Windows Analysis Report
Setup64.exe

Overview

General Information

Sample name: Setup64.exe
Analysis ID: 1633383
MD5: 4d091a9b11bbe7d8c68951b9780a92ea
SHA1: c0684053ee4b6d22d469bdb51436bfc45cf31e3b
SHA256: 5a720bf1f2099c701a7bffba78c0c50288984e10b24b32c110e570c787674a50
Tags: AsyncRAT, exe, signed, user-kafan_shengui

Detection

PureCrypter, AsyncRAT
Score: 58
Range: 0 - 100
Confidence: 100%

Compliance

Score: 47
Range: 0 - 100

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AsyncRAT
Allocates memory in foreign processes
Detected PureCrypter Trojan
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Tries to harvest and steal Bitcoin Wallet information
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
PE file does not import any functions
Queries keyboard layouts
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Use Short Name Path in Command Line
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • Setup64.exe (PID: 7120 cmdline: "C:\Users\user\Desktop\Setup64.exe" MD5: 4D091A9B11BBE7D8C68951B9780A92EA)
    • Setup64.tmp (PID: 7136 cmdline: "C:\Users\user~1\AppData\Local\Temp\is-SP439.tmp\Setup64.tmp" /SL5="$203A4,8170310,119296,C:\Users\user\Desktop\Setup64.exe" MD5: B1F9D665E52C29972B50D7145D88DCE1)
      • Setup64.exe (PID: 5728 cmdline: "C:\Users\user\Desktop\Setup64.exe" /VERYSILENT MD5: 4D091A9B11BBE7D8C68951B9780A92EA)
        • Setup64.tmp (PID: 6180 cmdline: "C:\Users\user~1\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp" /SL5="$203A8,8170310,119296,C:\Users\user\Desktop\Setup64.exe" /VERYSILENT MD5: B1F9D665E52C29972B50D7145D88DCE1)
          • AutoIt3.exe (PID: 6588 cmdline: "C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe" randomized.a3x MD5: 3F58A517F1F4796225137E7659AD2ADB)
            • jsc.exe (PID: 6928 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe" MD5: 94C8E57A80DFCA2482DEDB87B93D4FD9)
  • AutoIt3.exe (PID: 6956 cmdline: "C:\9e146be9-c76a-4720-bcdb-53011b87bd06\Autoit3.exe" "C:\9e146be9-c76a-4720-bcdb-53011b87bd06\randomized.a3x" MD5: 3F58A517F1F4796225137E7659AD2ADB)
    • jsc.exe (PID: 6112 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe" MD5: 94C8E57A80DFCA2482DEDB87B93D4FD9)
  • AutoIt3.exe (PID: 5256 cmdline: "C:\9e146be9-c76a-4720-bcdb-53011b87bd06\Autoit3.exe" "C:\9e146be9-c76a-4720-bcdb-53011b87bd06\randomized.a3x" MD5: 3F58A517F1F4796225137E7659AD2ADB)
    • jsc.exe (PID: 3800 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe" MD5: 94C8E57A80DFCA2482DEDB87B93D4FD9)
  • cleanup
Name: PureCrypter
Description: According to zscaler, PureCrypter is a fully-featured loader being sold since at least March 2021. The malware has been observed distributing a variety of remote access trojans and information stealers. The loader is a .NET executable obfuscated with SmartAssembly and makes use of compression, encryption and obfuscation to evade antivirus software products. PureCrypter features provide persistence, injection and defense mechanisms that are configurable in Google's Protocol Buffer message format.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.purecrypter

Name: AsyncRAT
Description: AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool; however, it could also be used maliciously because it provides functionality such as a keylogger, remote desktop control, and many other functions that may cause harm to the victim's computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kits and other techniques.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat
No configs have been found
Source | Rule | Description | Author
00000008.00000002.1363461241.0000000003082000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000008.00000002.1363461241.0000000003082000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AsyncRAT_1 | Yara detected AsyncRAT | Joe Security
00000006.00000002.2107567857.0000000002D04000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000006.00000002.2107567857.0000000002D04000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AsyncRAT_1 | Yara detected AsyncRAT | Joe Security
Process Memory Space: jsc.exe PID: 6928 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Source: Registry Key set, Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split), Data: Details: "C:\9e146be9-c76a-4720-bcdb-53011b87bd06\Autoit3.exe" "C:\9e146be9-c76a-4720-bcdb-53011b87bd06\randomized.a3x", EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe, ProcessId: 6588, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\randomized
Source: Process started, Author: frack113, Nasreddine Bencherchali, Data: Command: "C:\Users\user~1\AppData\Local\Temp\is-SP439.tmp\Setup64.tmp" /SL5="$203A4,8170310,119296,C:\Users\user\Desktop\Setup64.exe", CommandLine: "C:\Users\user~1\AppData\Local\Temp\is-SP439.tmp\Setup64.tmp" /SL5="$203A4,8170310,119296,C:\Users\user\Desktop\Setup64.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\is-SP439.tmp\Setup64.tmp, NewProcessName: C:\Users\user\AppData\Local\Temp\is-SP439.tmp\Setup64.tmp, OriginalFileName: C:\Users\user\AppData\Local\Temp\is-SP439.tmp\Setup64.tmp, ParentCommandLine: "C:\Users\user\Desktop\Setup64.exe", ParentImage: C:\Users\user\Desktop\Setup64.exe, ParentProcessId: 7120, ParentProcessName: Setup64.exe, ProcessCommandLine: "C:\Users\user~1\AppData\Local\Temp\is-SP439.tmp\Setup64.tmp" /SL5="$203A4,8170310,119296,C:\Users\user\Desktop\Setup64.exe", ProcessId: 7136, ProcessName: Setup64.tmp
Source: File created, Author: Nasreddine Bencherchali (Nextron Systems), Data: EventID: 11, Image: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe, ProcessId: 6588, TargetFilename: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\randomized.pptm
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-10T09:38:53.371022+0100 | 2035595 | 1 | Domain Observed Used for C2 Detected | 151.80.89.228 | 56001 | 192.168.2.7 | 49692 | TCP

            AV Detection

Source: Setup64.exe, Avira: detected
Source: Setup64.exe, Virustotal: Detection: 12%
Source: Setup64.exe, ReversingLabs: Detection: 15%
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 96.5% probability

            Compliance

Source: Setup64.exe, Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: Setup64.exe, Static PE information: certificate valid
Source: Setup64.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

            Networking

Source: Network traffic, Suricata IDS: 2035595 - Severity 1 - ET MALWARE Generic AsyncRAT/zgRAT Style SSL Cert : 151.80.89.228:56001 -> 192.168.2.7:49692
Source: global traffic, TCP traffic: 192.168.2.7:49692 -> 151.80.89.228:56001
Source: Joe Sandbox View, ASN Name: OVHFR OVHFR
Source: unknown, TCP traffic detected without corresponding DNS query: 151.80.89.228

            Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match, File source: 00000008.00000002.1363461241.0000000003082000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.2107567857.0000000002D04000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: jsc.exe PID: 6928, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: jsc.exe PID: 6112, type: MEMORYSTR
            Source: Joe Sandbox View | Dropped File: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\AutoIt3.exe 1DA298CAB4D537B0B7B5DABF09BFF6A212B9E45731E0CC772F99026005FB9E48
            Source: Setup64.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
            Source: Setup64.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
            Source: Setup64.tmp.2.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
            Source: Setup64.tmp.2.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
            Source: is-M78DK.tmp.3.dr | Static PE information: Number of sections : 12 > 10
            Source: is-J916S.tmp.3.dr | Static PE information: No import functions for PE file found
            Source: Setup64.exe, 00000000.00000003.859715306.000000007FE42000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameshfolder.dll~/ vs Setup64.exe
            Source: Setup64.exe | Binary or memory string: OriginalFilenameshfolder.dll~/ vs Setup64.exe
            Source: Setup64.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
            Source: is-JEA8V.tmp.3.dr | Binary string: \Device\LanmanRedirector\
            Source: is-JEA8V.tmp.3.dr | Binary string: \Device\H
            Source: is-JEA8V.tmp.3.dr | Binary string: \Device\LanmanRedirector\;%c:%d\%s
            Source: is-JEA8V.tmp.3.dr | Binary string: \Device\LanmanRedirector\\Device\LanmanRedirector\;%c:%d\%sbasic_string::append\??\ntdll.dllNtQuerySystemInformationNtQueryObjectNtQueryInformationThreadNtQueryInformationFileNtQueryInformationProcessNtQuerySystemInformation: 0x%lx
            Source: is-C4OS4.tmp.3.dr, Microsoft.VisualStudio.TestTools.TestSettings.dll.5.dr | Binary or memory string: D:\dbs\sh\ddvsm\0706_100817\cmd\m\out\Intermediate\vset\testsettingsui.csproj_377D1F75\objr\x86\Microsoft.VisualStudio.TestTools.TestSettings.pdb
            Source: classification engine | Classification label: mal58.troj.spyw.evad.winEXE@17/126@0/1
            Source: C:\Users\user\AppData\Local\Temp\is-SP439.tmp\Setup64.tmp | File created: C:\Users\user\AppData\Local\Programs
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Mutant created: NULL
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Mutant created: \Sessions\1\BaseNamedObjects\84f4929d999d
            Source: C:\Users\user\Desktop\Setup64.exe | File created: C:\Users\user~1\AppData\Local\Temp\is-SP439.tmp
            Source: C:\Users\user\Desktop\Setup64.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
            Source: C:\Users\user\AppData\Local\Temp\is-SP439.tmp\Setup64.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
            Source: C:\Users\user\Desktop\Setup64.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
            Source: C:\Users\user\AppData\Local\Temp\is-SP439.tmp\Setup64.tmp | File read: C:\Users\user\Desktop\desktop.ini
            Source: C:\Users\user\Desktop\Setup64.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: C:\Users\user\AppData\Local\Temp\is-SP439.tmp\Setup64.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
            Source: Setup64.exe | Virustotal: Detection: 12%
            Source: Setup64.exe | ReversingLabs: Detection: 15%
            Source: Setup64.exe | String found in binary or memory: /LOADINF="filename"
            Source: Setup64.exe | String found in binary or memory: {userappdata}\{{A46AD241-79D3-4860-A319-5E4C9914D262}\Sup\git-credential-helper-selector.exe
            Source: Setup64.exe | String found in binary or memory: -Helper process exited with failure code: 0x%x
            Source: Setup64.exe | String found in binary or memory: -HelperRegisterTypeLibrary: StatusCode invalidU
            Source: Setup64.exe | String found in binary or memory: /LoadInf=
            Source: Setup64.exe | String found in binary or memory: /InstallOnThisVersion: Invalid MinVersion string
            Source: C:\Users\user\Desktop\Setup64.exe | File read: C:\Users\user\Desktop\Setup64.exe
            Source: unknown | Process created: C:\Users\user\Desktop\Setup64.exe "C:\Users\user\Desktop\Setup64.exe"
            Source: C:\Users\user\Desktop\Setup64.exe | Process created: C:\Users\user\AppData\Local\Temp\is-SP439.tmp\Setup64.tmp "C:\Users\user~1\AppData\Local\Temp\is-SP439.tmp\Setup64.tmp" /SL5="$203A4,8170310,119296,C:\Users\user\Desktop\Setup64.exe"
            Source: C:\Users\user\AppData\Local\Temp\is-SP439.tmp\Setup64.tmp | Process created: C:\Users\user\Desktop\Setup64.exe "C:\Users\user\Desktop\Setup64.exe" /VERYSILENT
            Source: C:\Users\user\Desktop\Setup64.exe | Process created: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp "C:\Users\user~1\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp" /SL5="$203A8,8170310,119296,C:\Users\user\Desktop\Setup64.exe" /VERYSILENT
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp | Process created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe "C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe" randomized.a3x
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
            Source: unknown | Process created: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\AutoIt3.exe "C:\9e146be9-c76a-4720-bcdb-53011b87bd06\Autoit3.exe" "C:\9e146be9-c76a-4720-bcdb-53011b87bd06\randomized.a3x"
            Source: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\AutoIt3.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
            Source: unknown | Process created: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\AutoIt3.exe "C:\9e146be9-c76a-4720-bcdb-53011b87bd06\Autoit3.exe" "C:\9e146be9-c76a-4720-bcdb-53011b87bd06\randomized.a3x"
            Source: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\AutoIt3.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
            Source: C:\Users\user\Desktop\Setup64.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\Setup64.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\AppData\Local\Temp\is-SP439.tmp\Setup64.tmp | Section loaded: msimg32.dll
            Source: C:\Users\user\AppData\Local\Temp\is-SP439.tmp\Setup64.tmp | Section loaded: version.dll
            Source: C:\Users\user\AppData\Local\Temp\is-SP439.tmp\Setup64.tmp | Section loaded: mpr.dll
            Source: C:\Users\user\AppData\Local\Temp\is-SP439.tmp\Setup64.tmp | Section loaded: uxtheme.dll
            Source: C:\Users\user\AppData\Local\Temp\is-SP439.tmp\Setup64.tmp | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\AppData\Local\Temp\is-SP439.tmp\Setup64.tmp | Section loaded: textinputframework.dll
            Source: C:\Users\user\AppData\Local\Temp\is-SP439.tmp\Setup64.tmp | Section loaded: coreuicomponents.dll
            Source: C:\Users\user\AppData\Local\Temp\is-SP439.tmp\Setup64.tmp | Section loaded: coremessaging.dll
            Source: C:\Users\user\AppData\Local\Temp\is-SP439.tmp\Setup64.tmp | Section loaded: ntmarta.dll
            Source: C:\Users\user\AppData\Local\Temp\is-SP439.tmp\Setup64.tmp | Section loaded: coremessaging.dll
            Source: C:\Users\user\AppData\Local\Temp\is-SP439.tmp\Setup64.tmp | Section loaded: wintypes.dll
            Source: C:\Users\user\AppData\Local\Temp\is-SP439.tmp\Setup64.tmp | Section loaded: wintypes.dll
            Source: C:\Users\user\AppData\Local\Temp\is-SP439.tmp\Setup64.tmp | Section loaded: wintypes.dll
            Source: C:\Users\user\AppData\Local\Temp\is-SP439.tmp\Setup64.tmp | Section loaded: windows.storage.dll
            Source: C:\Users\user\AppData\Local\Temp\is-SP439.tmp\Setup64.tmp | Section loaded: wldp.dll
            Source: C:\Users\user\AppData\Local\Temp\is-SP439.tmp\Setup64.tmp | Section loaded: profapi.dll
            Source: C:\Users\user\AppData\Local\Temp\is-SP439.tmp\Setup64.tmp | Section loaded: shfolder.dll
            Source: C:\Users\user\AppData\Local\Temp\is-SP439.tmp\Setup64.tmp | Section loaded: rstrtmgr.dll
            Source: C:\Users\user\AppData\Local\Temp\is-SP439.tmp\Setup64.tmp | Section loaded: ncrypt.dll
            Source: C:\Users\user\AppData\Local\Temp\is-SP439.tmp\Setup64.tmp | Section loaded: ntasn1.dll
            Source: C:\Users\user\AppData\Local\Temp\is-SP439.tmp\Setup64.tmp | Section loaded: propsys.dll
            Source: C:\Users\user\AppData\Local\Temp\is-SP439.tmp\Setup64.tmp | Section loaded: edputil.dll
            Source: C:\Users\user\AppData\Local\Temp\is-SP439.tmp\Setup64.tmp | Section loaded: urlmon.dll
            Source: C:\Users\user\AppData\Local\Temp\is-SP439.tmp\Setup64.tmp | Section loaded: iertutil.dll
            Source: C:\Users\user\AppData\Local\Temp\is-SP439.tmp\Setup64.tmp | Section loaded: srvcli.dll
            Source: C:\Users\user\AppData\Local\Temp\is-SP439.tmp\Setup64.tmp | Section loaded: netutils.dll
            Source: C:\Users\user\AppData\Local\Temp\is-SP439.tmp\Setup64.tmp | Section loaded: windows.staterepositoryps.dll
            Source: C:\Users\user\AppData\Local\Temp\is-SP439.tmp\Setup64.tmp | Section loaded: sspicli.dll
            Source: C:\Users\user\AppData\Local\Temp\is-SP439.tmp\Setup64.tmp | Section loaded: appresolver.dll
            Source: C:\Users\user\AppData\Local\Temp\is-SP439.tmp\Setup64.tmp | Section loaded: bcp47langs.dll
            Source: C:\Users\user\AppData\Local\Temp\is-SP439.tmp\Setup64.tmp | Section loaded: slc.dll
            Source: C:\Users\user\AppData\Local\Temp\is-SP439.tmp\Setup64.tmp | Section loaded: userenv.dll
            Source: C:\Users\user\AppData\Local\Temp\is-SP439.tmp\Setup64.tmp | Section loaded: sppc.dll
            Source: C:\Users\user\AppData\Local\Temp\is-SP439.tmp\Setup64.tmp | Section loaded: onecorecommonproxystub.dll
            Source: C:\Users\user\AppData\Local\Temp\is-SP439.tmp\Setup64.tmp | Section loaded: onecoreuapcommonproxystub.dll
            Source: C:\Users\user\AppData\Local\Temp\is-SP439.tmp\Setup64.tmp | Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\Setup64.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\Setup64.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp | Section loaded: msimg32.dll
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp | Section loaded: version.dll
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp | Section loaded: mpr.dll
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp | Section loaded: uxtheme.dll
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp | Section loaded: textinputframework.dll
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp | Section loaded: coreuicomponents.dll
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp | Section loaded: coremessaging.dll
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp | Section loaded: ntmarta.dll
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp | Section loaded: wintypes.dll
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp | Section loaded: wintypes.dll
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp | Section loaded: wintypes.dll
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp | Section loaded: windows.storage.dll
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp | Section loaded: wldp.dll
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp | Section loaded: profapi.dll
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp | Section loaded: shfolder.dll
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp | Section loaded: rstrtmgr.dll
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp | Section loaded: ncrypt.dll
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp | Section loaded: ntasn1.dll
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp | Section loaded: textshaping.dll
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp | Section loaded: sspicli.dll
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp | Section loaded: dwmapi.dll
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp | Section loaded: sfc.dll
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp | Section loaded: sfc_os.dll
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp | Section loaded: explorerframe.dll
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp | Section loaded: apphelp.dll
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe | Section loaded: wsock32.dll
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe | Section loaded: version.dll
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe | Section loaded: winmm.dll
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe | Section loaded: mpr.dll
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe | Section loaded: wininet.dll
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe | Section loaded: iphlpapi.dll
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe | Section loaded: userenv.dll
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe | Section loaded: ntmarta.dll
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe | Section loaded: cryptsp.dll
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe | Section loaded: rsaenh.dll
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: mscoree.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: version.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: wldp.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: profapi.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: rsaenh.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: amsi.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: userenv.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: msasn1.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: gpapi.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: mswsock.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: secur32.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: sspicli.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: schannel.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: mskeyprotect.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: ntasn1.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: ncrypt.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: ncryptsslp.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: wbemcomn.dll
            Source: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\AutoIt3.exe | Section loaded: wsock32.dll
            Source: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\AutoIt3.exe | Section loaded: version.dll
            Source: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\AutoIt3.exe | Section loaded: winmm.dll
            Source: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\AutoIt3.exe | Section loaded: mpr.dll
            Source: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\AutoIt3.exe | Section loaded: wininet.dll
            Source: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\AutoIt3.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\AutoIt3.exeSection loaded: userenv.dllJump to behavior
            Source: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\AutoIt3.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\AutoIt3.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\AutoIt3.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\AutoIt3.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\AutoIt3.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\is-SP439.tmp\Setup64.tmp Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
            Source: C:\Users\user\AppData\Local\Temp\is-SP439.tmp\Setup64.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp Window found: window name: TMainForm
            Source: Window Recorder Window detected: More than 3 window changes detected
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: Setup64.exe Static PE information: certificate valid
            Source: Setup64.exe Static file information: File size 9429584 > 1048576
            Source: Setup64.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
            Source: Binary string: D:\a\git-credential-manager\git-credential-manager\out\shared\Git-Credential-Manager\obj\WindowsRelease\net472\win-x86\git-credential-manager.pdbSHA2567 source: is-FTQVN.tmp.3.dr
            Source: Binary string: D:\dbs\sh\ddvsm\1001_131954\cmd\1c\out\binaries\amd64ret\bin\amd64\Microsoft.VisualStudio.ResPkg.Internal.pdb source: is-ETCDK.tmp.3.dr
            Source: Binary string: /_/artifacts/obj/Microsoft.WinForms.DesignTools.Protocol/Release/netcoreapp3.1/Microsoft.WinForms.DesignTools.Protocol.pdb source: Microsoft.WinForms.DesignTools.Protocol.dll.5.dr
            Source: Binary string: F:\NMC\CURRENT260IL1nightlyBuild15061_final\Libraries\WzWXF\Providers\WzWXFCloud\w64prod\WzWXFll64.pdb@P source: WzWXFll64.dll.5.dr
            Source: Binary string: D:\a\git-credential-manager\git-credential-manager\out\shared\Git-Credential-Manager\obj\WindowsRelease\net472\win-x86\git-credential-manager.pdb source: is-FTQVN.tmp.3.dr
            Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\cpfecl.Linux.x86.pdbGCTL source: is-D0J1E.tmp.3.dr
            Source: Binary string: System.Text.RegularExpressions.ni.pdb source: System.Text.RegularExpressions.dll.5.dr
            Source: Binary string: System.Drawing.Common.ni.pdb source: System.Drawing.Common.dll.5.dr
            Source: Binary string: D:\a\git-credential-manager\git-credential-manager\out\windows\Git-Credential-Manager.UI.Windows\obj\WindowsRelease\net472\git-credential-manager-ui.pdb source: is-S7EOV.tmp.3.dr
            Source: Binary string: msitss55.pdb source: msitss55.dll.5.dr
            Source: Binary string: C:\JDK7U2~1\jdk7u17\build\windows-amd64\tmp\deploy\plugin\npdeployJava1\obj\npdeployJava1.pdb source: is-RM1O5.tmp.3.dr, npdeployJava1.dll.5.dr
            Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\cpfecl.Linux.x86.pdb source: is-D0J1E.tmp.3.dr
            Source: Binary string: F:\NMC\CURRENT260IL1nightlyBuild15061_final\Libraries\WzWXF\Providers\WzWXFCloud\w64prod\WzWXFll64.pdb source: WzWXFll64.dll.5.dr
            Source: Binary string: /_/artifacts/obj/System.Drawing.Common/Release/net6.0-windows/System.Drawing.Common.pdbSHA256 source: System.Drawing.Common.dll.5.dr
            Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Text.RegularExpressions\Release\net7.0\System.Text.RegularExpressions.pdb source: System.Text.RegularExpressions.dll.5.dr
            Source: Binary string: D:\dbs\sh\ddvsm\0706_100817_0\cmd\l\out\Intermediate\Xaml\diagnosticsbase_x86retail_7D88E235\Release\netstandard2.0\Microsoft.VisualStudio.DesignTools.DiagnosticsBase.pdb source: Microsoft.VisualStudio.DesignTools.DiagnosticsBase.dll.5.dr
            Source: Binary string: /_/artifacts/obj/Microsoft.WinForms.DesignTools.Protocol/Release/netcoreapp3.1/Microsoft.WinForms.DesignTools.Protocol.pdbSHA256 source: Microsoft.WinForms.DesignTools.Protocol.dll.5.dr
            Source: Binary string: Unknown exceptionbad array new lengthstring too longNULLPATH exsyglindbmdlk\DFoFebAbabDbDEbcbCrtbdbEbFdbhBibilbmbobxbpbrbtbUbubvBCBkBreproexperimental:deterministicBtBt+BdBUIastfe:Baanalyze:Bnanalyze:logBzBvBYFmFCforceZ7GLbLTCGDBLDLDdopenmpXFdGmFRFrkernelarchSSEarchSSE2archAVXarchAVX2d2MPXZiZ7ZIZXGiZmZMclrclr-clrnoassemblyLNclr:netcoreZWMPMPlowpriSaw_ESaw_EPSaw_GmSaw_showIncludesSaw_YcSaw_AnalyzeLogMsyncerrMdebugMbatchdocsrclisterrorreport:prompterrorreport:queueerrorreport:senderrorreport:noneawaitawait:heapelideexternal:env:Bcapture_repro-il%t-typedil-f%f-W1-Zp8-Gs-Ot-Ob0-Fe%b.%X-pc\:/-Fdvc140.pdb-ZM-GS-GR-Zc:forScope-Zc:wchar_t-Xc-ClangMode-ClangXp-Clangstdc17-ClangPredefinedMacros-ClangPredefinedCMacros-ClangPredefinedCppMacros-ClangBuiltinMacros-ClangPredefined32bitMacros-MD-MT-MDd-MTdBk source: is-D0J1E.tmp.3.dr
            Source: Binary string: D:\dbs\sh\ddvsm\0706_100817\cmd\m\out\Intermediate\vset\testsettingsui.csproj_377D1F75\objr\x86\Microsoft.VisualStudio.TestTools.TestSettings.pdb source: is-C4OS4.tmp.3.dr, Microsoft.VisualStudio.TestTools.TestSettings.dll.5.dr
            Source: Binary string: D:\git-sdk-64-build-installers\usr\src\MINGW-packages\mingw-w64-git\src\git\git.pdb source: Setup64.tmp, 00000003.00000003.1020170500.000000000614C000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: D:\dbs\sh\ddvsm\1001_131954\cmd\1c\out\binaries\amd64ret\bin\amd64\Microsoft.VisualStudio.ResPkg.Internal.pdbBSJB source: is-ETCDK.tmp.3.dr
            Source: Binary string: /_/artifacts/obj/System.Drawing.Common/Release/net6.0-windows/System.Drawing.Common.pdb source: System.Drawing.Common.dll.5.dr
            Source: Binary string: D:\a\git-credential-manager\git-credential-manager\out\windows\Git-Credential-Manager.UI.Windows\obj\WindowsRelease\net472\git-credential-manager-ui.pdbSHA256 source: is-S7EOV.tmp.3.dr
            Source: Binary string: .html.pdbgit-credential-helper-selector.exe.exe.bat.cmdCredentialHelperSelectorgit config credential.helperselector.selectedCould not read Git configCould not discover config sourceCould not discover credential helpers source: is-LR8FO.tmp.3.dr
            Source: Binary string: D:\dbs\sh\ddvsm\0706_100817_0\cmd\l\out\Intermediate\Xaml\diagnosticsbase_x86retail_7D88E235\Release\netstandard2.0\Microsoft.VisualStudio.DesignTools.DiagnosticsBase.pdbK source: Microsoft.VisualStudio.DesignTools.DiagnosticsBase.dll.5.dr
            Source: is-HMTVJ.tmp.3.dr Static PE information: 0xA01E5A34 [Mon Feb 15 22:35:32 2055 UTC]
            Source: is-DPNV3.tmp.3.dr Static PE information: section name: ENGINE
            Source: is-M78DK.tmp.3.dr Static PE information: section name: .rodata
            Source: is-M78DK.tmp.3.dr Static PE information: section name: .xdata
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Code function: 6_2_0524C351 push eax; ret 6_2_0524C35D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Code function: 6_2_052412E8 push esp; retf 6_2_05241305
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Code function: 6_2_052779A8 push eax; ret 6_2_052779A9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Code function: 6_2_05298D38 pushad ; retf 6_2_05298D39
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Code function: 6_2_0556119A push esp; iretd 6_2_055611A1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Code function: 6_2_060D073B push ebx; retf 6_2_060D074A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Code function: 8_2_057479A8 push eax; ret 8_2_057479A9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Code function: 8_2_05768D38 pushad ; retf 8_2_05768D39
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Code function: 8_2_0576AC37 push edx; ret 8_2_0576AC5B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Code function: 8_2_05762E1B push eax; retf 8_2_05762E25
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Code function: 8_2_0586119B push esp; iretd 8_2_058611A1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Code function: 15_2_054F137E push 9C0118B6h; retf 15_2_054F1395
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Code function: 15_2_054F12E7 push esp; retf 15_2_054F1305
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Code function: 15_2_057379A8 push eax; ret 15_2_057379A9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Code function: 15_2_05758D38 pushad ; retf 15_2_05758D39
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Code function: 15_2_0575DE33 push es; ret 15_2_0575DE35
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Code function: 15_2_05752E1B push eax; retf 15_2_05752E25
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Code function: 15_2_0575DE88 push es; ret 15_2_0575DE89
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Code function: 15_2_05801185 push edx; iretd 15_2_058011BB
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Code function: 15_2_058011BC push ebx; iretd 15_2_058011C3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Code function: 15_2_058011C4 push ebx; iretd 15_2_058011CB
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Code function: 15_2_058011ED push ebp; iretd 15_2_05801203
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Code function: 15_2_058011F5 push ebp; iretd 15_2_058011FB
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Code function: 15_2_058011FC push ebp; iretd 15_2_05801203
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Code function: 15_2_05801237 push esi; iretd 15_2_0580123B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Code function: 15_2_0580123C push esi; iretd 15_2_05801243
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Code function: 15_2_0585119B push esp; iretd 15_2_058511A1
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp File created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Microsoft.VisualStudio.DesignTools.DiagnosticsBase.dll (copy)
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe File created: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\msys-p11-kit-0.dll
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp File created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\is-Q64M4.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp File created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\cpfecl.Linux.x86.dll (copy)
            Source: C:\Users\user\Desktop\Setup64.exe File created: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp File created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Sup\is-HJG9A.tmp
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe File created: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\msenvui.dll
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp File created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Sup\is-N3E27.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp File created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\msys-p11-kit-0.dll (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp File created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Sup\is-DSKNB.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp File created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\mswb70011.dll (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp File created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\is-N7UR4.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp File created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\WzWXFll64.dll (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp File created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Sup\is-S7EOV.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp File created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Sup\edit_test_dll.exe (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp File created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Sup\kdeltkt.exe (copy)
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe File created: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\Microsoft.VisualStudio.DesignTools.DiagnosticsBase.dll
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe File created: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\System.Drawing.Common.dll
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp File created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\is-KO986.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp File created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\is-PJ2HB.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-SP439.tmp\Setup64.tmp File created: C:\Users\user\AppData\Local\Temp\is-RMSCD.tmp\_isetup\_iscrypt.dll
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp File created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\is-CV97J.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp File created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Sup\x86_64-w64-mingw32-agrep.exe (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp File created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\libnettle-8.dll (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp File created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Sup\unxz.exe (copy)
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe File created: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\System.ComponentModel.Composition.dll
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe File created: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\msys-asn1-8.dll
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp File created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\mc_dec_dv.dll (copy)
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe File created: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\Microsoft.VisualStudio.ExtensionManager.Implementation.dll
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp File created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Sup\is-2J0LP.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp File created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Sup\is-NENS8.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp File created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\is-D0J1E.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp File created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\msitss55.dll (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp File created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Sup\klist.exe (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp File created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Sup\WhoUses.exe (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp File created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\npdeployJava1.dll (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp File created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\is-34CB2.tmp
            Source: C:\Users\user\Desktop\Setup64.exe File created: C:\Users\user\AppData\Local\Temp\is-SP439.tmp\Setup64.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp File created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Sup\p11-kit.exe (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp File created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\is-J916S.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp File created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Microsoft.Azure.Management.EventHub.Fluent.dll (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp File created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp File created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Sup\is-I16ON.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp File created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Sup\is-GH2KI.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp File created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Sup\is-JEA8V.tmp
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe File created: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\cpfecl.Linux.x86.dll
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp File created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\is-E59J6.tmp
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe File created: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\Microsoft.VisualStudio.Shell.ViewManager.dll
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe File created: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\mswb70011.dll
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp File created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Sup\is-APTBV.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp File created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\EXPSRV.DLL (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp File created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\is-IMD56.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp File created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\is-C4OS4.tmp
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe File created: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\WzWXFll64.dll
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp File created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Microsoft.VisualStudio.TestTools.TestSettings.dll (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp File created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\System.ComponentModel.Composition.dll (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp File created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\System.Drawing.Common.dll (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp File created: C:\Users\user\AppData\Local\Temp\is-T3DIJ.tmp\_isetup\_shfoldr.dll
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp File created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Sup\is-FTQVN.tmp
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe File created: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\Microsoft.WinForms.DesignTools.Protocol.dll
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp File created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Sup\is-RC4GU.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp File created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Sup\odt2txt.exe (copy)
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe File created: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\Microsoft.VisualStudio.TestTools.TestSettings.dll
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp File created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\is-M78DK.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp File created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Microsoft.VisualStudio.Shell.ViewManager.dll (copy)
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe File created: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\EntityFramework.resources.dll
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp File created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\is-JNVLL.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp File created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\is-U3H40.tmp
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe File created: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\Microsoft.Diagnostics.NETCore.Client.dll
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp File created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\is-B62NI.tmp
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe File created: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\OverDrive.dll
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp File created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Sup\git-upload-pack.exe (copy)
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe File created: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\Newtonsoft.Json.dll
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe File created: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\EXPSRV.DLL
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp File created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\is-HMTVJ.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp File created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Sup\git-credential-manager-core.exe (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp File created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Sup\is-1K65A.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-SP439.tmp\Setup64.tmp File created: C:\Users\user\AppData\Local\Temp\is-RMSCD.tmp\_isetup\_shfoldr.dll
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp File created: C:\Users\user\AppData\Local\Temp\is-T3DIJ.tmp\_isetup\_setup64.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmpFile created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\is-P7OU0.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmpFile created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Sup\git-credential-helper-selector.exe (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmpFile created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\is-74V5R.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmpFile created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\OverDrive.dll (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exeFile created: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\Microsoft.VisualStudio.ResPkg.Internal.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmpFile created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\EntityFramework.resources.dll (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exeFile created: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\System.Workflow.Activities.dllJump to dropped file
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exeFile created: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\npdeployJava1.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmpFile created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Sup\is-R0NG3.tmpJump to dropped file
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exeFile created: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\Microsoft.Azure.Management.EventHub.Fluent.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmpFile created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\System.Workflow.Activities.dll (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmpFile created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Microsoft.VisualStudio.ResPkg.Internal.dll (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmpFile created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Microsoft.Diagnostics.NETCore.Client.dll (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exeFile created: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\libnettle-8.dllJump to dropped file
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exeFile created: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\mc_dec_dv.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmpFile created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\is-RM1O5.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmpFile created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\is-DPNV3.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmpFile created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Sup\gss-client.exe (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmpFile created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\is-PQNNO.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmpFile created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Sup\git-credential-manager-ui.exe (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmpFile created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\System.Text.RegularExpressions.dll (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmpFile created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\is-4IKO7.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmpFile created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\msys-asn1-8.dll (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmpFile created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\is-D74UP.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmpFile created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\is-ETCDK.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmpFile created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Microsoft.VisualStudio.ExtensionManager.Implementation.dll (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmpFile created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Sup\is-LR8FO.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-SP439.tmp\Setup64.tmpFile created: C:\Users\user\AppData\Local\Temp\is-RMSCD.tmp\_isetup\_setup64.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmpFile created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\is-NED1E.tmpJump to dropped file
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exeFile created: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\AutoIt3.exeJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmpFile created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Newtonsoft.Json.dll (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmpFile created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\is-2KVVB.tmpJump to dropped file
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exeFile created: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\System.Text.RegularExpressions.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmpFile created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Sup\lzmadec.exe (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmpFile created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\msenvui.dll (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exeFile created: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\msitss55.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmpFile created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\is-U2NUP.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmpFile created: C:\Users\user\AppData\Local\Temp\is-T3DIJ.tmp\_isetup\_iscrypt.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmpFile created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Microsoft.WinForms.DesignTools.Protocol.dll (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmpFile created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Sup\git-credential-manager.exe (copy)Jump to dropped file

            Boot Survival

            Source: Yara match | File source: 00000008.00000002.1363461241.0000000003082000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.2107567857.0000000002D04000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: jsc.exe PID: 6928, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: jsc.exe PID: 6112, type: MEMORYSTR
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce randomized
            Source: C:\Users\user\Desktop\Setup64.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Setup64.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\is-SP439.tmp\Setup64.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\is-SP439.tmp\Setup64.tmp | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\AutoIt3.exe | Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: Yara matchFile source: 00000008.00000002.1363461241.0000000003082000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000002.2107567857.0000000002D04000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: jsc.exe PID: 6928, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: jsc.exe PID: 6112, type: MEMORYSTR
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_PhysicalMemory
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_PhysicalMemory
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Memory allocated: 1390000 memory reserve | memory write watch
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Memory allocated: 2CE0000 memory reserve | memory write watch
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Memory allocated: 4CE0000 memory reserve | memory write watch
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Memory allocated: 2E40000 memory reserve | memory write watch
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Memory allocated: 3050000 memory reserve | memory write watch
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Memory allocated: 2E40000 memory reserve | memory write watch
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Memory allocated: 2CD0000 memory reserve | memory write watch
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Memory allocated: 2E50000 memory reserve | memory write watch
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Memory allocated: 4E50000 memory reserve | memory write watch
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Window / User API: threadDelayed 5010
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Window / User API: threadDelayed 4745
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe | Dropped PE file which has not been started: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\msys-p11-kit-0.dll
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Microsoft.VisualStudio.DesignTools.DiagnosticsBase.dll (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\cpfecl.Linux.x86.dll (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\is-Q64M4.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Sup\is-HJG9A.tmp
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe | Dropped PE file which has not been started: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\msenvui.dll
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Sup\is-N3E27.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\msys-p11-kit-0.dll (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Sup\is-DSKNB.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\mswb70011.dll (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\WzWXFll64.dll (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\is-N7UR4.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Sup\is-S7EOV.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Sup\edit_test_dll.exe (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Sup\kdeltkt.exe (copy)
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe | Dropped PE file which has not been started: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\Microsoft.VisualStudio.DesignTools.DiagnosticsBase.dll
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe | Dropped PE file which has not been started: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\System.Drawing.Common.dll
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\is-KO986.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-SP439.tmp\Setup64.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-RMSCD.tmp\_isetup\_iscrypt.dll
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\is-CV97J.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Sup\x86_64-w64-mingw32-agrep.exe (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\libnettle-8.dll (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Sup\unxz.exe (copy)
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe | Dropped PE file which has not been started: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\System.ComponentModel.Composition.dll
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe | Dropped PE file which has not been started: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\msys-asn1-8.dll
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe | Dropped PE file which has not been started: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\Microsoft.VisualStudio.ExtensionManager.Implementation.dll
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\mc_dec_dv.dll (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Sup\is-2J0LP.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Sup\is-NENS8.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\msitss55.dll (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\is-D0J1E.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Sup\klist.exe (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Sup\WhoUses.exe (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\npdeployJava1.dll (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\is-34CB2.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Sup\p11-kit.exe (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Microsoft.Azure.Management.EventHub.Fluent.dll (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\is-J916S.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Sup\is-I16ON.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Sup\is-GH2KI.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Sup\is-JEA8V.tmp
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe | Dropped PE file which has not been started: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\cpfecl.Linux.x86.dll
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\is-E59J6.tmp
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe | Dropped PE file which has not been started: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\Microsoft.VisualStudio.Shell.ViewManager.dll
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe | Dropped PE file which has not been started: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\mswb70011.dll
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Sup\is-APTBV.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\EXPSRV.DLL (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\is-C4OS4.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\is-IMD56.tmp
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe | Dropped PE file which has not been started: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\WzWXFll64.dll
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\System.Drawing.Common.dll (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\System.ComponentModel.Composition.dll (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Microsoft.VisualStudio.TestTools.TestSettings.dll (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-T3DIJ.tmp\_isetup\_shfoldr.dll
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Sup\is-FTQVN.tmp
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe | Dropped PE file which has not been started: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\Microsoft.WinForms.DesignTools.Protocol.dll
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Sup\is-RC4GU.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Sup\odt2txt.exe (copy)
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe | Dropped PE file which has not been started: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\Microsoft.VisualStudio.TestTools.TestSettings.dll
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\is-M78DK.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Microsoft.VisualStudio.Shell.ViewManager.dll (copy)
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe | Dropped PE file which has not been started: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\EntityFramework.resources.dll
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\is-JNVLL.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\is-U3H40.tmp
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe | Dropped PE file which has not been started: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\Microsoft.Diagnostics.NETCore.Client.dll
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\is-B62NI.tmp
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe | Dropped PE file which has not been started: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\OverDrive.dll
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Sup\git-upload-pack.exe (copy)
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe | Dropped PE file which has not been started: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\Newtonsoft.Json.dll
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe | Dropped PE file which has not been started: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\EXPSRV.DLL
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\is-HMTVJ.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Sup\git-credential-manager-core.exe (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Sup\is-1K65A.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-SP439.tmp\Setup64.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-RMSCD.tmp\_isetup\_shfoldr.dll
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-T3DIJ.tmp\_isetup\_setup64.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Sup\git-credential-helper-selector.exe (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\is-P7OU0.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\OverDrive.dll (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\is-74V5R.tmp
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe | Dropped PE file which has not been started: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\Microsoft.VisualStudio.ResPkg.Internal.dll
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe | Dropped PE file which has not been started: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\System.Workflow.Activities.dll
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\EntityFramework.resources.dll (copy)
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe | Dropped PE file which has not been started: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\npdeployJava1.dll
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Sup\is-R0NG3.tmp
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe | Dropped PE file which has not been started: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\Microsoft.Azure.Management.EventHub.Fluent.dll
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\System.Workflow.Activities.dll (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Microsoft.VisualStudio.ResPkg.Internal.dll (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Microsoft.Diagnostics.NETCore.Client.dll (copy)
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe | Dropped PE file which has not been started: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\libnettle-8.dll
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe | Dropped PE file which has not been started: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\mc_dec_dv.dll
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\is-RM1O5.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\is-DPNV3.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Sup\gss-client.exe (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\is-PQNNO.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Sup\git-credential-manager-ui.exe (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\System.Text.RegularExpressions.dll (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\is-4IKO7.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\msys-asn1-8.dll (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\is-D74UP.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\is-ETCDK.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Microsoft.VisualStudio.ExtensionManager.Implementation.dll (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Sup\is-LR8FO.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-SP439.tmp\Setup64.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-RMSCD.tmp\_isetup\_setup64.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\is-NED1E.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Newtonsoft.Json.dll (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\is-2KVVB.tmp
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe | Dropped PE file which has not been started: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\System.Text.RegularExpressions.dll
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Sup\lzmadec.exe (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\msenvui.dll (copy)
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe | Dropped PE file which has not been started: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\msitss55.dll
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\is-U2NUP.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-T3DIJ.tmp\_isetup\_iscrypt.dll
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Microsoft.WinForms.DesignTools.Protocol.dll (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Sup\git-credential-manager.exe (copy)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 7104 | Thread sleep count: 32 > 30
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 7104 | Thread sleep time: -29514790517935264s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 7104 | Thread sleep time: -31000s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 7144 | Thread sleep count: 5010 > 30
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 7104 | Thread sleep time: -30813s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 7144 | Thread sleep count: 4745 > 30
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 7104 | Thread sleep time: -30672s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 7104 | Thread sleep time: -30494s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 7104 | Thread sleep time: -30382s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 7104 | Thread sleep time: -30259s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 7104 | Thread sleep time: -30156s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 7104 | Thread sleep time: -30047s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 5624 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 5920 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\is-SP439.tmp\Setup64.tmp | Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809
            Source: C:\Users\user\AppData\Local\Temp\is-SP439.tmp\Setup64.tmp | Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp | Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp | Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Thread delayed: delay time: 31000
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Thread delayed: delay time: 30813
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Thread delayed: delay time: 30672
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Thread delayed: delay time: 30494
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Thread delayed: delay time: 30382
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Thread delayed: delay time: 30259
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Thread delayed: delay time: 30156
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Thread delayed: delay time: 30047
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Thread delayed: delay time: 922337203685477
            Source: AutoIt3.exe, 0000000A.00000003.1306839894.0000000003B02000.00000004.00000020.00020000.00000000.sdmp, AutoIt3.exe, 0000000A.00000003.1306706654.0000000003AF9000.00000004.00000020.00020000.00000000.sdmp, AutoIt3.exe, 0000000A.00000003.1306770581.0000000003AFA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: TAGEZJNAHHGFSX
            Source: is-HJG9A.tmp.3.dr | Binary or memory string: VMware, Inc.1>0<
            Source: AutoIt3.exe, 0000000A.00000003.1212988363.0000000003325000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: @UVMCIG3 tbheeszjsh
            Source: jsc.exe, 00000006.00000002.2105719208.00000000010B3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllZ
            Source: is-HJG9A.tmp.3.dr | Binary or memory string: http://www.vmware.com/0
            Source: AutoIt3.exe, 0000000A.00000003.1309104355.00000000037AD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ZPUZXPXK_ZPJZXZOJ_OHTVMCIIQ
            Source: Setup64.tmp, 00000001.00000002.867515088.000000000086B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
            Source: is-HJG9A.tmp.3.dr | Binary or memory string: VMware, Inc.0
            Source: C:\Users\user\AppData\Local\Temp\is-0BRO5.tmp\Setup64.tmp | Process information queried: ProcessInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Process token adjusted: Debug
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: D70000 protect: page execute and read and write
            Source: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\AutoIt3.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: D70000 protect: page execute and read and write
            Source: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\AutoIt3.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: D60000 protect: page execute and read and write
            Source: jsc.exe, 00000006.00000002.2107567857.0000000002D04000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: 151.80.89.…"Default:BAPPDATAJ84f4929d999d
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: D70000 value starts with: 4D5A
            Source: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\AutoIt3.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: D70000 value starts with: 4D5A
            Source: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\AutoIt3.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: D60000 value starts with: 4D5A
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: D70000
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: BE4000
            Source: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\AutoIt3.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: D70000
            Source: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\AutoIt3.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: E47000
            Source: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\AutoIt3.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: D60000
            Source: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\AutoIt3.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: F5A000
            Source: C:\Users\user\AppData\Local\Temp\is-SP439.tmp\Setup64.tmp | Process created: C:\Users\user\Desktop\Setup64.exe "C:\Users\user\Desktop\Setup64.exe" /VERYSILENT
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
            Source: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\AutoIt3.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
            Source: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\AutoIt3.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
            Source: AutoIt3.exe, 00000005.00000000.1019902741.0000000000E01000.00000002.00000001.01000000.0000000C.sdmp, AutoIt3.exe, 00000007.00000000.1129886598.00000000005A1000.00000002.00000001.01000000.0000000F.sdmp, AutoIt3.exe, 0000000A.00000000.1210156006.00000000005A1000.00000002.00000001.01000000.0000000F.sdmp | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
            Source: jsc.exe, 00000006.00000002.2107567857.0000000002FFD000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000006.00000002.2107567857.000000000302B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager
            Source: jsc.exe, 00000006.00000002.2107567857.0000000002FB3000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000006.00000002.2116340416.0000000006220000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000006.00000002.2107567857.0000000002FFD000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager*
            Source: jsc.exe, 00000006.00000002.2107567857.000000000302B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program ManagerTe
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe VolumeInformation
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Lowering of HIPS / PFW / Operating System Security Settings

            Source: Yara match | File source: 00000008.00000002.1363461241.0000000003082000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.2107567857.0000000002D04000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: jsc.exe PID: 6928, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: jsc.exe PID: 6112, type: MEMORYSTR
            Source: Setup64.exe, 00000000.00000003.868328816.00000000009BA000.00000004.00001000.00020000.00000000.sdmp, Setup64.tmp, 00000001.00000003.863268367.000000000230E000.00000004.00001000.00020000.00000000.sdmp, Setup64.tmp, 00000001.00000003.863268367.00000000022A0000.00000004.00001000.00020000.00000000.sdmp, Setup64.exe, 00000002.00000003.1027192543.0000000002291000.00000004.00001000.00020000.00000000.sdmp, Setup64.tmp, 00000003.00000003.1023830295.00000000032E2000.00000004.00001000.00020000.00000000.sdmp, Setup64.tmp, 00000003.00000003.1024136998.0000000002288000.00000004.00001000.00020000.00000000.sdmp, Setup64.tmp, 00000003.00000003.1024136998.00000000022F4000.00000004.00001000.00020000.00000000.sdmp, Setup64.tmp, 00000003.00000003.1024136998.00000000022FC000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: avgui.exe
            Source: jsc.exe, 00000006.00000002.2105719208.00000000010B3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct

            Stealing of Sensitive Information

            Source: jsc.exe, 00000006.00000002.2107567857.0000000002F19000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: Electrum
            Source: jsc.exe, 00000006.00000002.2107567857.0000000002F19000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: q com.liberty.jaxx
            Source: jsc.exe, 00000006.00000002.2107567857.0000000002F19000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: q7C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
            Source: jsc.exe, 00000006.00000002.2107567857.0000000002F19000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: q4C:\Users\user\AppData\Roaming\Ethereum\keystore
            Source: jsc.exe, 00000006.00000002.2107567857.0000000002F19000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: Exodus
            Source: jsc.exe, 00000006.00000002.2107567857.0000000002F19000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: Ethereum
            Source: jsc.exe, 00000006.00000002.2107567857.0000000002F19000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: keystore
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Key opened: HKEY_CURRENT_USER\Software\Bitcoin\Bitcoin-Qt
            Source: Yara match | File source: 00000008.00000002.1363461241.0000000003082000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.2107567857.0000000002D04000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: jsc.exe PID: 6928, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: jsc.exe PID: 6112, type: MEMORYSTR
            MITRE ATT&CK Matrix

            Techniques listed per tactic column; bracketed digits are the signature-count badges shown in the original matrix.

            Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
            Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
            Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
            Execution: Windows Management Instrumentation [321]; Command and Scripting Interpreter [2]; Scheduled Task/Job [1]; PowerShell [1]; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
            Persistence: Scheduled Task/Job [1]; Registry Run Keys / Startup Folder [1]; DLL Side-Loading [1]; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
            Privilege Escalation: Process Injection [312]; Scheduled Task/Job [1]; Registry Run Keys / Startup Folder [1]; DLL Side-Loading [1]; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
            Defense Evasion: Masquerading [1]; Disable or Modify Tools [1]; Virtualization/Sandbox Evasion [341]; Process Injection [312]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [11]; Timestomp [1]; DLL Side-Loading [1]
            Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
            Discovery: Security Software Discovery [431]; Process Discovery [2]; Virtualization/Sandbox Evasion [341]; Application Window Discovery [1]; System Owner/User Discovery [2]; File and Directory Discovery [1]; System Information Discovery [223]; System Owner/User Discovery
            Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
            Collection: Archive Collected Data [1]; Data from Local System [1]; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
            Command and Control: Encrypted Channel [1]; Non-Standard Port [1]; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
            Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
            Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
            Behavior Graph ID: 1633383 | Sample: Setup64.exe | Start date: 10/03/2025 | Architecture: WINDOWS | Score: 58

            Top-level signatures: Suricata IDS alerts for network traffic; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 2 other signatures

            Process tree as rendered in the behavior graph:

            • Setup64.exe (started from Start)
              dropped: C:\Users\user\AppData\Local\...\Setup64.tmp, PE32
              • Setup64.tmp
                dropped: C:\Users\user\AppData\Local\...\_shfoldr.dll, PE32; C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+; C:\Users\user\AppData\Local\...\_iscrypt.dll, PE32
                • Setup64.exe
                  dropped: C:\Users\user\AppData\Local\...\Setup64.tmp, PE32
                  • Setup64.tmp
                    dropped: C:\Users\user\AppData\...\AutoIt3.exe (copy), PE32; C:\Users\user\...\npdeployJava1.dll (copy), PE32+; C:\Users\user\...\msys-p11-kit-0.dll (copy), PE32+; 84 other files (none is malicious)
                    • AutoIt3.exe
                      dropped: C:\...\AutoIt3.exe, PE32; C:\...\npdeployJava1.dll, PE32+; C:\...\msys-p11-kit-0.dll, PE32+; 24 other files (none is malicious)
                      signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
                      • jsc.exe
                        DNS/IP: 151.80.89.228, 49692, 56001 OVHFR Italy
                        signatures: Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines); Found many strings related to Crypto-Wallets (likely being stolen); Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); 4 other signatures
            • AutoIt3.exe (started from Start)
              signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
              • jsc.exe
            • AutoIt3.exe (started from Start)
              • jsc.exe
