
Windows Analysis Report
Exploit Locator.exe

Overview

General Information

Sample name: Exploit Locator.exe
Analysis ID: 1617091
MD5: ceda66edeec9673d08da4d9e592f175b
SHA1: 7fe94dd7c2439264b1101b3834470293eeca938c
SHA256: be44f0224d2770e099e468066859580f17ad65c6a9574ed6e4a9e60ece3ca850

Detection

PureCrypter
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
.NET source code contains potential unpacker
Allocates memory in foreign processes
Detected PureCrypter Trojan
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Tries to harvest and steal Bitcoin Wallet information
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
PE file does not import any functions
Queries keyboard layouts
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Stores large binary data to the registry
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64native
  • Exploit Locator.exe (PID: 3556 cmdline: "C:\Users\user\Desktop\Exploit Locator.exe" MD5: CEDA66EDEEC9673D08DA4D9E592F175B)
    • Exploit Locator.tmp (PID: 7360 cmdline: "C:\Users\user\AppData\Local\Temp\is-OEOV4.tmp\Exploit Locator.tmp" /SL5="$10452,9589775,118784,C:\Users\user\Desktop\Exploit Locator.exe" MD5: 058BDB9BC61E879DED0EC01435EB3829)
      • Exploit Locator.exe (PID: 3644 cmdline: "C:\Users\user\Desktop\Exploit Locator.exe" /VERYSILENT MD5: CEDA66EDEEC9673D08DA4D9E592F175B)
        • Exploit Locator.tmp (PID: 1760 cmdline: "C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp" /SL5="$3047E,9589775,118784,C:\Users\user\Desktop\Exploit Locator.exe" /VERYSILENT MD5: 058BDB9BC61E879DED0EC01435EB3829)
          • AutoIt3.exe (PID: 8444 cmdline: "C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\AutoIt3.exe" matriculates.a3x MD5: 3F58A517F1F4796225137E7659AD2ADB)
            • jsc.exe (PID: 8600 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe" MD5: 94C8E57A80DFCA2482DEDB87B93D4FD9)
  • AutoIt3.exe (PID: 8648 cmdline: "C:\11389406-0377-47ed-98c7-d564e683c6eb\Autoit3.exe" "C:\11389406-0377-47ed-98c7-d564e683c6eb\matriculates.a3x" MD5: 3F58A517F1F4796225137E7659AD2ADB)
    • jsc.exe (PID: 8724 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe" MD5: 94C8E57A80DFCA2482DEDB87B93D4FD9)
  • AutoIt3.exe (PID: 8812 cmdline: "C:\11389406-0377-47ed-98c7-d564e683c6eb\Autoit3.exe" "C:\11389406-0377-47ed-98c7-d564e683c6eb\matriculates.a3x" MD5: 3F58A517F1F4796225137E7659AD2ADB)
    • jsc.exe (PID: 8848 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe" MD5: 94C8E57A80DFCA2482DEDB87B93D4FD9)
  • cleanup
Name: PureCrypter
Description: According to Zscaler, PureCrypter is a fully-featured loader being sold since at least March 2021. The malware has been observed distributing a variety of remote access trojans and information stealers. The loader is a .NET executable obfuscated with SmartAssembly and makes use of compression, encryption and obfuscation to evade antivirus software products. PureCrypter features provide persistence, injection and defense mechanisms that are configurable in Google's Protocol Buffer message format.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.purecrypter
No configs have been found
Source: 00000008.00000002.107999346431.0000000003472000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: 00000006.00000002.108642337142.0000000003379000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: Process Memory Space: jsc.exe PID: 8600 | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: Process Memory Space: jsc.exe PID: 8724 | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security

Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: "C:\11389406-0377-47ed-98c7-d564e683c6eb\Autoit3.exe" "C:\11389406-0377-47ed-98c7-d564e683c6eb\matriculates.a3x", EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\AutoIt3.exe, ProcessId: 8444, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\matriculates

Timestamp: 2025-02-17T14:12:41.843596+0100 | SID: 2035595 | Severity: 1 | Classtype: Domain Observed Used for C2 Detected | Source IP: 176.65.139.51 | Source Port: 56001 | Destination IP: 192.168.11.20 | Destination Port: 49769 | Protocol: TCP

AV Detection

Source: Exploit Locator.exe | Virustotal: Detection: 13%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 91.1% probability
Source: Exploit Locator.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: Exploit Locator.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: /_/artifacts/obj/Microsoft.VisualStudio.LanguageServices.Implementation/Release/net472/Microsoft.VisualStudio.LanguageServices.Implementation.pdbSHA256 source: is-9J9G5.tmp.4.dr
Source: Binary string: D:\a\_work\1\s\Intermediate\asan\mt\libomp.nativeproj\objr\amd64\Release\bin\libomp140.x86_64.pdb source: is-1O67P.tmp.4.dr, libomp140.x86_64.dll.5.dr
Source: Binary string: /_/artifacts/obj/Microsoft.AspNetCore.Mvc.Abstractions/Release/net7.0/Microsoft.AspNetCore.Mvc.Abstractions.pdbSHA256 source: is-27FQL.tmp.4.dr
Source: Binary string: Microsoft.VisualStudio.ScriptedHost.pdb source: Microsoft.VisualStudio.ScriptedHost.dll.5.dr, is-TVGL8.tmp.4.dr
Source: Binary string: mshwLatin.pdb source: mshwLatin.dll.5.dr, is-090ED.tmp.4.dr
Source: Binary string: /_/artifacts/obj/Microsoft.AspNetCore.Mvc.Abstractions/Release/net7.0/Microsoft.AspNetCore.Mvc.Abstractions.pdb source: is-27FQL.tmp.4.dr
Source: Binary string: mshwLatin.pdbGCTL source: mshwLatin.dll.5.dr, is-090ED.tmp.4.dr
Source: Binary string: msadomd.pdbGCTL source: is-ADD8T.tmp.4.dr, msadomd.dll.5.dr
Source: Binary string: msadomd.pdb source: is-ADD8T.tmp.4.dr, msadomd.dll.5.dr
Source: Binary string: System.CodeDom.ni.pdb source: is-CLFPL.tmp.4.dr, System.CodeDom.dll.5.dr
Source: Binary string: /_/artifacts/obj/Microsoft.VisualStudio.LanguageServices.Implementation/Release/net472/Microsoft.VisualStudio.LanguageServices.Implementation.pdb source: is-9J9G5.tmp.4.dr
Source: Binary string: LibGit2Sharp.pdb source: is-2MCT9.tmp.4.dr
Source: Binary string: H.PDBTH@CZRA#]CH]\'[U Y@3 source: AutoIt3.exe, 00000005.00000003.107676754138.0000000003D0D000.00000004.00000020.00020000.00000000.sdmp, AutoIt3.exe, 00000007.00000003.107779292371.0000000003EE9000.00000004.00000020.00020000.00000000.sdmp, AutoIt3.exe, 00000009.00000003.107860122096.000000000377E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: F:\workspace\_work\1\s\artifacts\obj\win-x86.Release\corehost\cli\hostpolicy\Release\hostpolicy.pdb source: hostpolicy.dll.5.dr, is-FRBPQ.tmp.4.dr
Source: Binary string: LibGit2Sharp.pdbSHA256IG source: is-2MCT9.tmp.4.dr
Source: Binary string: c:\zlib-dll\Release\isunzlib.pdb source: Exploit Locator.tmp, 00000001.00000003.107387455462.0000000002428000.00000004.00001000.00020000.00000000.sdmp, Exploit Locator.exe, _isdecmp.dll.1.dr
Source: Binary string: Microsoft.AspNetCore.Mvc.Abstractions.ni.pdb source: is-27FQL.tmp.4.dr
Source: Binary string: /_/artifacts/obj/System.CodeDom/Release/net7.0/System.CodeDom.pdb source: is-CLFPL.tmp.4.dr, System.CodeDom.dll.5.dr

Networking

Source: Network traffic | Suricata IDS: 2035595 - Severity 1 - ET MALWARE Generic AsyncRAT/zgRAT Style SSL Cert : 176.65.139.51:56001 -> 192.168.11.20:49769
Source: global traffic | TCP traffic: 192.168.11.20:49769 -> 176.65.139.51:56001
Source: Joe Sandbox View | ASN Name: PALTEL-ASPALTELAutonomousSystemPS PALTEL-ASPALTELAutonomousSystemPS
Source: unknown | TCP traffic detected without corresponding DNS query: 176.65.139.51
Source: Exploit Locator.exe | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: jsc.exe, 00000006.00000002.108639279772.0000000001409000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: is-5A5NI.tmp.4.dr | String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: is-5A5NI.tmp.4.dr | String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: is-5A5NI.tmp.4.dr | String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: jsc.exe, 00000006.00000002.108639279772.0000000001409000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: is-5A5NI.tmp.4.dr | String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: Exploit Locator.exe | String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: Exploit Locator.exe | String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: Exploit Locator.exe | String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z
Source: Exploit Locator.exe | String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0
Source: is-V93MM.tmp.4.dr | String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: Exploit Locator.exe | String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: Exploit Locator.exe | String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: Exploit Locator.exe | String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#
Source: Exploit Locator.exe | String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#
Source: jsc.exe, 00000006.00000002.108639279772.0000000001409000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: jsc.exe, 00000006.00000002.108654558266.0000000005BB0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enA0
Source: Microsoft.VisualStudio.ScriptedHost.dll.5.dr, is-TVGL8.tmp.4.dr | String found in binary or memory: http://daytona/plugin.js:http://scriptedhost/plugin.js
Source: Microsoft.VisualStudio.ScriptedHost.dll.5.dr, is-TVGL8.tmp.4.dr | String found in binary or memory: http://daytona/plugin.js;http://scriptedhost/plugin.jsAhttp://scriptedhost.vs/plugin.js
Source: Exploit Locator.exe | String found in binary or memory: http://ocsp.comodoca.com0
Source: Exploit Locator.exe | String found in binary or memory: http://ocsp.sectigo.com0
Source: is-V93MM.tmp.4.dr | String found in binary or memory: http://ocsp.thawte.com0
Source: is-5A5NI.tmp.4.dr | String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: is-5A5NI.tmp.4.dr | String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: is-5A5NI.tmp.4.dr | String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: is-1O67P.tmp.4.dr, libomp140.x86_64.dll.5.dr | String found in binary or memory: http://openmp.llvm.org/
Source: jsc.exe, 00000006.00000002.108642337142.0000000003379000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Microsoft.VisualStudio.ScriptedHost.dll.5.dr, is-TVGL8.tmp.4.dr | String found in binary or memory: http://scriptedhost.vs/plugin.jsZ--enable-features=msIntelLockFileExWorkaround
Source: is-5A5NI.tmp.4.dr | String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: is-5A5NI.tmp.4.dr | String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: is-V93MM.tmp.4.dr | String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: is-V93MM.tmp.4.dr | String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: is-V93MM.tmp.4.dr | String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: AutoIt3.exe, 00000005.00000000.107674535378.00000000006B5000.00000002.00000001.01000000.0000000F.sdmp, AutoIt3.exe, 00000007.00000000.107777138251.0000000000655000.00000002.00000001.01000000.00000012.sdmp, AutoIt3.exe, 00000009.00000000.107858100580.0000000000655000.00000002.00000001.01000000.00000012.sdmp, is-5A5NI.tmp.4.dr | String found in binary or memory: http://www.autoitscript.com/autoit3/X
Source: Exploit Locator.exe, Exploit Locator.tmp.0.dr, Exploit Locator.tmp.3.dr | String found in binary or memory: http://www.innosetup.com/
Source: Exploit Locator.exe | String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: jsc.exe, 00000006.00000002.108639279772.0000000001409000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.quovadis.bm0
Source: Exploit Locator.exe, Exploit Locator.tmp.0.dr, Exploit Locator.tmp.3.dr | String found in binary or memory: http://www.remobjects.com/ps
Source: is-V93MM.tmp.4.dr | String found in binary or memory: http://www.vmware.com/0
Source: is-1O67P.tmp.4.dr, libomp140.x86_64.dll.5.dr | String found in binary or memory: https://bugs.llvm.org/.
Source: Microsoft.VisualStudio.ScriptedHost.dll.5.dr, is-TVGL8.tmp.4.dr | String found in binary or memory: https://devdiv.visualstudio.com/DevDiv/_git/VS?path=/src/env/shell/UIInternal/MainWindow/Controls/Vs
Source: jsc.exe, 00000006.00000002.108642337142.0000000003379000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000008.00000002.107999346431.0000000003472000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/DFfe9ewf/test3/raw/refs/heads/main/WebDriver.dll
Source: jsc.exe, 00000006.00000002.108642337142.0000000003379000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000008.00000002.107999346431.0000000003472000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/DFfe9ewf/test3/raw/refs/heads/main/chromedriver.exe
Source: jsc.exe, 00000006.00000002.108642337142.0000000003379000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000008.00000002.107999346431.0000000003472000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/DFfe9ewf/test3/raw/refs/heads/main/msedgedriver.exe
Source: is-27FQL.tmp.4.dr | String found in binary or memory: https://github.com/dotnet/aspnetcore
Source: is-27FQL.tmp.4.dr | String found in binary or memory: https://github.com/dotnet/aspnetcore/tree/57512b49997283599b00a6b67d0ccebaec171daf
Source: is-9J9G5.tmp.4.dr | String found in binary or memory: https://github.com/dotnet/roslyn
Source: is-CLFPL.tmp.4.dr, System.CodeDom.dll.5.dr | String found in binary or memory: https://github.com/dotnet/runtime
Source: msys-krb5-26.dll.5.dr, is-VCSQ6.tmp.4.dr | String found in binary or memory: https://github.com/heimdal/heimdal/issues
Source: msys-krb5-26.dll.5.dr, is-VCSQ6.tmp.4.dr | String found in binary or memory: https://github.com/heimdal/heimdal/issuesSend
Source: is-2MCT9.tmp.4.dr | String found in binary or memory: https://github.com/libgit2/libgit2sharp
Source: is-2MCT9.tmp.4.dr | String found in binary or memory: https://github.com/libgit2/libgit2sharp:
Source: is-VCSQ6.tmp.4.dr | String found in binary or memory: https://icann.org/namecollision
Source: msys-krb5-26.dll.5.dr, is-VCSQ6.tmp.4.dr | String found in binary or memory: https://icann.org/namecollision%dsearching
Source: msys-krb5-26.dll.5.dr, is-VCSQ6.tmp.4.dr | String found in binary or memory: https://icann.org/namecollisionRealm
Source: msys-krb5-26.dll.5.dr, is-VCSQ6.tmp.4.dr | String found in binary or memory: https://icann.org/namecollisiondns_lookup_realmdomain_realmdns_locateunable
Source: msys-krb5-26.dll.5.dr, is-VCSQ6.tmp.4.dr | String found in binary or memory: https://icann.org/namecollisionrealmsconfiguration
Source: jsc.exe, 00000006.00000002.108639279772.0000000001409000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: Exploit Locator.exe | String found in binary or memory: https://sectigo.com/CPS0
Source: jsc.exe, 00000006.00000002.108642337142.0000000003379000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000008.00000002.107999346431.0000000003472000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: jsc.exe, 00000006.00000002.108642337142.0000000003379000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000008.00000002.107999346431.0000000003472000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: jsc.exe, 00000006.00000002.108642337142.0000000003379000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000008.00000002.107999346431.0000000003472000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://stackoverflow.com/q/2152978/23354rCannot
Source: is-5A5NI.tmp.4.dr | String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: is-5A5NI.tmp.4.dr | String found in binary or memory: https://www.globalsign.com/repository/0
Source: is-5A5NI.tmp.4.dr | String found in binary or memory: https://www.globalsign.com/repository/06
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 8_2_05BD86488_2_05BD8648
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 8_2_05BD33D88_2_05BD33D8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 8_2_05BDBA708_2_05BDBA70
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 8_2_05BD56808_2_05BD5680
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 8_2_05BDDEB88_2_05BDDEB8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 8_2_05BD38BC8_2_05BD38BC
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 8_2_05BE37308_2_05BE3730
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 8_2_05BEF6C08_2_05BEF6C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 8_2_05BE49008_2_05BE4900
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 8_2_05CABF428_2_05CABF42
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 8_2_05CABF708_2_05CABF70
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 8_2_05CA83408_2_05CA8340
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 8_2_05CA832F8_2_05CA832F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 8_2_05CA6A488_2_05CA6A48
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 8_2_05CADA288_2_05CADA28
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 8_2_05CADA278_2_05CADA27
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 8_2_05CF21888_2_05CF2188
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 8_2_05CF00408_2_05CF0040
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 8_2_05CF00238_2_05CF0023
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 10_2_0301220110_2_03012201
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 10_2_030140D810_2_030140D8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 10_2_0301443810_2_03014438
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 10_2_03010FB010_2_03010FB0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 10_2_03010CD010_2_03010CD0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 10_2_030122B110_2_030122B1
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 10_2_0301106110_2_03011061
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 10_2_0301253810_2_03012538
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 10_2_0301442B10_2_0301442B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 10_2_030114EC10_2_030114EC
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 10_2_030119C110_2_030119C1
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 10_2_030118C210_2_030118C2
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 10_2_03010FA310_2_03010FA3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 10_2_03010FEA10_2_03010FEA
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 10_2_03019C6F10_2_03019C6F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 10_2_03019C8810_2_03019C88
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 10_2_058AA58810_2_058AA588
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 10_2_058A864810_2_058A8648
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 10_2_058A33D810_2_058A33D8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 10_2_058ABA7010_2_058ABA70
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 10_2_058A568010_2_058A5680
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 10_2_058ADEB810_2_058ADEB8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 10_2_058A38BC10_2_058A38BC
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 10_2_058B373010_2_058B3730
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 10_2_058BF6C010_2_058BF6C0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 10_2_058B490010_2_058B4900
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 10_2_0597BF7010_2_0597BF70
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 10_2_0597BF6010_2_0597BF60
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 10_2_0597832F10_2_0597832F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 10_2_0597834010_2_05978340
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 10_2_0597DA0110_2_0597DA01
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 10_2_0597DA2810_2_0597DA28
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 10_2_05976A4810_2_05976A48
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 10_2_059C218810_2_059C2188
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 10_2_059C000610_2_059C0006
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 10_2_059C004010_2_059C0040
          Source: Joe Sandbox View | Dropped File: C:\11389406-0377-47ed-98c7-d564e683c6eb\AutoIt3.exe 1DA298CAB4D537B0B7B5DABF09BFF6A212B9E45731E0CC772F99026005FB9E48
          Source: Exploit Locator.exe | Static PE information: invalid certificate
          Source: Exploit Locator.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
          Source: Exploit Locator.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
          Source: Exploit Locator.tmp.3.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
          Source: Exploit Locator.tmp.3.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
          Source: is-1O67P.tmp.4.dr | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
          Source: is-1SI20.tmp.4.dr | Static PE information: Number of sections : 11 > 10
          Source: is-FQK34.tmp.4.dr | Static PE information: Number of sections : 11 > 10
          Source: is-27FQL.tmp.4.dr | Static PE information: No import functions for PE file found
          Source: is-CLFPL.tmp.4.dr | Static PE information: No import functions for PE file found
          Source: Exploit Locator.exe, 00000000.00000003.107380147596.000000007FE42000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameshfolder.dll~/ vs Exploit Locator.exe
          Source: Exploit Locator.exe | Binary or memory string: OriginalFilenameshfolder.dll~/ vs Exploit Locator.exe
          Source: Exploit Locator.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
          Source: classification engine | Classification label: mal100.spyw.evad.winEXE@17/77@0/1
          Source: C:\Users\user\AppData\Local\Temp\is-OEOV4.tmp\Exploit Locator.tmp | File created: C:\Users\user\AppData\Local\Programs
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Mutant created: NULL
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Mutant created: \Sessions\1\BaseNamedObjects\87a1fee0ad30
          Source: C:\Users\user\Desktop\Exploit Locator.exe | File created: C:\Users\user\AppData\Local\Temp\is-OEOV4.tmp
          Source: C:\Users\user\Desktop\Exploit Locator.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
          Source: C:\Users\user\AppData\Local\Temp\is-OEOV4.tmp\Exploit Locator.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
          Source: C:\Users\user\Desktop\Exploit Locator.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
          Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
          Source: C:\Users\user\AppData\Local\Temp\is-OEOV4.tmp\Exploit Locator.tmp | File read: C:\Users\user\Desktop\desktop.ini
          Source: C:\Users\user\Desktop\Exploit Locator.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Users\user\AppData\Local\Temp\is-OEOV4.tmp\Exploit Locator.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
          Source: Exploit Locator.exe | Virustotal: Detection: 13%
          Source: Exploit Locator.exe | String found in binary or memory: /LOADINF="filename"
          Source: Exploit Locator.exe | String found in binary or memory: -Helper process exited with failure code: 0x%x
          Source: Exploit Locator.exe | String found in binary or memory: -HelperRegisterTypeLibrary: StatusCode invalidU
          Source: Exploit Locator.exe | String found in binary or memory: /LoadInf=
          Source: Exploit Locator.exe | String found in binary or memory: /InstallOnThisVersion: Invalid MinVersion string
          Source: C:\Users\user\Desktop\Exploit Locator.exe | File read: C:\Users\user\Desktop\Exploit Locator.exe
          Source: unknown | Process created: C:\Users\user\Desktop\Exploit Locator.exe "C:\Users\user\Desktop\Exploit Locator.exe"
          Source: C:\Users\user\Desktop\Exploit Locator.exe | Process created: C:\Users\user\AppData\Local\Temp\is-OEOV4.tmp\Exploit Locator.tmp "C:\Users\user\AppData\Local\Temp\is-OEOV4.tmp\Exploit Locator.tmp" /SL5="$10452,9589775,118784,C:\Users\user\Desktop\Exploit Locator.exe"
          Source: C:\Users\user\AppData\Local\Temp\is-OEOV4.tmp\Exploit Locator.tmp | Process created: C:\Users\user\Desktop\Exploit Locator.exe "C:\Users\user\Desktop\Exploit Locator.exe" /VERYSILENT
          Source: C:\Users\user\Desktop\Exploit Locator.exe | Process created: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp "C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp" /SL5="$3047E,9589775,118784,C:\Users\user\Desktop\Exploit Locator.exe" /VERYSILENT
          Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp | Process created: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\AutoIt3.exe "C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\AutoIt3.exe" matriculates.a3x
          Source: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\AutoIt3.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
          Source: unknown | Process created: C:\11389406-0377-47ed-98c7-d564e683c6eb\AutoIt3.exe "C:\11389406-0377-47ed-98c7-d564e683c6eb\Autoit3.exe" "C:\11389406-0377-47ed-98c7-d564e683c6eb\matriculates.a3x"
          Source: C:\11389406-0377-47ed-98c7-d564e683c6eb\AutoIt3.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
          Source: unknown | Process created: C:\11389406-0377-47ed-98c7-d564e683c6eb\AutoIt3.exe "C:\11389406-0377-47ed-98c7-d564e683c6eb\Autoit3.exe" "C:\11389406-0377-47ed-98c7-d564e683c6eb\matriculates.a3x"
          Source: C:\11389406-0377-47ed-98c7-d564e683c6eb\AutoIt3.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
          Source: C:\Users\user\Desktop\Exploit Locator.exe | Process created: C:\Users\user\AppData\Local\Temp\is-OEOV4.tmp\Exploit Locator.tmp "C:\Users\user\AppData\Local\Temp\is-OEOV4.tmp\Exploit Locator.tmp" /SL5="$10452,9589775,118784,C:\Users\user\Desktop\Exploit Locator.exe"
          Source: C:\Users\user\AppData\Local\Temp\is-OEOV4.tmp\Exploit Locator.tmp | Process created: C:\Users\user\Desktop\Exploit Locator.exe "C:\Users\user\Desktop\Exploit Locator.exe" /VERYSILENT
          Source: C:\Users\user\Desktop\Exploit Locator.exe | Process created: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp "C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp" /SL5="$3047E,9589775,118784,C:\Users\user\Desktop\Exploit Locator.exe" /VERYSILENT
          Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp | Process created: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\AutoIt3.exe "C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\AutoIt3.exe" matriculates.a3x
          Source: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\AutoIt3.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
          Source: C:\11389406-0377-47ed-98c7-d564e683c6eb\AutoIt3.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
          Source: C:\11389406-0377-47ed-98c7-d564e683c6eb\AutoIt3.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
          Source: C:\Users\user\Desktop\Exploit Locator.exe | Section loaded: edgegdi.dll
          Source: C:\Users\user\Desktop\Exploit Locator.exe | Section loaded: uxtheme.dll
          Source: C:\Users\user\Desktop\Exploit Locator.exe | Section loaded: apphelp.dll
          Source: C:\Users\user\AppData\Local\Temp\is-OEOV4.tmp\Exploit Locator.tmp | Section loaded: msimg32.dll
          Source: C:\Users\user\AppData\Local\Temp\is-OEOV4.tmp\Exploit Locator.tmp | Section loaded: version.dll
          Source: C:\Users\user\AppData\Local\Temp\is-OEOV4.tmp\Exploit Locator.tmp | Section loaded: mpr.dll
          Source: C:\Users\user\AppData\Local\Temp\is-OEOV4.tmp\Exploit Locator.tmp | Section loaded: edgegdi.dll
          Source: C:\Users\user\AppData\Local\Temp\is-OEOV4.tmp\Exploit Locator.tmp | Section loaded: uxtheme.dll
          Source: C:\Users\user\AppData\Local\Temp\is-OEOV4.tmp\Exploit Locator.tmp | Section loaded: kernel.appcore.dll
          Source: C:\Users\user\AppData\Local\Temp\is-OEOV4.tmp\Exploit Locator.tmp | Section loaded: iconcodecservice.dll
          Source: C:\Users\user\AppData\Local\Temp\is-OEOV4.tmp\Exploit Locator.tmp | Section loaded: windowscodecs.dll
          Source: C:\Users\user\AppData\Local\Temp\is-OEOV4.tmp\Exploit Locator.tmp | Section loaded: textinputframework.dll
          Source: C:\Users\user\AppData\Local\Temp\is-OEOV4.tmp\Exploit Locator.tmp | Section loaded: coreuicomponents.dll
          Source: C:\Users\user\AppData\Local\Temp\is-OEOV4.tmp\Exploit Locator.tmp | Section loaded: coremessaging.dll
          Source: C:\Users\user\AppData\Local\Temp\is-OEOV4.tmp\Exploit Locator.tmp | Section loaded: ntmarta.dll
          Source: C:\Users\user\AppData\Local\Temp\is-OEOV4.tmp\Exploit Locator.tmp | Section loaded: wintypes.dll
          Source: C:\Users\user\AppData\Local\Temp\is-OEOV4.tmp\Exploit Locator.tmp | Section loaded: wintypes.dll
          Source: C:\Users\user\AppData\Local\Temp\is-OEOV4.tmp\Exploit Locator.tmp | Section loaded: wintypes.dll
          Source: C:\Users\user\AppData\Local\Temp\is-OEOV4.tmp\Exploit Locator.tmp | Section loaded: windows.storage.dll
          Source: C:\Users\user\AppData\Local\Temp\is-OEOV4.tmp\Exploit Locator.tmp | Section loaded: wldp.dll
          Source: C:\Users\user\AppData\Local\Temp\is-OEOV4.tmp\Exploit Locator.tmp | Section loaded: profapi.dll
          Source: C:\Users\user\AppData\Local\Temp\is-OEOV4.tmp\Exploit Locator.tmp | Section loaded: shfolder.dll
          Source: C:\Users\user\AppData\Local\Temp\is-OEOV4.tmp\Exploit Locator.tmp | Section loaded: rstrtmgr.dll
          Source: C:\Users\user\AppData\Local\Temp\is-OEOV4.tmp\Exploit Locator.tmp | Section loaded: ncrypt.dll
          Source: C:\Users\user\AppData\Local\Temp\is-OEOV4.tmp\Exploit Locator.tmp | Section loaded: ntasn1.dll
          Source: C:\Users\user\AppData\Local\Temp\is-OEOV4.tmp\Exploit Locator.tmp | Section loaded: propsys.dll
          Source: C:\Users\user\AppData\Local\Temp\is-OEOV4.tmp\Exploit Locator.tmp | Section loaded: edputil.dll
          Source: C:\Users\user\AppData\Local\Temp\is-OEOV4.tmp\Exploit Locator.tmp | Section loaded: urlmon.dll
          Source: C:\Users\user\AppData\Local\Temp\is-OEOV4.tmp\Exploit Locator.tmp | Section loaded: iertutil.dll
          Source: C:\Users\user\AppData\Local\Temp\is-OEOV4.tmp\Exploit Locator.tmp | Section loaded: srvcli.dll
          Source: C:\Users\user\AppData\Local\Temp\is-OEOV4.tmp\Exploit Locator.tmp | Section loaded: netutils.dll
          Source: C:\Users\user\AppData\Local\Temp\is-OEOV4.tmp\Exploit Locator.tmp | Section loaded: windows.staterepositoryps.dll
          Source: C:\Users\user\AppData\Local\Temp\is-OEOV4.tmp\Exploit Locator.tmp | Section loaded: sspicli.dll
          Source: C:\Users\user\AppData\Local\Temp\is-OEOV4.tmp\Exploit Locator.tmp | Section loaded: appresolver.dll
          Source: C:\Users\user\AppData\Local\Temp\is-OEOV4.tmp\Exploit Locator.tmp | Section loaded: bcp47langs.dll
          Source: C:\Users\user\AppData\Local\Temp\is-OEOV4.tmp\Exploit Locator.tmp | Section loaded: slc.dll
          Source: C:\Users\user\AppData\Local\Temp\is-OEOV4.tmp\Exploit Locator.tmp | Section loaded: userenv.dll
          Source: C:\Users\user\AppData\Local\Temp\is-OEOV4.tmp\Exploit Locator.tmp | Section loaded: sppc.dll
          Source: C:\Users\user\AppData\Local\Temp\is-OEOV4.tmp\Exploit Locator.tmp | Section loaded: onecorecommonproxystub.dll
          Source: C:\Users\user\AppData\Local\Temp\is-OEOV4.tmp\Exploit Locator.tmp | Section loaded: onecoreuapcommonproxystub.dll
          Source: C:\Users\user\AppData\Local\Temp\is-OEOV4.tmp\Exploit Locator.tmp | Section loaded: apphelp.dll
          Source: C:\Users\user\Desktop\Exploit Locator.exe | Section loaded: edgegdi.dll
          Source: C:\Users\user\Desktop\Exploit Locator.exe | Section loaded: uxtheme.dll
          Source: C:\Users\user\Desktop\Exploit Locator.exe | Section loaded: apphelp.dll
          Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp | Section loaded: msimg32.dll
          Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp | Section loaded: version.dll
          Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp | Section loaded: mpr.dll
          Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp | Section loaded: edgegdi.dll
          Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp | Section loaded: uxtheme.dll
          Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp | Section loaded: kernel.appcore.dll
          Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp | Section loaded: iconcodecservice.dll
          Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp | Section loaded: windowscodecs.dll
          Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp | Section loaded: textinputframework.dll
          Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp | Section loaded: coreuicomponents.dll
          Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp | Section loaded: coremessaging.dll
          Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp | Section loaded: ntmarta.dll
          Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp | Section loaded: wintypes.dll
          Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp | Section loaded: wintypes.dll
          Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp | Section loaded: wintypes.dll
          Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp | Section loaded: windows.storage.dll
          Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp | Section loaded: wldp.dll
          Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp | Section loaded: profapi.dll
          Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp | Section loaded: shfolder.dll
          Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp | Section loaded: rstrtmgr.dll
          Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp | Section loaded: ncrypt.dll
          Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp | Section loaded: ntasn1.dll
          Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp | Section loaded: textshaping.dll
          Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp | Section loaded: sspicli.dll
          Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp | Section loaded: dwmapi.dll
          Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp | Section loaded: sfc.dll
          Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp | Section loaded: sfc_os.dll
          Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp | Section loaded: explorerframe.dll
          Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp | Section loaded: apphelp.dll
          Source: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\AutoIt3.exe | Section loaded: wsock32.dll
          Source: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\AutoIt3.exe | Section loaded: version.dll
          Source: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\AutoIt3.exe | Section loaded: winmm.dll
          Source: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\AutoIt3.exe | Section loaded: mpr.dll
          Source: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\AutoIt3.exe | Section loaded: wininet.dll
          Source: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\AutoIt3.exe | Section loaded: iphlpapi.dll
          Source: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\AutoIt3.exe | Section loaded: userenv.dll
          Source: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\AutoIt3.exe | Section loaded: uxtheme.dll
          Source: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\AutoIt3.exe | Section loaded: edgegdi.dll
          Source: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\AutoIt3.exe | Section loaded: kernel.appcore.dll
          Source: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\AutoIt3.exe | Section loaded: ntmarta.dll
          Source: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\AutoIt3.exe | Section loaded: cryptsp.dll
          Source: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\AutoIt3.exe | Section loaded: rsaenh.dll
          Source: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\AutoIt3.exe | Section loaded: cryptbase.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: mscoree.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: kernel.appcore.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: version.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: vcruntime140_clr0400.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: edgegdi.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: windows.storage.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: wldp.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: profapi.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: cryptsp.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: rsaenh.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: cryptbase.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: amsi.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: userenv.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: gpapi.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: msasn1.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: mswsock.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: secur32.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: sspicli.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: schannel.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: mskeyprotect.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: ntasn1.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: ncrypt.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: ncryptsslp.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: wbemcomn.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: uxtheme.dll
          Source: C:\11389406-0377-47ed-98c7-d564e683c6eb\AutoIt3.exe | Section loaded: wsock32.dll
          Source: C:\11389406-0377-47ed-98c7-d564e683c6eb\AutoIt3.exe | Section loaded: version.dll
          Source: C:\11389406-0377-47ed-98c7-d564e683c6eb\AutoIt3.exe | Section loaded: winmm.dll
          Source: C:\11389406-0377-47ed-98c7-d564e683c6eb\AutoIt3.exe | Section loaded: mpr.dll
          Source: C:\11389406-0377-47ed-98c7-d564e683c6eb\AutoIt3.exe | Section loaded: wininet.dll
          Source: C:\11389406-0377-47ed-98c7-d564e683c6eb\AutoIt3.exe | Section loaded: iphlpapi.dll
          Source: C:\11389406-0377-47ed-98c7-d564e683c6eb\AutoIt3.exe | Section loaded: userenv.dll
          Source: C:\11389406-0377-47ed-98c7-d564e683c6eb\AutoIt3.exe | Section loaded: uxtheme.dll
          Source: C:\11389406-0377-47ed-98c7-d564e683c6eb\AutoIt3.exe | Section loaded: edgegdi.dll
          Source: C:\11389406-0377-47ed-98c7-d564e683c6eb\AutoIt3.exe | Section loaded: kernel.appcore.dll
          Source: C:\11389406-0377-47ed-98c7-d564e683c6eb\AutoIt3.exe | Section loaded: cryptsp.dll
          Source: C:\11389406-0377-47ed-98c7-d564e683c6eb\AutoIt3.exe | Section loaded: rsaenh.dll
          Source: C:\11389406-0377-47ed-98c7-d564e683c6eb\AutoIt3.exe | Section loaded: cryptbase.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: mscoree.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: kernel.appcore.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: version.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: vcruntime140_clr0400.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: edgegdi.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: windows.storage.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: wldp.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: profapi.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: cryptsp.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: rsaenh.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: cryptbase.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: amsi.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeSection loaded: gpapi.dllJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeSection loaded: msasn1.dllJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-OEOV4.tmp\Exploit Locator.tmp | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
          Source: C:\Users\user\AppData\Local\Temp\is-OEOV4.tmp\Exploit Locator.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
          Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp | Window found: window name: TMainForm
          Source: Window Recorder | Window detected: More than 3 window changes detected
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: Exploit Locator.exe | Static file information: File size 10871134 > 1048576
          Source: Exploit Locator.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
          Source: Binary string: /_/artifacts/obj/Microsoft.VisualStudio.LanguageServices.Implementation/Release/net472/Microsoft.VisualStudio.LanguageServices.Implementation.pdbSHA256 source: is-9J9G5.tmp.4.dr
          Source: Binary string: D:\a\_work\1\s\Intermediate\asan\mt\libomp.nativeproj\objr\amd64\Release\bin\libomp140.x86_64.pdb source: is-1O67P.tmp.4.dr, libomp140.x86_64.dll.5.dr
          Source: Binary string: /_/artifacts/obj/Microsoft.AspNetCore.Mvc.Abstractions/Release/net7.0/Microsoft.AspNetCore.Mvc.Abstractions.pdbSHA256 source: is-27FQL.tmp.4.dr
          Source: Binary string: Microsoft.VisualStudio.ScriptedHost.pdb source: Microsoft.VisualStudio.ScriptedHost.dll.5.dr, is-TVGL8.tmp.4.dr
          Source: Binary string: mshwLatin.pdb source: mshwLatin.dll.5.dr, is-090ED.tmp.4.dr
          Source: Binary string: /_/artifacts/obj/Microsoft.AspNetCore.Mvc.Abstractions/Release/net7.0/Microsoft.AspNetCore.Mvc.Abstractions.pdb source: is-27FQL.tmp.4.dr
          Source: Binary string: mshwLatin.pdbGCTL source: mshwLatin.dll.5.dr, is-090ED.tmp.4.dr
          Source: Binary string: msadomd.pdbGCTL source: is-ADD8T.tmp.4.dr, msadomd.dll.5.dr
          Source: Binary string: msadomd.pdb source: is-ADD8T.tmp.4.dr, msadomd.dll.5.dr
          Source: Binary string: System.CodeDom.ni.pdb source: is-CLFPL.tmp.4.dr, System.CodeDom.dll.5.dr
          Source: Binary string: /_/artifacts/obj/Microsoft.VisualStudio.LanguageServices.Implementation/Release/net472/Microsoft.VisualStudio.LanguageServices.Implementation.pdb source: is-9J9G5.tmp.4.dr
          Source: Binary string: LibGit2Sharp.pdb source: is-2MCT9.tmp.4.dr
          Source: Binary string: H.PDBTH@CZRA#]CH]\'[U Y@3 source: AutoIt3.exe, 00000005.00000003.107676754138.0000000003D0D000.00000004.00000020.00020000.00000000.sdmp, AutoIt3.exe, 00000007.00000003.107779292371.0000000003EE9000.00000004.00000020.00020000.00000000.sdmp, AutoIt3.exe, 00000009.00000003.107860122096.000000000377E000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: F:\workspace\_work\1\s\artifacts\obj\win-x86.Release\corehost\cli\hostpolicy\Release\hostpolicy.pdb source: hostpolicy.dll.5.dr, is-FRBPQ.tmp.4.dr
          Source: Binary string: LibGit2Sharp.pdbSHA256IG source: is-2MCT9.tmp.4.dr
          Source: Binary string: c:\zlib-dll\Release\isunzlib.pdb source: Exploit Locator.tmp, 00000001.00000003.107387455462.0000000002428000.00000004.00001000.00020000.00000000.sdmp, Exploit Locator.exe, _isdecmp.dll.1.dr
          Source: Binary string: Microsoft.AspNetCore.Mvc.Abstractions.ni.pdb source: is-27FQL.tmp.4.dr
          Source: Binary string: /_/artifacts/obj/System.CodeDom/Release/net7.0/System.CodeDom.pdb source: is-CLFPL.tmp.4.dr, System.CodeDom.dll.5.dr

          Data Obfuscation

          Source: is-CLFPL.tmp.4.dr, CompilerInfo.cs | .Net Code: CreateProvider
          Source: is-2MCT9.tmp.4.dr | Static PE information: 0x9E10FB95 [Tue Jan 13 10:31:49 2054 UTC]
          Source: is-1O67P.tmp.4.dr | Static PE information: section name: _RDATA
          Source: is-ADD8T.tmp.4.dr | Static PE information: section name: .sdbid
          Source: is-VCSQ6.tmp.4.dr | Static PE information: section name: .buildid
          Source: is-VCSQ6.tmp.4.dr | Static PE information: section name: .xdata
          Source: is-4Q16D.tmp.4.dr | Static PE information: section name: .buildid
          Source: is-4Q16D.tmp.4.dr | Static PE information: section name: .xdata
          Source: is-FQK34.tmp.4.dr | Static PE information: section name: .xdata
          Source: is-1SI20.tmp.4.dr | Static PE information: section name: .xdata
          Source: is-SKH9A.tmp.4.dr | Static PE information: section name: .symtab
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Code function: 6_2_05A98E7B push eax; retf 6_2_05A98E81
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Code function: 6_2_05BA1ED2 push esp; retn 05B6h 6_2_05BA202D
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Code function: 6_2_05BA1148 push eax; iretd 6_2_05BA1149
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Code function: 6_2_065CC42D push cs; retf 6_2_065CC42E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Code function: 6_2_065CF870 push es; iretd 6_2_065CF878
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Code function: 6_2_065CF89A push es; ret 6_2_065CF8A4
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Code function: 6_2_07526041 push 8B043B3Ah; iretd 6_2_07526046
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Code function: 6_2_07560157 push esp; retf 6_2_07560169
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Code function: 6_2_07567F22 pushfd; ret 6_2_07567F29
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Code function: 6_2_07567EC2 push esp; ret 6_2_07567EC9
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Code function: 6_2_0757CE26 push esi; iretd 6_2_0757CE27
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Code function: 6_2_07588BFB push ecx; iretd 6_2_07588BFC
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Code function: 8_2_05CA2451 push es; retf 8_2_05CA245E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Code function: 8_2_05CF1148 push eax; iretd 8_2_05CF1149
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Code function: 10_2_058B8E7B push eax; retf 10_2_058B8E81
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Code function: 10_2_059C1148 push eax; iretd 10_2_059C1149
          Source: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\AutoIt3.exe | File created: C:\11389406-0377-47ed-98c7-d564e683c6eb\msys-krb5-26.dll
          Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp | File created: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\is-ADD8T.tmp
          Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp | File created: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\msys-krb5-26.dll (copy)
          Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp | File created: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\bin\mit2ms.exe (copy)
          Source: C:\Users\user\AppData\Local\Temp\is-OEOV4.tmp\Exploit Locator.tmp | File created: C:\Users\user\AppData\Local\Temp\is-M2OLV.tmp\_isetup\_shfoldr.dll
          Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp | File created: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\is-2MCT9.tmp
          Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp | File created: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\msadomd.dll (copy)
          Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp | File created: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\System.CodeDom.dll (copy)
          Source: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\AutoIt3.exe | File created: C:\11389406-0377-47ed-98c7-d564e683c6eb\System.CodeDom.dll
          Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp | File created: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\SSLeay.dll (copy)
          Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp | File created: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\is-27FQL.tmp
          Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp | File created: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\bin\is-7A12Q.tmp
          Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp | File created: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\bin\edit_test_dll.exe (copy)
          Source: C:\Users\user\AppData\Local\Temp\is-OEOV4.tmp\Exploit Locator.tmp | File created: C:\Users\user\AppData\Local\Temp\is-M2OLV.tmp\_isetup\_setup64.tmp
          Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp | File created: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\bin\tclsh.exe (copy)
          Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp | File created: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\bin\bzcat.exe (copy)
          Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp | File created: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\bin\is-G6IEM.tmp
          Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp | File created: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\mshwLatin.dll (copy)
          Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp | File created: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\bin\is-SKH9A.tmp
          Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp | File created: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\is-6TS96.tmp
          Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp | File created: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\libomp140.x86_64.dll (copy)
          Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp | File created: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\hostpolicy.dll (copy)
          Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp | File created: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\bin\git-credential-manager-core.exe (copy)
          Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp | File created: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\bin\git-lfs.exe (copy)
          Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp | File created: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\bin\odt2txt.exe (copy)
          Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp | File created: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\LibGit2Sharp.dll (copy)
          Source: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\AutoIt3.exe | File created: C:\11389406-0377-47ed-98c7-d564e683c6eb\Microsoft.VisualStudio.LanguageServices.Implementation.dll
          Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp | File created: C:\Users\user\AppData\Local\Temp\is-ON0H6.tmp\_isetup\_setup64.tmp
          Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp | File created: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\is-4Q16D.tmp
          Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp | File created: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\is-1O67P.tmp
          Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp | File created: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\WinPixSysMonController.dll (copy)
          Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp | File created: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\is-5A5NI.tmp
          Source: C:\Users\user\AppData\Local\Temp\is-OEOV4.tmp\Exploit Locator.tmp | File created: C:\Users\user\AppData\Local\Temp\is-M2OLV.tmp\_isetup\_iscrypt.dll
          Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp | File created: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\is-FRBPQ.tmp
          Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp | File created: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\bin\is-V93MM.tmp
          Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp | File created: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\is-9J9G5.tmp
          Source: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\AutoIt3.exe | File created: C:\11389406-0377-47ed-98c7-d564e683c6eb\Microsoft.VisualStudio.ScriptedHost.dll
          Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp | File created: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\is-CLFPL.tmp
          Source: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\AutoIt3.exe | File created: C:\11389406-0377-47ed-98c7-d564e683c6eb\AutoIt3.exe
          Source: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\AutoIt3.exe | File created: C:\11389406-0377-47ed-98c7-d564e683c6eb\msadomd.dll
          Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp | File created: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\AutoIt3.exe (copy)
          Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp | File created: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\Microsoft.AspNetCore.Mvc.Abstractions.dll (copy)
          Source: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\AutoIt3.exe | File created: C:\11389406-0377-47ed-98c7-d564e683c6eb\Microsoft.TeamFoundation.WorkItemTracking.Controls.dll
          Source: C:\Users\user\Desktop\Exploit Locator.exe | File created: C:\Users\user\AppData\Local\Temp\is-OEOV4.tmp\Exploit Locator.tmp
          Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp | File created: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\bin\is-BHPBG.tmp
          Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp | File created: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\bin\is-3554K.tmp
          Source: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\AutoIt3.exe | File created: C:\11389406-0377-47ed-98c7-d564e683c6eb\mshwLatin.dll
          Source: C:\Users\user\Desktop\Exploit Locator.exe | File created: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp
          Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp | File created: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\is-090ED.tmp
          Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp | File created: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\is-VCSQ6.tmp
          Source: C:\Users\user\AppData\Local\Temp\is-OEOV4.tmp\Exploit Locator.tmp | File created: C:\Users\user\AppData\Local\Temp\is-M2OLV.tmp\_isetup\_isdecmp.dll
          Source: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\AutoIt3.exe | File created: C:\11389406-0377-47ed-98c7-d564e683c6eb\SSLeay.dll
          Source: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\AutoIt3.exe | File created: C:\11389406-0377-47ed-98c7-d564e683c6eb\WinPixSysMonController.dll
          Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp | File created: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\bin\tclsh86.exe (copy)
          Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp | File created: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\is-TVGL8.tmp
          Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp | File created: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\Microsoft.VisualStudio.ScriptedHost.dll (copy)
          Source: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\AutoIt3.exe | File created: C:\11389406-0377-47ed-98c7-d564e683c6eb\LibGit2Sharp.dll
          Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp | File created: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\bin\is-K22DN.tmp
          Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp | File created: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\bin\is-FQK34.tmp
          Source: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\AutoIt3.exe | File created: C:\11389406-0377-47ed-98c7-d564e683c6eb\libomp140.x86_64.dll
          Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp | File created: C:\Users\user\AppData\Local\Temp\is-ON0H6.tmp\_isetup\_isdecmp.dll
          Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp | File created: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\bin\is-1SI20.tmp
          Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp | File created: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\bin\pkcs1-conv.exe (copy)
          Source: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\AutoIt3.exe | File created: C:\11389406-0377-47ed-98c7-d564e683c6eb\hostpolicy.dll
          Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp | File created: C:\Users\user\AppData\Local\Temp\is-ON0H6.tmp\_isetup\_shfoldr.dll
          Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp | File created: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\Microsoft.TeamFoundation.WorkItemTracking.Controls.dll (copy)
          Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp | File created: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\is-BPUG6.tmp
          Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp | File created: C:\Users\user\AppData\Local\Temp\is-ON0H6.tmp\_isetup\_iscrypt.dll
          Source: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\AutoIt3.exe | File created: C:\11389406-0377-47ed-98c7-d564e683c6eb\Microsoft.AspNetCore.Mvc.Abstractions.dll
          Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp | File created: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\Microsoft.VisualStudio.LanguageServices.Implementation.dll (copy)
          Source: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\AutoIt3.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce matriculates
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\D1B229C21A0A68AF7DA7312615A134A4 b93d3a775eda1a7b4469695c496fa2d0
          Source: C:\Users\user\Desktop\Exploit Locator.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\is-OEOV4.tmp\Exploit Locator.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\is-OEOV4.tmp\Exploit Locator.tmp | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
          Source: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\AutoIt3.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\11389406-0377-47ed-98c7-d564e683c6eb\AutoIt3.exe; Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_PhysicalMemory
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; Memory allocated: 3110000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; Memory allocated: 3360000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; Memory allocated: 3190000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; Memory allocated: 32A0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; Memory allocated: 3440000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; Memory allocated: 5440000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; Memory allocated: 2F70000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; Memory allocated: 3210000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; Code function: 8_2_032E2808 rdtsc 8_2_032E2808
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; Window / User API: threadDelayed 9898
Source: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\AutoIt3.exe; Dropped PE file which has not been started: C:\11389406-0377-47ed-98c7-d564e683c6eb\msys-krb5-26.dll
Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\is-ADD8T.tmp
Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\msys-krb5-26.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\bin\mit2ms.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-OEOV4.tmp\Exploit Locator.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-M2OLV.tmp\_isetup\_shfoldr.dll
Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\is-2MCT9.tmp
Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\System.CodeDom.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\msadomd.dll (copy)
Source: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\AutoIt3.exe; Dropped PE file which has not been started: C:\11389406-0377-47ed-98c7-d564e683c6eb\System.CodeDom.dll
Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\SSLeay.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\is-27FQL.tmp
Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\bin\edit_test_dll.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\bin\is-7A12Q.tmp
Source: C:\Users\user\AppData\Local\Temp\is-OEOV4.tmp\Exploit Locator.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-M2OLV.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\bin\tclsh.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\bin\bzcat.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\mshwLatin.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\bin\is-G6IEM.tmp
Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\bin\is-SKH9A.tmp
Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\is-6TS96.tmp
Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\libomp140.x86_64.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\hostpolicy.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\bin\git-lfs.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\bin\git-credential-manager-core.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\bin\odt2txt.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\LibGit2Sharp.dll (copy)
Source: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\AutoIt3.exe; Dropped PE file which has not been started: C:\11389406-0377-47ed-98c7-d564e683c6eb\Microsoft.VisualStudio.LanguageServices.Implementation.dll
Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\is-4Q16D.tmp
Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-ON0H6.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\is-1O67P.tmp
Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\WinPixSysMonController.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-OEOV4.tmp\Exploit Locator.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-M2OLV.tmp\_isetup\_iscrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\bin\is-V93MM.tmp
Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\is-FRBPQ.tmp
Source: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\AutoIt3.exe; Dropped PE file which has not been started: C:\11389406-0377-47ed-98c7-d564e683c6eb\Microsoft.VisualStudio.ScriptedHost.dll
Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\is-9J9G5.tmp
Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\is-CLFPL.tmp
Source: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\AutoIt3.exe; Dropped PE file which has not been started: C:\11389406-0377-47ed-98c7-d564e683c6eb\msadomd.dll
Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\Microsoft.AspNetCore.Mvc.Abstractions.dll (copy)
Source: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\AutoIt3.exe; Dropped PE file which has not been started: C:\11389406-0377-47ed-98c7-d564e683c6eb\Microsoft.TeamFoundation.WorkItemTracking.Controls.dll
Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\bin\is-BHPBG.tmp
Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\bin\is-3554K.tmp
Source: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\AutoIt3.exe; Dropped PE file which has not been started: C:\11389406-0377-47ed-98c7-d564e683c6eb\mshwLatin.dll
Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\is-090ED.tmp
Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\is-VCSQ6.tmp
Source: C:\Users\user\AppData\Local\Temp\is-OEOV4.tmp\Exploit Locator.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-M2OLV.tmp\_isetup\_isdecmp.dll
Source: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\AutoIt3.exe; Dropped PE file which has not been started: C:\11389406-0377-47ed-98c7-d564e683c6eb\SSLeay.dll
Source: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\AutoIt3.exe; Dropped PE file which has not been started: C:\11389406-0377-47ed-98c7-d564e683c6eb\WinPixSysMonController.dll
Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\bin\tclsh86.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\is-TVGL8.tmp
Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\Microsoft.VisualStudio.ScriptedHost.dll (copy)
Source: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\AutoIt3.exe; Dropped PE file which has not been started: C:\11389406-0377-47ed-98c7-d564e683c6eb\LibGit2Sharp.dll
Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\bin\is-K22DN.tmp
Source: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\AutoIt3.exe; Dropped PE file which has not been started: C:\11389406-0377-47ed-98c7-d564e683c6eb\libomp140.x86_64.dll
Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\bin\is-FQK34.tmp
Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-ON0H6.tmp\_isetup\_isdecmp.dll
Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\bin\is-1SI20.tmp
Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\bin\pkcs1-conv.exe (copy)
Source: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\AutoIt3.exe; Dropped PE file which has not been started: C:\11389406-0377-47ed-98c7-d564e683c6eb\hostpolicy.dll
Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-ON0H6.tmp\_isetup\_shfoldr.dll
Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\Microsoft.TeamFoundation.WorkItemTracking.Controls.dll (copy)
Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\is-BPUG6.tmp
Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-ON0H6.tmp\_isetup\_iscrypt.dll
Source: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\AutoIt3.exe; Dropped PE file which has not been started: C:\11389406-0377-47ed-98c7-d564e683c6eb\Microsoft.AspNetCore.Mvc.Abstractions.dll
Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\Microsoft.VisualStudio.LanguageServices.Implementation.dll (copy)
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8696Thread sleep time: -922337203685477s >= -30000sJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8760Thread sleep time: -922337203685477s >= -30000sJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8872Thread sleep time: -922337203685477s >= -30000sJump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-OEOV4.tmp\Exploit Locator.tmpKey opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070409Jump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-OEOV4.tmp\Exploit Locator.tmpKey opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04090409Jump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-OEOV4.tmp\Exploit Locator.tmpKey opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08090809Jump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmpKey opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070409Jump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmpKey opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04090409Jump to behavior
          Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmpKey opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08090809Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeThread delayed: delay time: 922337203685477Jump to behavior
          Source: is-V93MM.tmp.4.drBinary or memory string: VMware, Inc.1>0<
          Source: is-V93MM.tmp.4.drBinary or memory string: http://www.vmware.com/0
          Source: is-V93MM.tmp.4.drBinary or memory string: VMware, Inc.0
          Source: Exploit Locator.exeBinary or memory string: QEMu&
          Source: jsc.exe, 00000006.00000002.108639279772.0000000001409000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll''
          Source: C:\Users\user\AppData\Local\Temp\is-CCLDA.tmp\Exploit Locator.tmpProcess information queried: ProcessInformationJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 8_2_032E2808 rdtsc 8_2_032E2808
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeProcess token adjusted: DebugJump to behavior
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeMemory allocated: page read and write | page guardJump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\AutoIt3.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 11C0000 protect: page execute and read and write
Source: C:\11389406-0377-47ed-98c7-d564e683c6eb\AutoIt3.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 1310000 protect: page execute and read and write
Source: C:\11389406-0377-47ed-98c7-d564e683c6eb\AutoIt3.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 1000000 protect: page execute and read and write
Source: jsc.exe, 00000006.00000002.108642337142.0000000003379000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: 176.65.139.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"Default:BAPPDATAJ87a1fee0ad30
Source: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\AutoIt3.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 11C0000 value starts with: 4D5A
Source: C:\11389406-0377-47ed-98c7-d564e683c6eb\AutoIt3.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 1310000 value starts with: 4D5A
Source: C:\11389406-0377-47ed-98c7-d564e683c6eb\AutoIt3.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 1000000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\AutoIt3.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 11C0000
Source: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\AutoIt3.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: FC8000
Source: C:\11389406-0377-47ed-98c7-d564e683c6eb\AutoIt3.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 1310000
Source: C:\11389406-0377-47ed-98c7-d564e683c6eb\AutoIt3.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 1087000
Source: C:\11389406-0377-47ed-98c7-d564e683c6eb\AutoIt3.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 1000000
Source: C:\11389406-0377-47ed-98c7-d564e683c6eb\AutoIt3.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: EBB000
Source: C:\Users\user\AppData\Local\Temp\is-OEOV4.tmp\Exploit Locator.tmp | Process created: C:\Users\user\Desktop\Exploit Locator.exe "C:\Users\user\Desktop\Exploit Locator.exe" /VERYSILENT
Source: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\AutoIt3.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
Source: C:\11389406-0377-47ed-98c7-d564e683c6eb\AutoIt3.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
Source: C:\11389406-0377-47ed-98c7-d564e683c6eb\AutoIt3.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
Source: AutoIt3.exe, 00000005.00000000.107674253229.00000000006A1000.00000002.00000001.01000000.0000000F.sdmp, AutoIt3.exe, 00000007.00000000.107776946627.0000000000641000.00000002.00000001.01000000.00000012.sdmp, AutoIt3.exe, 00000009.00000000.107857752876.0000000000641000.00000002.00000001.01000000.00000012.sdmp | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: jsc.exe, 00000006.00000002.108642337142.0000000003817000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000006.00000002.108642337142.0000000003841000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000006.00000002.108642337142.00000000037A3000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager
Source: jsc.exe, 00000006.00000002.108642337142.0000000003817000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000006.00000002.108642337142.0000000003841000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000006.00000002.108642337142.00000000037A3000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager*
Source: jsc.exe, 00000006.00000002.108642337142.0000000003817000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000006.00000002.108642337142.0000000003841000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program ManagerTe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\AutoIt3.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Exploit Locator.exe, 00000000.00000003.107391642928.00000000009EA000.00000004.00001000.00020000.00000000.sdmp, Exploit Locator.tmp, 00000001.00000003.107387455462.0000000002437000.00000004.00001000.00020000.00000000.sdmp, Exploit Locator.tmp, 00000001.00000003.107387455462.00000000024A5000.00000004.00001000.00020000.00000000.sdmp, Exploit Locator.exe, 00000003.00000003.107679409715.0000000000B31000.00000004.00001000.00020000.00000000.sdmp, Exploit Locator.tmp, 00000004.00000003.107675876915.0000000002381000.00000004.00001000.00020000.00000000.sdmp, Exploit Locator.tmp, 00000004.00000003.107675876915.0000000002370000.00000004.00001000.00020000.00000000.sdmp, Exploit Locator.tmp, 00000004.00000003.107675403176.0000000003619000.00000004.00001000.00020000.00000000.sdmp, Exploit Locator.tmp, 00000004.00000003.107675876915.000000000239F000.00000004.00001000.00020000.00000000.sdmp, Exploit Locator.tmp, 00000004.00000003.107675876915.0000000002413000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: avgui.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct
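The injection lines in this section (AutoIt3.exe allocating execute+write memory inside jsc.exe, writing a buffer that starts with 4D5A, the MZ header, and creating the jsc.exe process) and the oversized thread sleeps in the evasion section above are the two behaviours a triage script most wants to pull out of a report like this. The following is an added example, not code from the Joe Sandbox report or from the analysed sample: it parses behaviour lines in the "Source: <process> | <event>: <details>" shape used on this page (the raw extraction fuses the event onto the path; both forms are accepted), groups the memory events per (source, target) pair, and classifies a pair as PE injection only when an MZ-prefixed write lands in a region the same source allocated with execute+write protection in that target. The sample lines are copied from this report, except the last one, which is constructed to exercise the write-without-allocation branch. The 180-second sleep threshold is the report's own "long sleeps (>= 3 min)" cut-off; the sleep value is taken as the magnitude of the number the report prints.

```python
"""Added example, not part of the Joe Sandbox report or the analysed sample:
correlate the cross-process 'Memory allocated' / 'Memory written' /
'Process created' lines into per (source, target) findings and flag the
oversized thread sleeps listed under sandbox evasion.
Assumed line shape: 'Source: <process>[ TID: n][ | ]<event>: <details>'.
"""
import re

# Sample lines: all but the last are taken from this report's behaviour
# section (the 'Thread delayed' line is kept in the raw fused form); the
# last line is constructed to exercise the write-without-allocation branch.
SAMPLE_LINES = r"""
Source: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\AutoIt3.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 11C0000 protect: page execute and read and write
Source: C:\11389406-0377-47ed-98c7-d564e683c6eb\AutoIt3.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 1310000 protect: page execute and read and write
Source: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\AutoIt3.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 11C0000 value starts with: 4D5A
Source: C:\11389406-0377-47ed-98c7-d564e683c6eb\AutoIt3.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 1310000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\AutoIt3.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: FC8000
Source: C:\Users\user\AppData\Roaming\{9B078D9F-6EFE-4932-91A5-2DC4F240B955}\AutoIt3.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
Source: C:\11389406-0377-47ed-98c7-d564e683c6eb\AutoIt3.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8696 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeThread delayed: delay time: 922337203685477
Source: C:\constructed\example.exe | Memory written: C:\Windows\System32\notepad.exe base: 400000
"""

EVENTS = ("Memory allocated", "Memory written", "Process created",
          "Thread sleep time", "Thread delayed")
LINE_RE = re.compile(
    r"^Source: (?P<source>.+?)(?: TID: (?P<tid>\d+))?(?: \| )?"
    r"(?P<event>" + "|".join(re.escape(e) for e in EVENTS) + r"): (?P<details>.*)$")
MEM_RE = re.compile(
    r"^(?P<target>.+?) base: (?P<base>[0-9A-Fa-f]+)"
    r"(?: protect: (?P<protect>.+?))?(?: value starts with: (?P<prefix>[0-9A-Fa-f]+))?$")
PROC_RE = re.compile(r'^(?P<target>.+?) (?P<cmdline>".*)$')


def parse_line(line):
    """Return a dict for a recognised behaviour line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = {"source": m["source"], "event": m["event"], "tid": m["tid"]}
    details = m["details"]
    if ev["event"].startswith("Memory"):
        mm = MEM_RE.match(details)
        if mm:  # lines without a target path (e.g. 'page guard') stay unparsed
            ev.update(target=mm["target"], base=mm["base"].upper(),
                      protect=mm["protect"], prefix=mm["prefix"])
    elif ev["event"] == "Process created":
        pm = PROC_RE.match(details)
        if pm:
            ev.update(target=pm["target"], cmdline=pm["cmdline"])
    else:  # sleeps: first integer, magnitude only, in the unit the report prints
        num = re.search(r"-?\d+", details)
        ev["seconds"] = abs(int(num.group())) if num else 0
    return ev


def parse_report(text):
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev]


def find_injections(events):
    """Group memory/process events by (source, target) and classify each pair:
    'pe_injection' = an MZ-prefixed write (4D5A) hit a region the same source
    allocated execute+write in that target (the report's 'Injects a PE file
    into a foreign processes' pattern); 'suspicious_write' = a write with no
    such allocation; 'allocation_only' = nothing written yet."""
    pairs = {}
    for ev in events:
        if "target" not in ev:
            continue
        f = pairs.setdefault((ev["source"], ev["target"]), {
            "source": ev["source"], "target": ev["target"], "rwx_bases": set(),
            "mz_bases": set(), "other_write_bases": set(), "process_created": False})
        if ev["event"] == "Memory allocated":
            prot = (ev.get("protect") or "").lower()
            if "execute" in prot and "write" in prot:
                f["rwx_bases"].add(ev["base"])
        elif ev["event"] == "Memory written":
            if (ev.get("prefix") or "").upper().startswith("4D5A"):
                f["mz_bases"].add(ev["base"])
            else:
                f["other_write_bases"].add(ev["base"])
        else:  # Process created
            f["process_created"] = True
    for f in pairs.values():
        if f["mz_bases"] & f["rwx_bases"]:
            f["verdict"] = "pe_injection"
        elif f["mz_bases"] or f["other_write_bases"]:
            f["verdict"] = "suspicious_write"
        else:
            f["verdict"] = "allocation_only"
    return list(pairs.values())


def find_long_sleeps(events, threshold_s=180):
    """Sleeps at or above the report's own 'long sleeps (>= 3 min)' threshold."""
    return [ev for ev in events if ev.get("seconds", 0) >= threshold_s]


if __name__ == "__main__":
    evs = parse_report(SAMPLE_LINES)
    for f in find_injections(evs):
        print(f["verdict"], f["source"], "->", f["target"],
              "MZ at", sorted(f["mz_bases"]), "process created:", f["process_created"])
    for s in find_long_sleeps(evs):
        print("long sleep:", s["source"], "TID", s["tid"], s["seconds"])
```

Run stand-alone it prints two pe_injection findings (both AutoIt3.exe copies into jsc.exe), one suspicious_write for the constructed line, and the two long sleeps. Feeding the parser the whole behaviour section of a report instead of the sample string is the intended use; the RWX-plus-MZ-plus-process-creation triple is what separates PE injection from the benign cross-process writes a debugger or installer also produces.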

Stealing of Sensitive Information

Source: jsc.exe, 00000006.00000002.108642337142.0000000003379000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: Electrum
Source: jsc.exe, 00000006.00000002.108647879079.00000000045E4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: HJaxXiytlJ
Source: jsc.exe, 00000006.00000002.108642337142.0000000003379000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: Exodus Web3
Source: jsc.exe, 00000006.00000002.108642337142.0000000003379000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: Ethereum
Source: jsc.exe, 00000006.00000002.108647879079.00000000045E4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: set_UseMachineKeyStore
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Key opened: HKEY_CURRENT_USER\Software\Bitcoin\Bitcoin-Qt
Source: Yara match | File source: 00000008.00000002.107999346431.0000000003472000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.108642337142.0000000003379000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: jsc.exe PID: 8600, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: jsc.exe PID: 8724, type: MEMORYSTR
MITRE ATT&CK matrix (the report's flattened table, rebuilt per tactic; a number in parentheses is the signature-count badge the report shows next to that technique, reproduced as it appears)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
Execution: Windows Management Instrumentation (321); Command and Scripting Interpreter (2); PowerShell (1); Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
Persistence: Registry Run Keys / Startup Folder (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Privilege Escalation: Process Injection (312); Registry Run Keys / Startup Folder (1); DLL Side-Loading (1); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Defense Evasion: Masquerading (1); Modify Registry (1); Disable or Modify Tools (1); Virtualization/Sandbox Evasion (341); Process Injection (312); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (1); Software Packing (1); Timestomp (1); DLL Side-Loading (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
Discovery: Security Software Discovery (441); Process Discovery (2); Virtualization/Sandbox Evasion (341); Application Window Discovery (1); System Owner/User Discovery (2); File and Directory Discovery (1); System Information Discovery (223); System Owner/User Discovery; Network Sniffing; Network Service Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
Collection: Archive Collected Data (1); Data from Local System (1); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
Command and Control: Encrypted Channel (1); Non-Standard Port (1); Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement
Behavior Graph

Behavior Graph ID: 1617091; Sample: Exploit Locator.exe; Start date: 17/02/2025; Architecture: WINDOWS; Score: 100
Top-level signatures: Suricata IDS alerts for network traffic; Multi AV Scanner detection for submitted file; .NET source code contains potential unpacker; Joe Sandbox ML detected suspicious sample

Process tree recovered from the graph (the graph image itself is not part of this text):

Exploit Locator.exe (started)
  dropped: C:\Users\user\AppData\...xploit Locator.tmp (PE32)
  -> Exploit Locator.tmp (started)
     dropped: C:\Users\user\AppData\Local\...\_shfoldr.dll (PE32); C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+); C:\Users\user\AppData\Local\...\_isdecmp.dll (PE32); C:\Users\user\AppData\Local\...\_iscrypt.dll (PE32)
     -> Exploit Locator.exe (started)
        dropped: C:\Users\user\AppData\...xploit Locator.tmp (PE32)
        -> Exploit Locator.tmp (started)
           dropped: C:\Users\user\AppData\...\AutoIt3.exe (copy) (PE32); C:\Users\user\...\msys-krb5-26.dll (copy) (PE32+); C:\Users\user\...\mshwLatin.dll (copy) (PE32+); 47 other files (none is malicious)
           -> AutoIt3.exe (started)
              dropped: C:\...\AutoIt3.exe (PE32); C:\...\msys-krb5-26.dll (PE32+); C:\...\mshwLatin.dll (PE32+); 11 other files (none is malicious)
              signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
              -> jsc.exe (started)
                 network: 176.65.139.51, ports 49769, 49770, 56001 (PALTEL-ASPALTELAutonomousSystemPS, Germany)
                 signatures: Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines); Found many strings related to Crypto-Wallets (likely being stolen); Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); 4 other signatures
AutoIt3.exe (started from the graph's start node)
  signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
  -> jsc.exe (started)
AutoIt3.exe (started from the graph's start node)
  -> jsc.exe (started)
