoIt3.exe	Code function: 8_2_0073CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,	8_2_0073CD9F
Source: C:\kchhcfb\AutoIt3.exe	Code function: 8_2_0073F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	8_2_0073F5D8
Source: C:\kchhcfb\AutoIt3.exe	Code function: 8_2_0073F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	8_2_0073F735
Source: C:\kchhcfb\AutoIt3.exe	Code function: 8_2_0073FA36 FindFirstFileW,Sleep,FindNextFileW,FindClose,	8_2_0073FA36
Source: C:\kchhcfb\AutoIt3.exe	Code function: 8_2_00733CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	8_2_00733CE2
Source: C:\kchhcfb\AutoIt3.exe	Code function: 8_2_011F219D FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,	8_2_011F219D
Source: C:\kchhcfb\AutoIt3.exe	Code function: 8_2_011F22A5 FindFirstFileA,GetLastError,	8_2_011F22A5
Source: C:\kchhcfb\AutoIt3.exe	Code function: 8_2_011EFACD GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,	8_2_011EFACD

Networking

Suricata IDS alerts for network traffic

Source: Network traffic

Suricata IDS: 2035595 - Severity 1 - ET MALWARE Generic AsyncRAT Style SSL Cert : 185.196.10.22:56001 -> 192.168.11.30:49869

Source: global traffic

TCP traffic: 192.168.11.30:49869 -> 185.196.10.22:56001

Source: Joe Sandbox View

ASN Name: SIMPLECARRIERCH SIMPLECARRIERCH

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.11.30:49872 -> 23.212.251.204:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.11.30:49868 -> 23.212.251.204:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.11.30:49876 -> 23.212.251.204:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.11.30:49874 -> 23.212.251.204:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.11.30:49877 -> 23.212.251.204:443

Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe

Code function: 5_2_006529BA InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

5_2_006529BA

Source: RegAsm.exe, 00000006.00000002.799015556310.00000000056E6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: JiH0aUfOU6.tmp, 00000003.00000003.794118663736.0000000003AE3000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000005.00000002.793964098384.000000000440A000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000005.00000003.793958628330.00000000045C3000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000005.00000003.793958879378.00000000044F0000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000008.00000003.794118434840.0000000004823000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000008.00000003.794118766961.0000000004750000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000008.00000002.794126660039.000000000466A000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000000B.00000003.794198102926.00000000045B3000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000000B.00000003.794198442002.00000000044E0000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000000B.00000002.794205032608.00000000043FA000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.3.dr, AutoIt3.exe.5.dr	String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: JiH0aUfOU6.tmp, 00000003.00000003.794118663736.0000000003AE3000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000005.00000002.793964098384.000000000440A000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000005.00000003.793958628330.00000000045C3000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000005.00000003.793958879378.00000000044F0000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000008.00000003.794118434840.0000000004823000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000008.00000003.794118766961.0000000004750000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000008.00000002.794126660039.000000000466A000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000000B.00000003.794198102926.00000000045B3000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000000B.00000003.794198442002.00000000044E0000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000000B.00000002.794205032608.00000000043FA000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.3.dr, AutoIt3.exe.5.dr	String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: JiH0aUfOU6.tmp, 00000003.00000003.794118663736.0000000003AE3000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000005.00000002.793964098384.000000000440A000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000005.00000003.793958628330.00000000045C3000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000005.00000003.793958879378.00000000044F0000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000008.00000003.794118434840.0000000004823000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000008.00000003.794118766961.0000000004750000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000008.00000002.794126660039.000000000466A000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000000B.00000003.794198102926.00000000045B3000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000000B.00000003.794198442002.00000000044E0000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000000B.00000002.794205032608.00000000043FA000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.3.dr, AutoIt3.exe.5.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: RegAsm.exe, 00000006.00000002.799015556310.00000000056E6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: JiH0aUfOU6.tmp, 00000003.00000003.794118663736.0000000003AE3000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000005.00000002.793964098384.000000000440A000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000005.00000003.793958628330.00000000045C3000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000005.00000003.793958879378.00000000044F0000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000008.00000003.794118434840.0000000004823000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000008.00000003.794118766961.0000000004750000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000008.00000002.794126660039.000000000466A000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000000B.00000003.794198102926.00000000045B3000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000000B.00000003.794198442002.00000000044E0000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000000B.00000002.794205032608.00000000043FA000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.3.dr, AutoIt3.exe.5.dr	String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: RegAsm.exe, 00000006.00000002.799015556310.00000000056E6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: RegAsm.exe, 00000006.00000002.799000215143.0000000000C55000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enl8
Source: RegAsm.exe, 00000006.00000002.798999302706.0000000000BA8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://go.microsoft.c
Source: RegAsm.exe, 00000006.00000002.798999302706.0000000000BA8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://go.microsoft.ce
Source: JiH0aUfOU6.tmp, 00000003.00000003.794118663736.0000000003AE3000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000005.00000002.793964098384.000000000440A000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000005.00000003.793958628330.00000000045C3000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000005.00000003.793958879378.00000000044F0000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000008.00000003.794118434840.0000000004823000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000008.00000003.794118766961.0000000004750000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000008.00000002.794126660039.000000000466A000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000000B.00000003.794198102926.00000000045B3000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000000B.00000003.794198442002.00000000044E0000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000000B.00000002.794205032608.00000000043FA000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.3.dr, AutoIt3.exe.5.dr	String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: JiH0aUfOU6.tmp, 00000003.00000003.794118663736.0000000003AE3000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000005.00000002.793964098384.000000000440A000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000005.00000003.793958628330.00000000045C3000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000005.00000003.793958879378.00000000044F0000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000008.00000003.794118434840.0000000004823000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000008.00000003.794118766961.0000000004750000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000008.00000002.794126660039.000000000466A000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000000B.00000003.794198102926.00000000045B3000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000000B.00000003.794198442002.00000000044E0000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000000B.00000002.794205032608.00000000043FA000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.3.dr, AutoIt3.exe.5.dr	String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: JiH0aUfOU6.tmp, 00000003.00000003.794118663736.0000000003AE3000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000005.00000002.793964098384.000000000440A000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000005.00000003.793958628330.00000000045C3000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000005.00000003.793958879378.00000000044F0000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000008.00000003.794118434840.0000000004823000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000008.00000003.794118766961.0000000004750000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000008.00000002.794126660039.000000000466A000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000000B.00000003.794198102926.00000000045B3000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000000B.00000003.794198442002.00000000044E0000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000000B.00000002.794205032608.00000000043FA000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.3.dr, AutoIt3.exe.5.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: RegAsm.exe, 00000006.00000002.799001778724.0000000002AC8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: JiH0aUfOU6.tmp, 00000003.00000003.794118663736.0000000003AE3000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000005.00000002.793964098384.000000000440A000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000005.00000003.793958628330.00000000045C3000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000005.00000003.793958879378.00000000044F0000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000008.00000003.794118434840.0000000004823000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000008.00000003.794118766961.0000000004750000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000008.00000002.794126660039.000000000466A000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000000B.00000003.794198102926.00000000045B3000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000000B.00000003.794198442002.00000000044E0000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000000B.00000002.794205032608.00000000043FA000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.3.dr, AutoIt3.exe.5.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: JiH0aUfOU6.tmp, 00000003.00000003.794118663736.0000000003AE3000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000005.00000002.793964098384.000000000440A000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000005.00000003.793958628330.00000000045C3000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000005.00000003.793958879378.00000000044F0000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000008.00000003.794118434840.0000000004823000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000008.00000003.794118766961.0000000004750000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000008.00000002.794126660039.000000000466A000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000000B.00000003.794198102926.00000000045B3000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000000B.00000003.794198442002.00000000044E0000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000000B.00000002.794205032608.00000000043FA000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.3.dr, AutoIt3.exe.5.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: JiH0aUfOU6.tmp, 00000003.00000003.794118663736.0000000003AE3000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000005.00000003.793958923693.00000000044E5000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000005.00000002.793964098384.000000000440A000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000005.00000003.793958628330.00000000045C3000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000005.00000002.793961065482.00000000006A9000.00000002.00000001.01000000.00000007.sdmp, AutoIt3.exe, 00000008.00000003.794118434840.0000000004823000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000008.00000002.794121454959.0000000000799000.00000002.00000001.01000000.0000000A.sdmp, AutoIt3.exe, 00000008.00000002.794126660039.000000000466A000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000008.00000003.794118840089.0000000004745000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000000B.00000003.794198102926.00000000045B3000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000000B.00000000.794156362171.0000000000799000.00000002.00000001.01000000.0000000A.sdmp, AutoIt3.exe, 0000000B.00000003.794198505492.00000000044D5000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000000B.00000002.794205032608.00000000043FA000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.3.dr, AutoIt3.exe.5.dr	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: RegAsm.exe, 00000006.00000002.799001778724.0000000002C95000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/DFfe9ewf/test3/raw/refs/heads/main/WebDriver.dll
Source: RegAsm.exe, 00000006.00000002.799001778724.0000000002C95000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/DFfe9ewf/test3/raw/refs/heads/main/chromedriver.exe
Source: RegAsm.exe, 00000006.00000002.799001778724.0000000002C95000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/DFfe9ewf/test3/raw/refs/heads/main/msedgedriver.exe
Source: RegAsm.exe, 00000006.00000002.799001778724.0000000002AC8000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000A.00000002.794286967682.0000000002A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/testdemo345/DemoThing/raw/main/WebDriver.dll
Source: RegAsm.exe, 00000006.00000002.799001778724.0000000002AC8000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000A.00000002.794286967682.0000000002A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/testdemo345/DemoThing/raw/main/chromedriver.exe
Source: RegAsm.exe, 00000006.00000002.799001778724.0000000002AC8000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000A.00000002.794286967682.0000000002A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/testdemo345/DemoThing/raw/main/msedgedriver.exe
Source: JiH0aUfOU6.exe	String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: RegAsm.exe, 00000006.00000002.799001778724.0000000002AC8000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.799001778724.0000000002C95000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000A.00000002.794286967682.0000000002A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: RegAsm.exe, 00000006.00000002.799001778724.0000000002AC8000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.799001778724.0000000002C95000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000A.00000002.794286967682.0000000002A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: RegAsm.exe, 00000006.00000002.799001778724.0000000002AC8000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000006.00000002.799001778724.0000000002C95000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 0000000A.00000002.794286967682.0000000002A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354rCannot
Source: JiH0aUfOU6.tmp, 00000003.00000003.794118663736.0000000003AE3000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000005.00000002.793964098384.000000000440A000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000005.00000003.793958628330.00000000045C3000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000005.00000003.793958879378.00000000044F0000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000008.00000003.794118434840.0000000004823000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000008.00000003.794118766961.0000000004750000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000008.00000002.794126660039.000000000466A000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000000B.00000003.794198102926.00000000045B3000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000000B.00000003.794198442002.00000000044E0000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000000B.00000002.794205032608.00000000043FA000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.3.dr, AutoIt3.exe.5.dr	String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: AutoIt3.exe.5.dr	String found in binary or memory: https://www.globalsign.com/repository/0
Source: JiH0aUfOU6.tmp, 00000003.00000003.794118663736.0000000003AE3000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000005.00000002.793964098384.000000000440A000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000005.00000003.793958628330.00000000045C3000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000005.00000003.793958879378.00000000044F0000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000008.00000003.794118434840.0000000004823000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000008.00000003.794118766961.0000000004750000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000008.00000002.794126660039.000000000466A000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000000B.00000003.794198102926.00000000045B3000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000000B.00000003.794198442002.00000000044E0000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000000B.00000002.794205032608.00000000043FA000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe.3.dr, AutoIt3.exe.5.dr	String found in binary or memory: https://www.globalsign.com/repository/06
Source: JiH0aUfOU6.exe, 00000002.00000003.793909959428.0000000002C30000.00000004.00001000.00020000.00000000.sdmp, JiH0aUfOU6.exe, 00000002.00000003.793910642068.000000007F5EB000.00000004.00001000.00020000.00000000.sdmp, JiH0aUfOU6.tmp, 00000003.00000000.793913322339.00000000009B1000.00000020.00000001.01000000.00000005.sdmp, JiH0aUfOU6.tmp.2.dr	String found in binary or memory: https://www.innosetup.com/
Source: JiH0aUfOU6.exe, 00000002.00000003.793909959428.0000000002C30000.00000004.00001000.00020000.00000000.sdmp, JiH0aUfOU6.exe, 00000002.00000003.793910642068.000000007F5EB000.00000004.00001000.00020000.00000000.sdmp, JiH0aUfOU6.tmp, 00000003.00000000.793913322339.00000000009B1000.00000020.00000001.01000000.00000005.sdmp, JiH0aUfOU6.tmp.2.dr	String found in binary or memory: https://www.remobjects.com/ps

Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe

Code function: 5_2_00654632 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

5_2_00654632

Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Code function: 5_2_00654830 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		5_2_00654830
Source: C:\kchhcfb\AutoIt3.exe	Code function: 8_2_00744830 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		8_2_00744830

Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe

5_2_00654632

Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe

Code function: 5_2_00640508 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

5_2_00640508

Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Code function: 5_2_0066D164 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		5_2_0066D164
Source: C:\kchhcfb\AutoIt3.exe	Code function: 8_2_0075D164 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		8_2_0075D164

Source: Yara match	File source: Process Memory Space: Autoit3.exe PID: 5648, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AutoIt3.exe PID: 8300, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AutoIt3.exe PID: 8420, type: MEMORYSTR

Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe

Code function: 5_2_00FF25F9 CreateDesktopA,CreateProcessA,CreateProcessA,CreateProcessA,CreateProcessA,WaitForSingleObject,

5_2_00FF25F9

Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Code function: 5_2_00FF5A81 GetCurrentProcessId,CreateProcessA,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,WriteProcessMemory,ResumeThread,Sleep,GetTickCount,		5_2_00FF5A81
Source: C:\kchhcfb\AutoIt3.exe	Code function: 8_2_01207321 GetCurrentProcessId,CreateProcessA,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,WriteProcessMemory,ResumeThread,Sleep,GetTickCount,		8_2_01207321

Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe

Code function: 5_2_00644254: CreateFileW,DeviceIoControl,CloseHandle,

5_2_00644254

Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe

Code function: 5_2_00638F2E DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

5_2_00638F2E

Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Code function: 5_2_00645778 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		5_2_00645778
Source: C:\kchhcfb\AutoIt3.exe	Code function: 8_2_00735778 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		8_2_00735778

Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Code function: 5_2_005E1663	5_2_005E1663
Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Code function: 5_2_005E9C80	5_2_005E9C80
Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Code function: 5_2_006023F5	5_2_006023F5
Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Code function: 5_2_00668400	5_2_00668400
Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Code function: 5_2_00616502	5_2_00616502
Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Code function: 5_2_0061265E	5_2_0061265E
Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Code function: 5_2_005EE6F0	5_2_005EE6F0
Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Code function: 5_2_0060282A	5_2_0060282A
Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Code function: 5_2_006189BF	5_2_006189BF
Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Code function: 5_2_00616A74	5_2_00616A74
Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Code function: 5_2_00660A3A	5_2_00660A3A
Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Code function: 5_2_005F0BE0	5_2_005F0BE0
Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Code function: 5_2_0060CD51	5_2_0060CD51
Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Code function: 5_2_0063EDB2	5_2_0063EDB2
Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Code function: 5_2_00648E44	5_2_00648E44
Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Code function: 5_2_00660EB7	5_2_00660EB7
Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Code function: 5_2_00616FE6	5_2_00616FE6
Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Code function: 5_2_006033B7	5_2_006033B7
Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Code function: 5_2_005FD45D	5_2_005FD45D
Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Code function: 5_2_0060F409	5_2_0060F409
Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Code function: 5_2_005E94E0	5_2_005E94E0
Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Code function: 5_2_005FF628	5_2_005FF628
Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Code function: 5_2_006016B4	5_2_006016B4
Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Code function: 5_2_005EF6A0	5_2_005EF6A0
Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Code function: 5_2_006078C3	5_2_006078C3
Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Code function: 5_2_0060DBA5	5_2_0060DBA5
Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Code function: 5_2_00601BA8	5_2_00601BA8
Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Code function: 5_2_00619CE5	5_2_00619CE5
Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Code function: 5_2_005FDD28	5_2_005FDD28
Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Code function: 5_2_00601FC0	5_2_00601FC0
Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Code function: 5_2_0060BFD6	5_2_0060BFD6
Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Code function: 5_2_00FF53D9	5_2_00FF53D9
Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Code function: 5_2_00FF53D2	5_2_00FF53D2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_00EC51D0	6_2_00EC51D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_00ECD978	6_2_00ECD978
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_00ECE248	6_2_00ECE248
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_00EC5530	6_2_00EC5530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_00ECD630	6_2_00ECD630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_00EC51BF	6_2_00EC51BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_00ECB228	6_2_00ECB228
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_00EC23E8	6_2_00EC23E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_00EC24F3	6_2_00EC24F3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_00EC24DC	6_2_00EC24DC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_00EC248A	6_2_00EC248A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_00EC2464	6_2_00EC2464
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_00EC4450	6_2_00EC4450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_00EC2451	6_2_00EC2451
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_00EC2424	6_2_00EC2424
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_00EC23E8	6_2_00EC23E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_00EC5521	6_2_00EC5521
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_00EC1E20	6_2_00EC1E20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_00EC1E09	6_2_00EC1E09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_00EC2FA0	6_2_00EC2FA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_05668D38	6_2_05668D38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_05669222	6_2_05669222
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_0566DFA8	6_2_0566DFA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_0566ABE8	6_2_0566ABE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_057B4720	6_2_057B4720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_057BD3F0	6_2_057BD3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_057BB595	6_2_057BB595
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_057B2CC0	6_2_057B2CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_057BBEF0	6_2_057BBEF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_057BD3DF	6_2_057BD3DF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_05848650	6_2_05848650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_058410E1	6_2_058410E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_05840040	6_2_05840040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_05840007	6_2_05840007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_05849C20	6_2_05849C20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_05843938	6_2_05843938
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_058769A0	6_2_058769A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_0587875D	6_2_0587875D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_05878766	6_2_05878766
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_058762DF	6_2_058762DF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_05870D08	6_2_05870D08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_05878C74	6_2_05878C74
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_05876990	6_2_05876990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_0587884E	6_2_0587884E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_05CD447D	6_2_05CD447D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_05CD5360	6_2_05CD5360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_05CDC5D2	6_2_05CDC5D2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_05CDC570	6_2_05CDC570
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_05CDC680	6_2_05CDC680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_05CD50C2	6_2_05CD50C2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_05CD50D0	6_2_05CD50D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_05CD5354	6_2_05CD5354
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_07512228	6_2_07512228
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_07517018	6_2_07517018
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_075616B8	6_2_075616B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 6_2_075765E0	6_2_075765E0
Source: C:\kchhcfb\AutoIt3.exe	Code function: 8_2_006D1663	8_2_006D1663
Source: C:\kchhcfb\AutoIt3.exe	Code function: 8_2_006D9C80	8_2_006D9C80
Source: C:\kchhcfb\AutoIt3.exe	Code function: 8_2_006F23F5	8_2_006F23F5
Source: C:\kchhcfb\AutoIt3.exe	Code function: 8_2_00758400	8_2_00758400
Source: C:\kchhcfb\AutoIt3.exe	Code function: 8_2_00706502	8_2_00706502
Source: C:\kchhcfb\AutoIt3.exe	Code function: 8_2_0070265E	8_2_0070265E
Source: C:\kchhcfb\AutoIt3.exe	Code function: 8_2_006DE6F0	8_2_006DE6F0
Source: C:\kchhcfb\AutoIt3.exe	Code function: 8_2_006F282A	8_2_006F282A
Source: C:\kchhcfb\AutoIt3.exe	Code function: 8_2_007089BF	8_2_007089BF
Source: C:\kchhcfb\AutoIt3.exe	Code function: 8_2_00706A74	8_2_00706A74
Source: C:\kchhcfb\AutoIt3.exe	Code function: 8_2_00750A3A	8_2_00750A3A
Source: C:\kchhcfb\AutoIt3.exe	Code function: 8_2_006E0BE0	8_2_006E0BE0
Source: C:\kchhcfb\AutoIt3.exe	Code function: 8_2_006FCD51	8_2_006FCD51
Source: C:\kchhcfb\AutoIt3.exe	Code function: 8_2_0072EDB2	8_2_0072EDB2
Source: C:\kchhcfb\AutoIt3.exe	Code function: 8_2_00738E44	8_2_00738E44
Source: C:\kchhcfb\AutoIt3.exe	Code function: 8_2_00750EB7	8_2_00750EB7
Source: C:\kchhcfb\AutoIt3.exe	Code function: 8_2_00706FE6	8_2_00706FE6
Source: C:\kchhcfb\AutoIt3.exe	Code function: 8_2_006F33B7	8_2_006F33B7
Source: C:\kchhcfb\AutoIt3.exe	Code function: 8_2_006ED45D	8_2_006ED45D
Source: C:\kchhcfb\AutoIt3.exe	Code function: 8_2_006FF409	8_2_006FF409
Source: C:\kchhcfb\AutoIt3.exe	Code function: 8_2_006D94E0	8_2_006D94E0
Source: C:\kchhcfb\AutoIt3.exe	Code function: 8_2_006EF628	8_2_006EF628
Source: C:\kchhcfb\AutoIt3.exe	Code function: 8_2_006DF6A0	8_2_006DF6A0
Source: C:\kchhcfb\AutoIt3.exe	Code function: 8_2_006F16B4	8_2_006F16B4
Source: C:\kchhcfb\AutoIt3.exe	Code function: 8_2_006F78C3	8_2_006F78C3
Source: C:\kchhcfb\AutoIt3.exe	Code function: 8_2_006F1BA8	8_2_006F1BA8
Source: C:\kchhcfb\AutoIt3.exe	Code function: 8_2_006FDBA5	8_2_006FDBA5
Source: C:\kchhcfb\AutoIt3.exe	Code function: 8_2_00709CE5	8_2_00709CE5
Source: C:\kchhcfb\AutoIt3.exe	Code function: 8_2_006EDD28	8_2_006EDD28
Source: C:\kchhcfb\AutoIt3.exe	Code function: 8_2_006F1FC0	8_2_006F1FC0
Source: C:\kchhcfb\AutoIt3.exe	Code function: 8_2_006FBFD6	8_2_006FBFD6
Source: C:\kchhcfb\AutoIt3.exe	Code function: 8_2_01206C72	8_2_01206C72
Source: C:\kchhcfb\AutoIt3.exe	Code function: 8_2_01206C79	8_2_01206C79

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe 237D1BCA6E056DF5BB16A1216A434634109478F882D3B1D58344C801D184F95D

Source: C:\kchhcfb\AutoIt3.exe	Code function: String function: 006E1A36 appears 34 times
Source: C:\kchhcfb\AutoIt3.exe	Code function: String function: 006F8B30 appears 42 times
Source: C:\kchhcfb\AutoIt3.exe	Code function: String function: 006F0D17 appears 70 times
Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Code function: String function: 00600D17 appears 70 times
Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Code function: String function: 00608B30 appears 42 times
Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Code function: String function: 005F1A36 appears 34 times

Source: JiH0aUfOU6.tmp.2.dr

Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows

Source: JiH0aUfOU6.tmp.2.dr	Static PE information: Number of sections : 11 > 10
Source: JiH0aUfOU6.exe	Static PE information: Number of sections : 11 > 10

Source: JiH0aUfOU6.exe, 00000002.00000000.793908667713.0000000000619000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFileName vs JiH0aUfOU6.exe
Source: JiH0aUfOU6.exe, 00000002.00000003.793910642068.000000007F8EA000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFileName vs JiH0aUfOU6.exe
Source: JiH0aUfOU6.exe, 00000002.00000003.793909959428.0000000002D4E000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFileName vs JiH0aUfOU6.exe
Source: JiH0aUfOU6.exe	Binary or memory string: OriginalFileName vs JiH0aUfOU6.exe

Source: JiH0aUfOU6.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 6.2.RegAsm.exe.3bf0c90.3.raw.unpack, sSuX93MZsYEcAG0TpT6.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 6.2.RegAsm.exe.3bf0c90.3.raw.unpack, sSuX93MZsYEcAG0TpT6.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 6.2.RegAsm.exe.73c0000.5.raw.unpack, sSuX93MZsYEcAG0TpT6.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 6.2.RegAsm.exe.73c0000.5.raw.unpack, sSuX93MZsYEcAG0TpT6.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal100.spyw.evad.winEXE@15/7@0/1

Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe

Code function: 5_2_0064A6AD GetLastError,FormatMessageW,

5_2_0064A6AD

Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Code function: 5_2_00638DE9 AdjustTokenPrivileges,CloseHandle,	5_2_00638DE9
Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Code function: 5_2_00639399 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	5_2_00639399
Source: C:\kchhcfb\AutoIt3.exe	Code function: 8_2_00728DE9 AdjustTokenPrivileges,CloseHandle,	8_2_00728DE9
Source: C:\kchhcfb\AutoIt3.exe	Code function: 8_2_00729399 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	8_2_00729399

Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe

Code function: 5_2_0064B976 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

5_2_0064B976

Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe

Code function: 5_2_00644148 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

5_2_00644148

Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe

Code function: 5_2_0064C9DA CoInitialize,CoCreateInstance,CoUninitialize,

5_2_0064C9DA

Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe

Code function: 5_2_0064443D FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx,

5_2_0064443D

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Mutant created: \Sessions\1\BaseNamedObjects\fe5d05a685
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Mutant created: NULL

Source: C:\Users\user\Desktop\JiH0aUfOU6.exe

File created: C:\Users\user\AppData\Local\Temp\is-QF4D1.tmp

Jump to behavior

Source: C:\Users\user\Desktop\JiH0aUfOU6.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\JiH0aUfOU6.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QF4D1.tmp\JiH0aUfOU6.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QF4D1.tmp\JiH0aUfOU6.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\kchhcfb\AutoIt3.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\kchhcfb\AutoIt3.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\JiH0aUfOU6.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-QF4D1.tmp\JiH0aUfOU6.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Jump to behavior

Source: JiH0aUfOU6.exe	ReversingLabs: Detection: 39%
Source: JiH0aUfOU6.exe	Virustotal: Detection: 41%

Source: JiH0aUfOU6.exe

String found in binary or memory: /LOADINF="filename"

Source: C:\Users\user\Desktop\JiH0aUfOU6.exe

File read: C:\Users\user\Desktop\JiH0aUfOU6.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\JiH0aUfOU6.exe "C:\Users\user\Desktop\JiH0aUfOU6.exe"
Source: C:\Users\user\Desktop\JiH0aUfOU6.exe	Process created: C:\Users\user\AppData\Local\Temp\is-QF4D1.tmp\JiH0aUfOU6.tmp "C:\Users\user\AppData\Local\Temp\is-QF4D1.tmp\JiH0aUfOU6.tmp" /SL5="$10446,2802098,845824,C:\Users\user\Desktop\JiH0aUfOU6.exe"
Source: C:\Users\user\AppData\Local\Temp\is-QF4D1.tmp\JiH0aUfOU6.tmp	Process created: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe "C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe" C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\script.a3x
Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: unknown	Process created: C:\kchhcfb\AutoIt3.exe "C:\kchhcfb\AutoIt3.exe" C:\kchhcfb\caehccg.a3x
Source: C:\kchhcfb\AutoIt3.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\kchhcfb\AutoIt3.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: unknown	Process created: C:\kchhcfb\AutoIt3.exe "C:\kchhcfb\AutoIt3.exe" C:\kchhcfb\caehccg.a3x
Source: C:\kchhcfb\AutoIt3.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Users\user\Desktop\JiH0aUfOU6.exe	Process created: C:\Users\user\AppData\Local\Temp\is-QF4D1.tmp\JiH0aUfOU6.tmp "C:\Users\user\AppData\Local\Temp\is-QF4D1.tmp\JiH0aUfOU6.tmp" /SL5="$10446,2802098,845824,C:\Users\user\Desktop\JiH0aUfOU6.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QF4D1.tmp\JiH0aUfOU6.tmp	Process created: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe "C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe" C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\script.a3x	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Jump to behavior
Source: C:\kchhcfb\AutoIt3.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Jump to behavior
Source: C:\kchhcfb\AutoIt3.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Jump to behavior
Source: C:\kchhcfb\AutoIt3.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Jump to behavior

Source: C:\Users\user\Desktop\JiH0aUfOU6.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\Desktop\JiH0aUfOU6.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\JiH0aUfOU6.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QF4D1.tmp\JiH0aUfOU6.tmp	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QF4D1.tmp\JiH0aUfOU6.tmp	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QF4D1.tmp\JiH0aUfOU6.tmp	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QF4D1.tmp\JiH0aUfOU6.tmp	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QF4D1.tmp\JiH0aUfOU6.tmp	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QF4D1.tmp\JiH0aUfOU6.tmp	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QF4D1.tmp\JiH0aUfOU6.tmp	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QF4D1.tmp\JiH0aUfOU6.tmp	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QF4D1.tmp\JiH0aUfOU6.tmp	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QF4D1.tmp\JiH0aUfOU6.tmp	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QF4D1.tmp\JiH0aUfOU6.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QF4D1.tmp\JiH0aUfOU6.tmp	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QF4D1.tmp\JiH0aUfOU6.tmp	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QF4D1.tmp\JiH0aUfOU6.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QF4D1.tmp\JiH0aUfOU6.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QF4D1.tmp\JiH0aUfOU6.tmp	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QF4D1.tmp\JiH0aUfOU6.tmp	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QF4D1.tmp\JiH0aUfOU6.tmp	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QF4D1.tmp\JiH0aUfOU6.tmp	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QF4D1.tmp\JiH0aUfOU6.tmp	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QF4D1.tmp\JiH0aUfOU6.tmp	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\kchhcfb\AutoIt3.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\kchhcfb\AutoIt3.exe	Section loaded: version.dll	Jump to behavior
Source: C:\kchhcfb\AutoIt3.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\kchhcfb\AutoIt3.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\kchhcfb\AutoIt3.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\kchhcfb\AutoIt3.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\kchhcfb\AutoIt3.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\kchhcfb\AutoIt3.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\kchhcfb\AutoIt3.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\kchhcfb\AutoIt3.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\kchhcfb\AutoIt3.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\kchhcfb\AutoIt3.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\kchhcfb\AutoIt3.exe	Section loaded: version.dll	Jump to behavior
Source: C:\kchhcfb\AutoIt3.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\kchhcfb\AutoIt3.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\kchhcfb\AutoIt3.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\kchhcfb\AutoIt3.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\kchhcfb\AutoIt3.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\kchhcfb\AutoIt3.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\kchhcfb\AutoIt3.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\kchhcfb\AutoIt3.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\kchhcfb\AutoIt3.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wbemcomn.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-QF4D1.tmp\JiH0aUfOU6.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: JiH0aUfOU6.exe

Static file information: File size 3796818 > 1048576

Source: JiH0aUfOU6.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: wntdll.pdbUGP source: Autoit3.exe, 00000005.00000002.793964374781.0000000004618000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000005.00000003.793959685277.000000000447C000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000005.00000003.793959276341.000000000459F000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000008.00000003.794119196690.00000000047FF000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000008.00000002.794126821854.0000000004878000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000008.00000003.794119647077.00000000046DC000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000000B.00000003.794198842202.000000000458F000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000000B.00000002.794205176005.0000000004608000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000000B.00000003.794199308020.000000000446C000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Autoit3.exe, 00000005.00000002.793964374781.0000000004618000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000005.00000003.793959685277.000000000447C000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000005.00000003.793959276341.000000000459F000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000008.00000003.794119196690.00000000047FF000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000008.00000002.794126821854.0000000004878000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 00000008.00000003.794119647077.00000000046DC000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000000B.00000003.794198842202.000000000458F000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000000B.00000002.794205176005.0000000004608000.00000004.00001000.00020000.00000000.sdmp, AutoIt3.exe, 0000000B.00000003.794199308020.000000000446C000.00000004.00001000.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 6.2.RegAsm.exe.3bf0c90.3.raw.unpack, sSuX93MZsYEcAG0TpT6.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 6.2.RegAsm.exe.73c0000.5.raw.unpack, sSuX93MZsYEcAG0TpT6.cs	.Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})

.NET source code contains potential unpacker

Source: 6.2.RegAsm.exe.3bf0c90.3.raw.unpack, TypeSerializer.cs	.Net Code: CreateInstance
Source: 6.2.RegAsm.exe.3bf0c90.3.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateIfNull
Source: 6.2.RegAsm.exe.73c0000.5.raw.unpack, TypeSerializer.cs	.Net Code: CreateInstance
Source: 6.2.RegAsm.exe.73c0000.5.raw.unpack, TypeSerializer.cs	.Net Code: EmitCreateIfNull

Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe

Code function: 5_2_0065C6D9 LoadLibraryA,GetProcAddress,

5_2_0065C6D9

Source: JiH0aUfOU6.exe	Static PE information: section name: .didata
Source: JiH0aUfOU6.tmp.2.dr	Static PE information: section name: .didata

Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Code function: 5_2_00608B75 push ecx; ret	5_2_00608B88
Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Code function: 5_2_005FCBF1 push eax; retf	5_2_005FCBF8
Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Code function: 5_2_00FDF01D push 00FDF049h; ret	5_2_00FDF041
Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Code function: 5_2_00FF6015 push 00FF6041h; ret	5_2_00FF6039
Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Code function: 5_2_00FF6014 push 00FF6041h; ret	5_2_00FF6039
Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Code function: 5_2_00FF31D5 push 00FF3221h; ret	5_2_00FF3219
Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Code function: 5_2_00FE6191 push 00FE61BDh; ret	5_2_00FE61B5
Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Code function: 5_2_00FEF155 push 00FEF200h; ret	5_2_00FEF1F8
Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Code function: 5_2_00FEF153 push 00FEF200h; ret	5_2_00FEF1F8
Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Code function: 5_2_00FDF2E6 push 00FDF5E9h; ret	5_2_00FDF5E1
Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Code function: 5_2_00FF32D5 push 00FF3301h; ret	5_2_00FF32F9
Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Code function: 5_2_00FDF2AD push 00FDF2D9h; ret	5_2_00FDF2D1
Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Code function: 5_2_00FF329D push 00FF32C9h; ret	5_2_00FF32C1
Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Code function: 5_2_00FF3265 push 00FF3291h; ret	5_2_00FF3289
Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Code function: 5_2_00FF322D push 00FF3259h; ret	5_2_00FF3251
Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Code function: 5_2_00FEF205 push 00FEF295h; ret	5_2_00FEF28D
Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Code function: 5_2_00FF63CE push 00FF6455h; ret	5_2_00FF644D
Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Code function: 5_2_00FF33B5 push 00FF33E1h; ret	5_2_00FF33D9
Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Code function: 5_2_00FF53A1 push 00FF53CDh; ret	5_2_00FF53C5
Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Code function: 5_2_00FF139D push 00FF13C9h; ret	5_2_00FF13C1
Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Code function: 5_2_00FF337D push 00FF33A9h; ret	5_2_00FF33A1
Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Code function: 5_2_00FF337B push 00FF33A9h; ret	5_2_00FF33A1
Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Code function: 5_2_00FF330D push 00FF3339h; ret	5_2_00FF3331
Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Code function: 5_2_00FF14F1 push 00FF151Dh; ret	5_2_00FF1515
Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Code function: 5_2_00FF14B9 push 00FF14E5h; ret	5_2_00FF14DD
Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Code function: 5_2_00FF6461 push 00FF6487h; ret	5_2_00FF647F
Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Code function: 5_2_00FF6429 push 00FF6455h; ret	5_2_00FF644D
Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Code function: 5_2_00FF6421 push 00FF6455h; ret	5_2_00FF644D
Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Code function: 5_2_00FF2411 push 00FF248Eh; ret	5_2_00FF2486
Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Code function: 5_2_00FF240F push 00FF248Eh; ret	5_2_00FF2486
Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Code function: 5_2_00FF15D1 push 00FF15FDh; ret	5_2_00FF15F5

Source: 6.2.RegAsm.exe.3bf0c90.3.raw.unpack, Btu9tePebTQXjVvGwAT.cs	High entropy of concatenated method names: 'WkSeM9ni2S', 'YWQekt7PuU', 'ugHePntybR', 'IyDeUI6V7H', 's45erotgfq', 'IrNelL6RPJ', 'QeNewUSXIw', 'EbwPSBq2RW', 'aJ1eFkKR0r', 'mWoeYe7dw6'
Source: 6.2.RegAsm.exe.3bf0c90.3.raw.unpack, sSuX93MZsYEcAG0TpT6.cs	High entropy of concatenated method names: 'RrRNaAzdHOU6Sm950Pw', 'InfF8izpNHNbZgyZE04', 'dVjk7dIuwk', 'vh0ry9Sq2v', 'SV0k2q3gWV', 'kTUk5gbIoh', 'BuCknx1l19', 'fMSkSFAUkS', 'Wntq0dbrJ5o', 'lGMMxor06R'
Source: 6.2.RegAsm.exe.3bf0c90.3.raw.unpack, gOmuMgIrJc4M0GvuLa.cs	High entropy of concatenated method names: 'iQBMyJlAjx', 'phg6dQbwmxxAeH5xPdM', 'EBCKtgbFybcfIBimWDG', 'SJajWyYuA', 'EVRXQ0AhN', 'iO9RlAGdf', 'mP4W3WkP2', 'JAdkODFl1', 'MYhP7yy6V', 'u4PrpucS3'
Source: 6.2.RegAsm.exe.3bf0c90.3.raw.unpack, lygJTCPdTTckQ8GfU2g.cs	High entropy of concatenated method names: 'ThRPWxE45e', 'NBHPMIOttu', 'jmUPkB9JSn', 'd82PPNhHLN', 'oBaPUt2aC9', 'gtrPrMdwPa', 'CxcPlg1UwW', 'hONPw6hdSD', 'FcrPF1NaOS', 'MysPYJCXJm'
Source: 6.2.RegAsm.exe.73c0000.5.raw.unpack, Btu9tePebTQXjVvGwAT.cs	High entropy of concatenated method names: 'WkSeM9ni2S', 'YWQekt7PuU', 'ugHePntybR', 'IyDeUI6V7H', 's45erotgfq', 'IrNelL6RPJ', 'QeNewUSXIw', 'EbwPSBq2RW', 'aJ1eFkKR0r', 'mWoeYe7dw6'
Source: 6.2.RegAsm.exe.73c0000.5.raw.unpack, sSuX93MZsYEcAG0TpT6.cs	High entropy of concatenated method names: 'RrRNaAzdHOU6Sm950Pw', 'InfF8izpNHNbZgyZE04', 'dVjk7dIuwk', 'vh0ry9Sq2v', 'SV0k2q3gWV', 'kTUk5gbIoh', 'BuCknx1l19', 'fMSkSFAUkS', 'Wntq0dbrJ5o', 'lGMMxor06R'
Source: 6.2.RegAsm.exe.73c0000.5.raw.unpack, gOmuMgIrJc4M0GvuLa.cs	High entropy of concatenated method names: 'iQBMyJlAjx', 'phg6dQbwmxxAeH5xPdM', 'EBCKtgbFybcfIBimWDG', 'SJajWyYuA', 'EVRXQ0AhN', 'iO9RlAGdf', 'mP4W3WkP2', 'JAdkODFl1', 'MYhP7yy6V', 'u4PrpucS3'
Source: 6.2.RegAsm.exe.73c0000.5.raw.unpack, lygJTCPdTTckQ8GfU2g.cs	High entropy of concatenated method names: 'ThRPWxE45e', 'NBHPMIOttu', 'jmUPkB9JSn', 'd82PPNhHLN', 'oBaPUt2aC9', 'gtrPrMdwPa', 'CxcPlg1UwW', 'hONPw6hdSD', 'FcrPF1NaOS', 'MysPYJCXJm'

Source: C:\Users\user\Desktop\JiH0aUfOU6.exe	File created: C:\Users\user\AppData\Local\Temp\is-QF4D1.tmp\JiH0aUfOU6.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QF4D1.tmp\JiH0aUfOU6.tmp	File created: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	File created: C:\kchhcfb\AutoIt3.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QF4D1.tmp\JiH0aUfOU6.tmp	File created: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce caehccg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce caehccg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce caehccg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce caehccg	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Code function: 5_2_006659B3 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	5_2_006659B3
Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Code function: 5_2_005F5EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	5_2_005F5EDA
Source: C:\kchhcfb\AutoIt3.exe	Code function: 8_2_007559B3 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	8_2_007559B3
Source: C:\kchhcfb\AutoIt3.exe	Code function: 8_2_006E5EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	8_2_006E5EDA

Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe

Code function: 5_2_006033B7 EncodePointer,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

5_2_006033B7

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\92F976A0251E9247E50EC0FD39D377B7 be7173f6dded1b27d331d8f4ccf32807

Jump to behavior

Source: C:\Users\user\Desktop\JiH0aUfOU6.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QF4D1.tmp\JiH0aUfOU6.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QF4D1.tmp\JiH0aUfOU6.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QF4D1.tmp\JiH0aUfOU6.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QF4D1.tmp\JiH0aUfOU6.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QF4D1.tmp\JiH0aUfOU6.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-QF4D1.tmp\JiH0aUfOU6.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\kchhcfb\AutoIt3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\kchhcfb\AutoIt3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries memory information (via WMI often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_PhysicalMemory
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_PhysicalMemory

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive

Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_PhysicalMemory
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_PhysicalMemory

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: EC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 2AB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 4AB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 2880000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 2A40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 4A40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 2B50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 2CB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Memory allocated: 4CB0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Window / User API: threadDelayed 9604			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Window / User API: foregroundWindowGot 1770			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-QF4D1.tmp\JiH0aUfOU6.tmp

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\_isetup\_setup64.tmp

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	API coverage: 5.7 %
Source: C:\kchhcfb\AutoIt3.exe	API coverage: 5.6 %

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 3316	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 8244	Thread sleep count: 9604 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 8244	Thread sleep count: 218 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 8384	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 8468	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Code function: 5_2_00644005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	5_2_00644005
Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Code function: 5_2_0064C2FF FindFirstFileW,FindNextFileW,FindClose,	5_2_0064C2FF
Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Code function: 5_2_0064494A GetFileAttributesW,FindFirstFileW,FindClose,	5_2_0064494A
Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Code function: 5_2_0064CD14 FindFirstFileW,FindClose,	5_2_0064CD14
Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Code function: 5_2_0064CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,	5_2_0064CD9F
Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Code function: 5_2_0064F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	5_2_0064F5D8
Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Code function: 5_2_0064F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	5_2_0064F735
Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Code function: 5_2_0064FA36 FindFirstFileW,Sleep,FindNextFileW,FindClose,	5_2_0064FA36
Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Code function: 5_2_00643CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	5_2_00643CE2
Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Code function: 5_2_00FE08FD FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,	5_2_00FE08FD
Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Code function: 5_2_00FDE22D GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,	5_2_00FDE22D
Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Code function: 5_2_00FE0A05 FindFirstFileA,GetLastError,	5_2_00FE0A05
Source: C:\kchhcfb\AutoIt3.exe	Code function: 8_2_00734005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	8_2_00734005
Source: C:\kchhcfb\AutoIt3.exe	Code function: 8_2_0073C2FF FindFirstFileW,FindNextFileW,FindClose,	8_2_0073C2FF
Source: C:\kchhcfb\AutoIt3.exe	Code function: 8_2_0073494A GetFileAttributesW,FindFirstFileW,FindClose,	8_2_0073494A
Source: C:\kchhcfb\AutoIt3.exe	Code function: 8_2_0073CD14 FindFirstFileW,FindClose,	8_2_0073CD14
Source: C:\kchhcfb\AutoIt3.exe	Code function: 8_2_0073CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,	8_2_0073CD9F
Source: C:\kchhcfb\AutoIt3.exe	Code function: 8_2_0073F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	8_2_0073F5D8
Source: C:\kchhcfb\AutoIt3.exe	Code function: 8_2_0073F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	8_2_0073F735
Source: C:\kchhcfb\AutoIt3.exe	Code function: 8_2_0073FA36 FindFirstFileW,Sleep,FindNextFileW,FindClose,	8_2_0073FA36
Source: C:\kchhcfb\AutoIt3.exe	Code function: 8_2_00733CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	8_2_00733CE2
Source: C:\kchhcfb\AutoIt3.exe	Code function: 8_2_011F219D FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,	8_2_011F219D
Source: C:\kchhcfb\AutoIt3.exe	Code function: 8_2_011F22A5 FindFirstFileA,GetLastError,	8_2_011F22A5
Source: C:\kchhcfb\AutoIt3.exe	Code function: 8_2_011EFACD GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,	8_2_011EFACD

Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe

Code function: 5_2_005F5D13 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

5_2_005F5D13

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: AutoIt3.exe, 0000000B.00000002.794201246647.0000000000DC7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmware
Source: Autoit3.exe, Autoit3.exe, 00000005.00000002.793961731763.0000000001027000.00000004.00000020.00020000.00000000.sdmp, Autoit3.exe, 00000005.00000002.793961589460.0000000000FD7000.00000040.00000020.00020000.00000000.sdmp, Autoit3.exe, 00000005.00000002.793961281375.0000000000F74000.00000004.00000020.00020000.00000000.sdmp, Autoit3.exe, 00000005.00000003.793954669168.0000000001012000.00000004.00000020.00020000.00000000.sdmp, Autoit3.exe, 00000005.00000003.793954669168.0000000001063000.00000004.00000020.00020000.00000000.sdmp, Autoit3.exe, 00000005.00000002.793961731763.0000000001002000.00000004.00000020.00020000.00000000.sdmp, AutoIt3.exe, AutoIt3.exe, 00000008.00000002.794122273819.0000000001085000.00000004.00000020.00020000.00000000.sdmp, AutoIt3.exe, 00000008.00000002.794123321639.00000000011E8000.00000040.00000020.00020000.00000000.sdmp, AutoIt3.exe, 00000008.00000003.794114493537.0000000001173000.00000004.00000020.00020000.00000000.sdmp, AutoIt3.exe, 00000008.00000002.794122273819.00000000010B5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: microsoft hyper-v video
Source: AutoIt3.exe, 0000000B.00000002.794201246647.0000000000DC7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: cSFksJlMugAfJJiCpQzTvHPkiOXPpWhGFSwxpdVRxiinwPGhY0
Source: Autoit3.exe, 00000005.00000002.793961731763.0000000001027000.00000004.00000020.00020000.00000000.sdmp, Autoit3.exe, 00000005.00000002.793961589460.0000000000FD7000.00000040.00000020.00020000.00000000.sdmp, Autoit3.exe, 00000005.00000003.793954669168.000000000100D000.00000004.00000020.00020000.00000000.sdmp, Autoit3.exe, 00000005.00000002.793961951679.000000000105E000.00000004.00000020.00020000.00000000.sdmp, Autoit3.exe, 00000005.00000003.793954669168.000000000105C000.00000004.00000020.00020000.00000000.sdmp, Autoit3.exe, 00000005.00000002.793961731763.0000000001002000.00000004.00000020.00020000.00000000.sdmp, AutoIt3.exe, 00000008.00000002.794122273819.0000000001085000.00000004.00000020.00020000.00000000.sdmp, AutoIt3.exe, 00000008.00000002.794123321639.00000000011E8000.00000040.00000020.00020000.00000000.sdmp, AutoIt3.exe, 00000008.00000003.794114493537.000000000111D000.00000004.00000020.00020000.00000000.sdmp, AutoIt3.exe, 00000008.00000002.794122939163.000000000116E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: xRckeQNZuMKVTzSBBtqmbcsgnaBYEbZaOwjiqXNRDquAjeMRvwNRxJetYOwhpnTOcozOeCkwmEhYbtoroygOEkCQSiklrIXCdvDMwNjgtuAcCYYEizUkEfFASNbfKXpvDqnhcWPpsCRqcmTHZXPFjdfJqdVCyExbjYHtoFjxYOllWjDmCOPNQbWFVCDfVKzEvMfheByguPDYQDgGDtiQAeZFQIBlwgZUHAoAfJPXimzHuQgGFBumXBjfyNceCvcsiCcSFksJlMugAfJJiCpQzTvHPkiOXPpWhGFSwxpdVRxiinwPGhUIcRINemJjwnThIXtDiaSZYcFozQAClCBmoqTgYgjbYvufIlbsZGmuAQCTOeDegsMqvyazDdYRHIcBaADUJoIqcFMiwYOguJvZrEcIojiaKbAJwvkkMhtTxNwibjQaWdIJEkbCZFGLBqZvDWvHnFGlcEGMmcVFDAQiqcWeVrZaGXiiWDYSXmMHzucFVIOubyDBtdQsJwILHgoVXnVTmQXxTvnnbOGvWSPjitMzqQODvKenUsAagrFfHPCdLTlpNbKTQqMIlvobSoRuYKrVnZbcILYjlhRmUPKIdwWkjeSydfoaoFkFYiBUhmsHXxmbGwzXnytwvGZcmjMxNPksjyzoOwpnxtMagHdzvtlQxSTONkaGpyKRzJoXBniKvlggwFHqlpDSqxAxgCuZIooagQnJSKcxGZNVBWMQWFEirfHNZpNFyqSiWdTuCHSRerywlMfKARvvnxQifnwfniDWxSAbOWmZUJFtnAPaAMmsndpZwWoKyPRoPPFGjvGVohcZnofgjqnQRyisbAJkwJrzOKFrKQjtHzjeMwELsKILVjkldVDWqNbhQEZqKSUbAmWffVdRCpJbQHbvWMqSntglYImUYkwqBFKZGbHQUGCRnlXBfoTzlrdXYtRtHAqBBAwqBEKsiABn
Source: RegAsm.exe, 00000006.00000002.799015556310.00000000056C2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Autoit3.exe, AutoIt3.exe	Binary or memory string: ksJlMugAfJJiCpQzTvHPkiOXPpWhGFSwxpdVRxiinwPGhUIcRINemJjwnThIXtDiaSZYcFozQAClCBmoqTgYgjbYvufIlbsZGmuAQCTOeDegsMqvyazDdYRHIcBaADUJoIqcFMiwYOguJvZrEcIojiaKbAJwvkkMhtTxNwibjQaWdIJEkbCZFGLBqZvDWvHnFGlcEGMmcVFDAQiqcWeVrZaGXiiWDYSXmMHzucFVIOubyDBtdQsJwILHgoVXnVTmQXxT

Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	API call chain: ExitProcess graph end node			graph_5-112141
Source: C:\kchhcfb\AutoIt3.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe

Code function: 5_2_00FEF6EF LdrInitializeThunk,

5_2_00FEF6EF

Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe

Code function: 5_2_006545D5 BlockInput,

5_2_006545D5

Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe

Code function: 5_2_005F5240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

5_2_005F5240

Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe

Code function: 5_2_00615CAC EncodePointer,EncodePointer,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

5_2_00615CAC

Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe

Code function: 5_2_0065C6D9 LoadLibraryA,GetProcAddress,

5_2_0065C6D9

Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Code function: 5_2_01001346 mov eax, dword ptr fs:[00000030h]	5_2_01001346
Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Code function: 5_2_00FF53D9 mov eax, dword ptr fs:[00000030h]	5_2_00FF53D9
Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Code function: 5_2_00FF53D9 mov eax, dword ptr fs:[00000030h]	5_2_00FF53D9
Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Code function: 5_2_00FF53D2 mov eax, dword ptr fs:[00000030h]	5_2_00FF53D2
Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Code function: 5_2_00FF53D2 mov eax, dword ptr fs:[00000030h]	5_2_00FF53D2
Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Code function: 5_2_00FEF4ED mov eax, dword ptr fs:[00000030h]	5_2_00FEF4ED
Source: C:\kchhcfb\AutoIt3.exe	Code function: 8_2_01200D8D mov eax, dword ptr fs:[00000030h]	8_2_01200D8D
Source: C:\kchhcfb\AutoIt3.exe	Code function: 8_2_01206C72 mov eax, dword ptr fs:[00000030h]	8_2_01206C72
Source: C:\kchhcfb\AutoIt3.exe	Code function: 8_2_01206C72 mov eax, dword ptr fs:[00000030h]	8_2_01206C72
Source: C:\kchhcfb\AutoIt3.exe	Code function: 8_2_01206C79 mov eax, dword ptr fs:[00000030h]	8_2_01206C79
Source: C:\kchhcfb\AutoIt3.exe	Code function: 8_2_01206C79 mov eax, dword ptr fs:[00000030h]	8_2_01206C79
Source: C:\kchhcfb\AutoIt3.exe	Code function: 8_2_01212BE6 mov eax, dword ptr fs:[00000030h]	8_2_01212BE6

Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe

Code function: 5_2_006388CD GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

5_2_006388CD

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Code function: 5_2_0060A354 SetUnhandledExceptionFilter,	5_2_0060A354
Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Code function: 5_2_0060A385 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_0060A385
Source: C:\kchhcfb\AutoIt3.exe	Code function: 8_2_006FA354 SetUnhandledExceptionFilter,	8_2_006FA354
Source: C:\kchhcfb\AutoIt3.exe	Code function: 8_2_006FA385 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	8_2_006FA385

Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe

Code function: 5_2_00639369 LogonUserW,

5_2_00639369

Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe

Code function: 5_2_005F5240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

5_2_005F5240

Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe

Code function: 5_2_00641AC6 SendInput,keybd_event,

5_2_00641AC6

Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe

Code function: 5_2_006451E2 mouse_event,

5_2_006451E2

Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Jump to behavior
Source: C:\kchhcfb\AutoIt3.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Jump to behavior
Source: C:\kchhcfb\AutoIt3.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Jump to behavior
Source: C:\kchhcfb\AutoIt3.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe

5_2_006388CD

Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe

Code function: 5_2_00644F1C AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

5_2_00644F1C

Source: JiH0aUfOU6.tmp, 00000003.00000003.794118663736.0000000003AD5000.00000004.00001000.00020000.00000000.sdmp, Autoit3.exe, 00000005.00000002.793960905346.0000000000696000.00000002.00000001.01000000.00000007.sdmp, Autoit3.exe, 00000005.00000003.793958923693.00000000044D7000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: RegAsm.exe, 00000006.00000002.799001778724.0000000002D30000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: RegAsm.exe, 00000006.00000002.799001778724.0000000002D30000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerD
Source: Autoit3.exe, AutoIt3.exe	Binary or memory string: Shell_TrayWnd
Source: RegAsm.exe, 00000006.00000002.799001778724.0000000002D30000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: program manager
Source: RegAsm.exe, 00000006.00000002.799001778724.0000000002D30000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: program manager@
Source: RegAsm.exe, 00000006.00000002.799001778724.0000000002D30000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager@

Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe

Code function: 5_2_0060885B cpuid

5_2_0060885B

Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	5_2_00FDE405
Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Code function: GetLocaleInfoA,	5_2_00FE33D5
Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Code function: GetLocaleInfoA,	5_2_00FE3389
Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	5_2_00FDE50F
Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Code function: GetLocaleInfoA,GetACP,	5_2_00FE4921
Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Code function: GetLocaleInfoA,	5_2_00FDED29
Source: C:\kchhcfb\AutoIt3.exe	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	8_2_011EFCA5
Source: C:\kchhcfb\AutoIt3.exe	Code function: GetLocaleInfoA,GetACP,	8_2_011F61C1
Source: C:\kchhcfb\AutoIt3.exe	Code function: GetLocaleInfoA,	8_2_011F05C9
Source: C:\kchhcfb\AutoIt3.exe	Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,	8_2_011EFDAF
Source: C:\kchhcfb\AutoIt3.exe	Code function: GetLocaleInfoA,	8_2_011F4C29
Source: C:\kchhcfb\AutoIt3.exe	Code function: GetLocaleInfoA,	8_2_011F4C75

Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\kchhcfb\AutoIt3.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\kchhcfb\AutoIt3.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\kchhcfb\AutoIt3.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\kchhcfb\AutoIt3.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID	Jump to behavior
Source: C:\kchhcfb\AutoIt3.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID	Jump to behavior
Source: C:\kchhcfb\AutoIt3.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID	Jump to behavior
Source: C:\kchhcfb\AutoIt3.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID	Jump to behavior
Source: C:\kchhcfb\AutoIt3.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe

Code function: 5_2_00620030 GetLocalTime,

5_2_00620030

Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe

Code function: 5_2_00620722 GetUserNameW,

5_2_00620722

Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe

Code function: 5_2_0061416A GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

5_2_0061416A

Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe

Code function: 5_2_005F5D13 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

5_2_005F5D13

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Found many strings related to Crypto-Wallets (likely being stolen)

Source: RegAsm.exe, 00000006.00000002.799001778724.0000000002AC8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Electrum
Source: RegAsm.exe, 00000006.00000002.799001778724.0000000002AC8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: pibnejdfjmmkpcnlpebklmnkoeoihofecqTronLinkrnkbihfbeogaeaoehlefnkodbefgpgknnsMetaMasktfhbohimaelbohpjbbldcngcnapndodjpuBinance Chain WalletvffnbelfdoeiohenkjibnmadjiehjhajbwYoroixcjelfplplebdjjenllpjcblmjkfcffneyJaxx Libertyzfihkakfobkmkjojpchpfgcmhfjnmnfpi{BitApp Wallet\|kncchdigobghenbbaddojjnnaogfppfj}iWallet~aiifbnbfobpmeekipheeijimdpnlpgpp
Source: RegAsm.exe, 00000006.00000002.799018640142.0000000005937000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: PayPal,,,Bank,,,Banking,,,Crypto,,,Exodus,,,Bitcoin,,,Shopify,,,Invest,,,Investing,,,Payment,,,Amazon,,,Ebay,,,Quickbooks,,,Intuit,,,PhoneLink
Source: RegAsm.exe, 00000006.00000002.799001778724.0000000002AC8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Ethereum
Source: Autoit3.exe, 00000005.00000003.793960060253.0000000004479000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: set_UseMachineKeyStore

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key opened: HKEY_CURRENT_USER\Software\Bitcoin\Bitcoin-Qt

Jump to behavior

Source: AutoIt3.exe	Binary or memory string: WIN_81
Source: AutoIt3.exe	Binary or memory string: WIN_XP
Source: AutoIt3.exe	Binary or memory string: WIN_XPe
Source: AutoIt3.exe	Binary or memory string: WIN_VISTA
Source: AutoIt3.exe	Binary or memory string: WIN_7
Source: AutoIt3.exe	Binary or memory string: WIN_8
Source: AutoIt3.exe.5.dr	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Source: Yara match	File source: 0000000A.00000002.794286967682.0000000002A72000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.799001778724.0000000002AC8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7508, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 8364, type: MEMORYSTR

Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Code function: 5_2_0065696E socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	5_2_0065696E
Source: C:\Users\user\AppData\Local\Temp\is-2FTC5.tmp\Autoit3.exe	Code function: 5_2_00656E32 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	5_2_00656E32
Source: C:\kchhcfb\AutoIt3.exe	Code function: 8_2_0074696E socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	8_2_0074696E
Source: C:\kchhcfb\AutoIt3.exe	Code function: 8_2_00746E32 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	8_2_00746E32

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	321 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	1 Create Account	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	2 Valid Accounts	2 Valid Accounts	2 Obfuscated Files or Information	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	21 Input Capture	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	1 Registry Run Keys / Startup Folder	21 Access Token Manipulation	2 Software Packing	NTDS	257 System Information Discovery	Distributed Component Object Model	3 Clipboard Data	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	12 Process Injection	1 DLL Side-Loading	LSA Secrets	451 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 Registry Run Keys / Startup Folder	1 Masquerading	Cached Domain Credentials	341 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Modify Registry	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	341 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	3 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	21 Access Token Manipulation	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	12 Process Injection	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report JiH0aUfOU6.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Protection of GUI

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
JiH0aUfOU6.exe