Windows Analysis Report
Setup64.exe

Overview

General Information

Sample name: Setup64.exe
Analysis ID: 1633383
MD5: 4d091a9b11bbe7d8c68951b9780a92ea
SHA1: c0684053ee4b6d22d469bdb51436bfc45cf31e3b
SHA256: 5a720bf1f2099c701a7bffba78c0c50288984e10b24b32c110e570c787674a50
Detection

PureCrypter, AsyncRAT
Score: 52
Range: 0 - 100
Confidence: 100%

Compliance

Score: 47
Range: 0 - 100

Signatures

Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AsyncRAT
Allocates memory in foreign processes
Detected PureCrypter Trojan
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Tries to harvest and steal Bitcoin Wallet information
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
PE file does not import any functions
Queries keyboard layouts
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64native
  • Setup64.exe (PID: 6904 cmdline: "C:\Users\user\Desktop\Setup64.exe" MD5: 4D091A9B11BBE7D8C68951B9780A92EA)
    • Setup64.tmp (PID: 1164 cmdline: "C:\Users\user\AppData\Local\Temp\is-N6RL8.tmp\Setup64.tmp" /SL5="$2046A,8170310,119296,C:\Users\user\Desktop\Setup64.exe" MD5: B1F9D665E52C29972B50D7145D88DCE1)
      • Setup64.exe (PID: 5588 cmdline: "C:\Users\user\Desktop\Setup64.exe" /VERYSILENT MD5: 4D091A9B11BBE7D8C68951B9780A92EA)
        • Setup64.tmp (PID: 7244 cmdline: "C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmp" /SL5="$2046E,8170310,119296,C:\Users\user\Desktop\Setup64.exe" /VERYSILENT MD5: B1F9D665E52C29972B50D7145D88DCE1)
          • AutoIt3.exe (PID: 8444 cmdline: "C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe" randomized.a3x MD5: 3F58A517F1F4796225137E7659AD2ADB)
            • jsc.exe (PID: 8508 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe" MD5: 94C8E57A80DFCA2482DEDB87B93D4FD9)
  • AutoIt3.exe (PID: 8560 cmdline: "C:\11389406-0377-47ed-98c7-d564e683c6eb\Autoit3.exe" "C:\11389406-0377-47ed-98c7-d564e683c6eb\randomized.a3x" MD5: 3F58A517F1F4796225137E7659AD2ADB)
    • jsc.exe (PID: 8716 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe" MD5: 94C8E57A80DFCA2482DEDB87B93D4FD9)
  • AutoIt3.exe (PID: 8760 cmdline: "C:\11389406-0377-47ed-98c7-d564e683c6eb\Autoit3.exe" "C:\11389406-0377-47ed-98c7-d564e683c6eb\randomized.a3x" MD5: 3F58A517F1F4796225137E7659AD2ADB)
    • jsc.exe (PID: 8832 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe" MD5: 94C8E57A80DFCA2482DEDB87B93D4FD9)
  • cleanup
Name: PureCrypter
Description: According to Zscaler, PureCrypter is a fully-featured loader being sold since at least March 2021. The malware has been observed distributing a variety of remote access trojans and information stealers. The loader is a .NET executable obfuscated with SmartAssembly and makes use of compression, encryption and obfuscation to evade antivirus software products. PureCrypter features provide persistence, injection and defense mechanisms that are configurable in Google's Protocol Buffer message format.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.purecrypter

Name: AsyncRAT
Description: AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool; however, it could also be used maliciously because it provides functionality such as a keylogger, remote desktop control, and many other functions that may cause harm to the victim's computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kits and other techniques.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat
No configs have been found
Source: 0000000A.00000002.2124288840735.00000000029E2000.00000004.00000800.00020000.00000000.sdmp; Rule: JoeSecurity_AsyncRAT_1; Description: Yara detected AsyncRAT; Author: Joe Security
Source: 0000000A.00000002.2124288840735.00000000029E2000.00000004.00000800.00020000.00000000.sdmp; Rule: JoeSecurity_CredentialStealer; Description: Yara detected Credential Stealer; Author: Joe Security
Source: 00000008.00000002.2124981884980.0000000002854000.00000004.00000800.00020000.00000000.sdmp; Rule: JoeSecurity_AsyncRAT_1; Description: Yara detected AsyncRAT; Author: Joe Security
Source: 00000008.00000002.2124981884980.0000000002854000.00000004.00000800.00020000.00000000.sdmp; Rule: JoeSecurity_CredentialStealer; Description: Yara detected Credential Stealer; Author: Joe Security
Source: Process Memory Space: jsc.exe PID: 8508; Rule: JoeSecurity_AsyncRAT_1; Description: Yara detected AsyncRAT; Author: Joe Security
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: "C:\11389406-0377-47ed-98c7-d564e683c6eb\Autoit3.exe" "C:\11389406-0377-47ed-98c7-d564e683c6eb\randomized.a3x", EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe, ProcessId: 8444, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\randomized
Source: File created; Author: Nasreddine Bencherchali (Nextron Systems); Data: EventID: 11, Image: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe, ProcessId: 8444, TargetFilename: C:\11389406-0377-47ed-98c7-d564e683c6eb\randomized.pptm
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-10T09:49:21.881535+0100 | 2028371 | 3 | Unknown Traffic | 192.168.11.30 | 50278 | 23.209.72.8 | 443 | TCP
2025-03-10T09:50:25.312978+0100 | 2028371 | 3 | Unknown Traffic | 192.168.11.30 | 50282 | 23.209.72.8 | 443 | TCP
2025-03-10T09:49:52.396932+0100 | 2035595 | 1 | Domain Observed Used for C2 Detected | 151.80.89.228 | 56001 | 192.168.11.30 | 50280 | TCP


AV Detection

Source: Setup64.exe; Virustotal: Detection: 12%
Source: Setup64.exe; ReversingLabs: Detection: 15%

Compliance

Source: Setup64.exe; Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: Setup64.exe; Static PE information: certificate valid
Source: Setup64.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\cpfecl.Linux.x86.pdb; source: cpfecl.Linux.x86.dll.7.dr
Source: Binary string: D:\dbs\sh\ddvsm\1002_165500_0\cmd\1g\out\Intermediate\env\viewmanager_x86retail_ED4D250F\Release\net472\Microsoft.VisualStudio.Shell.ViewManager.pdb; source: is-23SSU.tmp.4.dr, Microsoft.VisualStudio.Shell.ViewManager.dll.7.dr
Source: Binary string: D:\dbs\sh\ddvsm\1001_131954\cmd\1c\out\binaries\amd64ret\bin\amd64\Microsoft.VisualStudio.ResPkg.Internal.pdb; source: Microsoft.VisualStudio.ResPkg.Internal.dll.7.dr, is-JMHCG.tmp.4.dr
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/netstandard2.0/Newtonsoft.Json.pdbSHA256; source: Newtonsoft.Json.dll.7.dr
Source: Binary string: D:\git-sdk-64-build-installers\usr\src\MINGW-packages\mingw-w64-git\src\git\git.pdb; source: Setup64.tmp, 00000004.00000003.2123903838470.000000000636C000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\cpfecl.Linux.x86.pdbGCTL; source: cpfecl.Linux.x86.dll.7.dr
Source: Binary string: D:\dbs\sh\ddvsm\1001_131954\cmd\1c\out\binaries\amd64ret\bin\amd64\Microsoft.VisualStudio.ResPkg.Internal.pdbBSJB; source: Microsoft.VisualStudio.ResPkg.Internal.dll.7.dr, is-JMHCG.tmp.4.dr
Source: Binary string: System.Workflow.Activities.pdbL; source: is-B4U7K.tmp.4.dr
Source: Binary string: G:\o14\65_VC8\VBA\R7X64ND\presplit\vbarunjt\obj\expsrv.pdb; source: is-NGK02.tmp.4.dr
Source: Binary string: System.Workflow.Activities.pdb; source: is-B4U7K.tmp.4.dr
Source: Binary string: D:\a\git-credential-manager\git-credential-manager\out\windows\Git-Credential-Manager.UI.Windows\obj\WindowsRelease\net472\git-credential-manager-ui.pdbSHA256; source: is-ANH49.tmp.4.dr
Source: Binary string: D:\a\git-credential-manager\git-credential-manager\out\windows\Git-Credential-Manager.UI.Windows\obj\WindowsRelease\net472\git-credential-manager-ui.pdb; source: is-ANH49.tmp.4.dr
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/netstandard2.0/Newtonsoft.Json.pdb; source: Newtonsoft.Json.dll.7.dr
Source: Binary string: /_/artifacts/obj/Microsoft.Diagnostics.NETCore.Client/Release/netstandard2.0/Microsoft.Diagnostics.NETCore.Client.pdb; source: Microsoft.Diagnostics.NETCore.Client.dll.7.dr
Source: Binary string: C:\JDK7U2~1\jdk7u17\build\windows-amd64\tmp\deploy\plugin\npdeployJava1\obj\npdeployJava1.pdb; source: npdeployJava1.dll.7.dr
Source: Binary string: F:\SMGB 5\OverClock\OverClock\Release\OverDrive.pdb; source: is-1ON8V.tmp.4.dr
Source: Binary string: Microsoft.Diagnostics.NETCore.Client.ni.pdb; source: Microsoft.Diagnostics.NETCore.Client.dll.7.dr

Networking

Source: Network traffic; Suricata IDS: 2035595 - Severity 1 - ET MALWARE Generic AsyncRAT/zgRAT Style SSL Cert : 151.80.89.228:56001 -> 192.168.11.30:50280
Source: global traffic; TCP traffic: 192.168.11.30:50280 -> 151.80.89.228:56001
Source: Joe Sandbox View; ASN Name: OVHFR OVHFR
Source: Network traffic; Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.11.30:50282 -> 23.209.72.8:443
Source: Network traffic; Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.11.30:50278 -> 23.209.72.8:443
Source: unknown; TCP traffic detected without corresponding DNS query: 151.80.89.228

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match; File source: 0000000A.00000002.2124288840735.00000000029E2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000002.2124981884980.0000000002854000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: jsc.exe PID: 8508, type: MEMORYSTR
Source: Yara match; File source: Process Memory Space: jsc.exe PID: 8716, type: MEMORYSTR
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 8_2_050FDC5A8_2_050FDC5A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 8_2_050FD72E8_2_050FD72E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 8_2_050FD6478_2_050FD647
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 8_2_050FD6508_2_050FD650
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 8_2_050F21888_2_050F2188
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 8_2_050FB1D58_2_050FB1D5
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 8_2_050F001F8_2_050F001F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 8_2_050F00408_2_050F0040
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 8_2_050FB8908_2_050FB890
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 8_2_050FDB8B8_2_050FDB8B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 10_2_00F8411810_2_00F84118
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 10_2_00F8224010_2_00F82240
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 10_2_00F8447810_2_00F84478
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 10_2_00F8257810_2_00F82578
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 10_2_00F80CD010_2_00F80CD0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 10_2_00F80FA810_2_00F80FA8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 10_2_00F8105910_2_00F81059
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 10_2_00F822F110_2_00F822F1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 10_2_00F8446810_2_00F84468
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 10_2_00F8151210_2_00F81512
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 10_2_00F818FE10_2_00F818FE
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 10_2_00F819FE10_2_00F819FE
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 10_2_00F8998610_2_00F89986
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 10_2_00F89B3810_2_00F89B38
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 10_2_00F80FE210_2_00F80FE2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 10_2_00F80F9910_2_00F80F99
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 10_2_050BF51010_2_050BF510
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 10_2_050B35B010_2_050B35B0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 10_2_050B478110_2_050B4781
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 10_2_0516BEF010_2_0516BEF0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 10_2_0516BEE010_2_0516BEE0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 10_2_0516D99710_2_0516D997
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 10_2_0516D9A810_2_0516D9A8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 10_2_051669C810_2_051669C8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 10_2_051682AF10_2_051682AF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 10_2_051682C010_2_051682C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 10_2_051B218810_2_051B2188
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 10_2_051B000610_2_051B0006
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 10_2_051B004010_2_051B0040
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 12_2_00DF411812_2_00DF4118
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 12_2_00DF224012_2_00DF2240
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 12_2_00DF447812_2_00DF4478
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 12_2_00DF257812_2_00DF2578
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 12_2_00DF0CD012_2_00DF0CD0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 12_2_00DF0FA812_2_00DF0FA8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 12_2_00DF105912_2_00DF1059
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 12_2_00DF22F112_2_00DF22F1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 12_2_00DF446812_2_00DF4468
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 12_2_00DF441B12_2_00DF441B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 12_2_00DF151212_2_00DF1512
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 12_2_00DF18FE12_2_00DF18FE
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 12_2_00DF19FE12_2_00DF19FE
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 12_2_00DF9A6712_2_00DF9A67
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 12_2_00DF9B3812_2_00DF9B38
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 12_2_00DF0FE212_2_00DF0FE2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 12_2_00DF0F9B12_2_00DF0F9B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 12_2_04F0A5A812_2_04F0A5A8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 12_2_04F0866812_2_04F08668
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 12_2_04F033F812_2_04F033F8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 12_2_04F056A012_2_04F056A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 12_2_04F0DEC012_2_04F0DEC0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 12_2_04F038E512_2_04F038E5
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 12_2_04F235B012_2_04F235B0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 12_2_04F2F51012_2_04F2F510
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 12_2_04F2478112_2_04F24781
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 12_2_04FDBEF012_2_04FDBEF0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 12_2_04FDBEE012_2_04FDBEE0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 12_2_04FD69C812_2_04FD69C8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 12_2_04FDD9A812_2_04FDD9A8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 12_2_04FDD98012_2_04FDD980
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 12_2_04FD82C012_2_04FD82C0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 12_2_04FD82AF12_2_04FD82AF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 12_2_0502218812_2_05022188
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 12_2_0502000612_2_05020006
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeCode function: 12_2_0502004012_2_05020040
            Source: Joe Sandbox View | Dropped File: C:\11389406-0377-47ed-98c7-d564e683c6eb\AutoIt3.exe 1DA298CAB4D537B0B7B5DABF09BFF6A212B9E45731E0CC772F99026005FB9E48
            Source: Setup64.tmp.1.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
            Source: Setup64.tmp.1.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
            Source: Setup64.tmp.3.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
            Source: Setup64.tmp.3.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
            Source: is-LTCSU.tmp.4.dr | Static PE information: Number of sections : 11 > 10
            Source: is-U03MI.tmp.4.dr | Static PE information: Number of sections : 11 > 10
            Source: is-OI8JK.tmp.4.dr | Static PE information: Number of sections : 11 > 10
            Source: is-L5JQU.tmp.4.dr | Static PE information: Number of sections : 12 > 10
            Source: is-432HO.tmp.4.dr | Static PE information: Number of sections : 13 > 10
            Source: is-I86N2.tmp.4.dr | Static PE information: Number of sections : 11 > 10
            Source: is-7TIQP.tmp.4.dr | Static PE information: Number of sections : 11 > 10
            Source: is-R20PO.tmp.4.dr | Static PE information: No import functions for PE file found
            Source: Setup64.exe, 00000001.00000003.2123732684001.000000007FE42000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameshfolder.dll~/ vs Setup64.exe
            Source: Setup64.exe | Binary or memory string: OriginalFilenameshfolder.dll~/ vs Setup64.exe
            Source: Setup64.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
            Source: is-OI8JK.tmp.4.dr | Binary string: \Device\LanmanRedirector\
            Source: is-OI8JK.tmp.4.dr | Binary string: \Device\H
            Source: is-OI8JK.tmp.4.dr | Binary string: \Device\LanmanRedirector\;%c:%d\%s
            Source: is-OI8JK.tmp.4.dr | Binary string: \Device\LanmanRedirector\\Device\LanmanRedirector\;%c:%d\%sbasic_string::append\??\ntdll.dllNtQuerySystemInformationNtQueryObjectNtQueryInformationThreadNtQueryInformationFileNtQueryInformationProcessNtQuerySystemInformation: 0x%lx
            Source: is-5H3HC.tmp.4.dr | Binary or memory string: Find ResultsAA publish must be performed before this information is available.?Please select one of the collections of settings from the list.xThe codepage indicated by the HTML charset tag may not be correct. You may want to reopen this with a specific encoding."XML comment contains invalid XML: ?Solution Files (*%s)$*%s$Solution Filter Files (*.slnf)$*.slnf$;The document '%s' is already open. Do you want to close it?
            Source: classification engine | Classification label: mal52.troj.spyw.evad.winEXE@17/126@0/1
            Source: C:\Users\user\AppData\Local\Temp\is-N6RL8.tmp\Setup64.tmp | File created: C:\Users\user\AppData\Local\Programs
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Mutant created: NULL
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Mutant created: \Sessions\1\BaseNamedObjects\84f4929d999d
            Source: C:\Users\user\Desktop\Setup64.exe | File created: C:\Users\user\AppData\Local\Temp\is-N6RL8.tmp
            Source: C:\Users\user\Desktop\Setup64.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
            Source: C:\Users\user\AppData\Local\Temp\is-N6RL8.tmp\Setup64.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
            Source: C:\Users\user\Desktop\Setup64.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
            Source: C:\Users\user\AppData\Local\Temp\is-N6RL8.tmp\Setup64.tmp | File read: C:\Users\user\Desktop\desktop.ini
            Source: C:\Users\user\Desktop\Setup64.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: C:\Users\user\AppData\Local\Temp\is-N6RL8.tmp\Setup64.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
            Source: Setup64.exe | Virustotal: Detection: 12%
            Source: Setup64.exe | ReversingLabs: Detection: 15%
            Source: Setup64.exe | String found in binary or memory: /LOADINF="filename"
            Source: Setup64.exe | String found in binary or memory: {userappdata}\{{A46AD241-79D3-4860-A319-5E4C9914D262}\Sup\git-credential-helper-selector.exe
            Source: Setup64.exe | String found in binary or memory: -Helper process exited with failure code: 0x%x
            Source: Setup64.exe | String found in binary or memory: -HelperRegisterTypeLibrary: StatusCode invalidU
            Source: Setup64.exe | String found in binary or memory: /LoadInf=
            Source: Setup64.exe | String found in binary or memory: /InstallOnThisVersion: Invalid MinVersion string
            Source: C:\Users\user\Desktop\Setup64.exe | File read: C:\Users\user\Desktop\Setup64.exe
            Source: unknown | Process created: C:\Users\user\Desktop\Setup64.exe "C:\Users\user\Desktop\Setup64.exe"
            Source: C:\Users\user\Desktop\Setup64.exe | Process created: C:\Users\user\AppData\Local\Temp\is-N6RL8.tmp\Setup64.tmp "C:\Users\user\AppData\Local\Temp\is-N6RL8.tmp\Setup64.tmp" /SL5="$2046A,8170310,119296,C:\Users\user\Desktop\Setup64.exe"
            Source: C:\Users\user\AppData\Local\Temp\is-N6RL8.tmp\Setup64.tmp | Process created: C:\Users\user\Desktop\Setup64.exe "C:\Users\user\Desktop\Setup64.exe" /VERYSILENT
            Source: C:\Users\user\Desktop\Setup64.exe | Process created: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmp "C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmp" /SL5="$2046E,8170310,119296,C:\Users\user\Desktop\Setup64.exe" /VERYSILENT
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmp | Process created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe "C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe" randomized.a3x
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
            Source: unknown | Process created: C:\11389406-0377-47ed-98c7-d564e683c6eb\AutoIt3.exe "C:\11389406-0377-47ed-98c7-d564e683c6eb\Autoit3.exe" "C:\11389406-0377-47ed-98c7-d564e683c6eb\randomized.a3x"
            Source: C:\11389406-0377-47ed-98c7-d564e683c6eb\AutoIt3.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
            Source: unknown | Process created: C:\11389406-0377-47ed-98c7-d564e683c6eb\AutoIt3.exe "C:\11389406-0377-47ed-98c7-d564e683c6eb\Autoit3.exe" "C:\11389406-0377-47ed-98c7-d564e683c6eb\randomized.a3x"
            Source: C:\11389406-0377-47ed-98c7-d564e683c6eb\AutoIt3.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
            Source: C:\Users\user\Desktop\Setup64.exe | Section loaded: edgegdi.dll
            Source: C:\Users\user\Desktop\Setup64.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\Setup64.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\AppData\Local\Temp\is-N6RL8.tmp\Setup64.tmp | Section loaded: msimg32.dll
            Source: C:\Users\user\AppData\Local\Temp\is-N6RL8.tmp\Setup64.tmp | Section loaded: version.dll
            Source: C:\Users\user\AppData\Local\Temp\is-N6RL8.tmp\Setup64.tmp | Section loaded: mpr.dll
            Source: C:\Users\user\AppData\Local\Temp\is-N6RL8.tmp\Setup64.tmp | Section loaded: edgegdi.dll
            Source: C:\Users\user\AppData\Local\Temp\is-N6RL8.tmp\Setup64.tmp | Section loaded: uxtheme.dll
            Source: C:\Users\user\AppData\Local\Temp\is-N6RL8.tmp\Setup64.tmp | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\AppData\Local\Temp\is-N6RL8.tmp\Setup64.tmp | Section loaded: textinputframework.dll
            Source: C:\Users\user\AppData\Local\Temp\is-N6RL8.tmp\Setup64.tmp | Section loaded: coreuicomponents.dll
            Source: C:\Users\user\AppData\Local\Temp\is-N6RL8.tmp\Setup64.tmp | Section loaded: coremessaging.dll
            Source: C:\Users\user\AppData\Local\Temp\is-N6RL8.tmp\Setup64.tmp | Section loaded: ntmarta.dll
            Source: C:\Users\user\AppData\Local\Temp\is-N6RL8.tmp\Setup64.tmp | Section loaded: wintypes.dll
            Source: C:\Users\user\AppData\Local\Temp\is-N6RL8.tmp\Setup64.tmp | Section loaded: wintypes.dll
            Source: C:\Users\user\AppData\Local\Temp\is-N6RL8.tmp\Setup64.tmp | Section loaded: wintypes.dll
            Source: C:\Users\user\AppData\Local\Temp\is-N6RL8.tmp\Setup64.tmp | Section loaded: windows.storage.dll
            Source: C:\Users\user\AppData\Local\Temp\is-N6RL8.tmp\Setup64.tmp | Section loaded: wldp.dll
            Source: C:\Users\user\AppData\Local\Temp\is-N6RL8.tmp\Setup64.tmp | Section loaded: profapi.dll
            Source: C:\Users\user\AppData\Local\Temp\is-N6RL8.tmp\Setup64.tmp | Section loaded: shfolder.dll
            Source: C:\Users\user\AppData\Local\Temp\is-N6RL8.tmp\Setup64.tmp | Section loaded: rstrtmgr.dll
            Source: C:\Users\user\AppData\Local\Temp\is-N6RL8.tmp\Setup64.tmp | Section loaded: ncrypt.dll
            Source: C:\Users\user\AppData\Local\Temp\is-N6RL8.tmp\Setup64.tmp | Section loaded: ntasn1.dll
            Source: C:\Users\user\AppData\Local\Temp\is-N6RL8.tmp\Setup64.tmp | Section loaded: propsys.dll
            Source: C:\Users\user\AppData\Local\Temp\is-N6RL8.tmp\Setup64.tmp | Section loaded: edputil.dll
            Source: C:\Users\user\AppData\Local\Temp\is-N6RL8.tmp\Setup64.tmp | Section loaded: urlmon.dll
            Source: C:\Users\user\AppData\Local\Temp\is-N6RL8.tmp\Setup64.tmp | Section loaded: iertutil.dll
            Source: C:\Users\user\AppData\Local\Temp\is-N6RL8.tmp\Setup64.tmp | Section loaded: srvcli.dll
            Source: C:\Users\user\AppData\Local\Temp\is-N6RL8.tmp\Setup64.tmp | Section loaded: netutils.dll
            Source: C:\Users\user\AppData\Local\Temp\is-N6RL8.tmp\Setup64.tmp | Section loaded: windows.staterepositoryps.dll
            Source: C:\Users\user\AppData\Local\Temp\is-N6RL8.tmp\Setup64.tmp | Section loaded: sspicli.dll
            Source: C:\Users\user\AppData\Local\Temp\is-N6RL8.tmp\Setup64.tmp | Section loaded: appresolver.dll
            Source: C:\Users\user\AppData\Local\Temp\is-N6RL8.tmp\Setup64.tmp | Section loaded: bcp47langs.dll
            Source: C:\Users\user\AppData\Local\Temp\is-N6RL8.tmp\Setup64.tmp | Section loaded: slc.dll
            Source: C:\Users\user\AppData\Local\Temp\is-N6RL8.tmp\Setup64.tmp | Section loaded: userenv.dll
            Source: C:\Users\user\AppData\Local\Temp\is-N6RL8.tmp\Setup64.tmp | Section loaded: sppc.dll
            Source: C:\Users\user\AppData\Local\Temp\is-N6RL8.tmp\Setup64.tmp | Section loaded: onecorecommonproxystub.dll
            Source: C:\Users\user\AppData\Local\Temp\is-N6RL8.tmp\Setup64.tmp | Section loaded: onecoreuapcommonproxystub.dll
            Source: C:\Users\user\AppData\Local\Temp\is-N6RL8.tmp\Setup64.tmp | Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\Setup64.exe | Section loaded: edgegdi.dll
            Source: C:\Users\user\Desktop\Setup64.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\Setup64.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmp | Section loaded: msimg32.dll
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmp | Section loaded: version.dll
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmp | Section loaded: mpr.dll
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmp | Section loaded: edgegdi.dll
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmp | Section loaded: uxtheme.dll
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmp | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmp | Section loaded: textinputframework.dll
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmp | Section loaded: coreuicomponents.dll
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmp | Section loaded: coremessaging.dll
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmp | Section loaded: ntmarta.dll
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmp | Section loaded: wintypes.dll
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmp | Section loaded: wintypes.dll
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmp | Section loaded: wintypes.dll
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmp | Section loaded: windows.storage.dll
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmp | Section loaded: wldp.dll
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmp | Section loaded: profapi.dll
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmp | Section loaded: shfolder.dll
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmp | Section loaded: rstrtmgr.dll
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmp | Section loaded: ncrypt.dll
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmp | Section loaded: ntasn1.dll
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmp | Section loaded: textshaping.dll
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmp | Section loaded: sspicli.dll
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmp | Section loaded: dwmapi.dll
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmp | Section loaded: sfc.dll
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmp | Section loaded: sfc_os.dll
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmp | Section loaded: explorerframe.dll
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmp | Section loaded: apphelp.dll
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe | Section loaded: wsock32.dll
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe | Section loaded: version.dll
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe | Section loaded: winmm.dll
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe | Section loaded: mpr.dll
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe | Section loaded: wininet.dll
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe | Section loaded: iphlpapi.dll
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe | Section loaded: userenv.dll
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe | Section loaded: edgegdi.dll
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe | Section loaded: ntmarta.dll
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe | Section loaded: cryptsp.dll
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe | Section loaded: rsaenh.dll
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: mscoree.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: version.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: edgegdi.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: wldp.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: profapi.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: rsaenh.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: amsi.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: userenv.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: msasn1.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: gpapi.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: mswsock.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: secur32.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: sspicli.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: schannel.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: mskeyprotect.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: ntasn1.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: ncrypt.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: ncryptsslp.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Section loaded: wbemcomn.dll
            Source: C:\11389406-0377-47ed-98c7-d564e683c6eb\AutoIt3.exe | Section loaded: wsock32.dll
            Source: C:\11389406-0377-47ed-98c7-d564e683c6eb\AutoIt3.exe | Section loaded: version.dll
            Source: C:\11389406-0377-47ed-98c7-d564e683c6eb\AutoIt3.exe | Section loaded: winmm.dll
            Source: C:\11389406-0377-47ed-98c7-d564e683c6eb\AutoIt3.exe | Section loaded: mpr.dll
            Source: C:\11389406-0377-47ed-98c7-d564e683c6eb\AutoIt3.exe | Section loaded: wininet.dll
            Source: C:\11389406-0377-47ed-98c7-d564e683c6eb\AutoIt3.exe | Section loaded: iphlpapi.dll
            Source: C:\11389406-0377-47ed-98c7-d564e683c6eb\AutoIt3.exeSection loaded: userenv.dllJump to behavior
            Source: C:\11389406-0377-47ed-98c7-d564e683c6eb\AutoIt3.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\11389406-0377-47ed-98c7-d564e683c6eb\AutoIt3.exeSection loaded: edgegdi.dllJump to behavior
            Source: C:\11389406-0377-47ed-98c7-d564e683c6eb\AutoIt3.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\11389406-0377-47ed-98c7-d564e683c6eb\AutoIt3.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\11389406-0377-47ed-98c7-d564e683c6eb\AutoIt3.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\11389406-0377-47ed-98c7-d564e683c6eb\AutoIt3.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeSection loaded: edgegdi.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\11389406-0377-47ed-98c7-d564e683c6eb\AutoIt3.exeSection loaded: wsock32.dllJump to behavior
            Source: C:\11389406-0377-47ed-98c7-d564e683c6eb\AutoIt3.exeSection loaded: version.dllJump to behavior
            Source: C:\11389406-0377-47ed-98c7-d564e683c6eb\AutoIt3.exeSection loaded: winmm.dllJump to behavior
            Source: C:\11389406-0377-47ed-98c7-d564e683c6eb\AutoIt3.exeSection loaded: mpr.dllJump to behavior
            Source: C:\11389406-0377-47ed-98c7-d564e683c6eb\AutoIt3.exeSection loaded: wininet.dllJump to behavior
            Source: C:\11389406-0377-47ed-98c7-d564e683c6eb\AutoIt3.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\11389406-0377-47ed-98c7-d564e683c6eb\AutoIt3.exeSection loaded: userenv.dllJump to behavior
            Source: C:\11389406-0377-47ed-98c7-d564e683c6eb\AutoIt3.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\11389406-0377-47ed-98c7-d564e683c6eb\AutoIt3.exeSection loaded: edgegdi.dllJump to behavior
            Source: C:\11389406-0377-47ed-98c7-d564e683c6eb\AutoIt3.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\11389406-0377-47ed-98c7-d564e683c6eb\AutoIt3.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\11389406-0377-47ed-98c7-d564e683c6eb\AutoIt3.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\11389406-0377-47ed-98c7-d564e683c6eb\AutoIt3.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeSection loaded: edgegdi.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Temp\is-N6RL8.tmp\Setup64.tmp | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
            Source: C:\Users\user\AppData\Local\Temp\is-N6RL8.tmp\Setup64.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmp | Window found: window name: TMainForm
            Source: Window Recorder | Window detected: More than 3 window changes detected
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: Setup64.exe | Static PE information: certificate valid
            Source: Setup64.exe | Static file information: File size 9429584 > 1048576
            Source: Setup64.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
            Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\cpfecl.Linux.x86.pdb source: cpfecl.Linux.x86.dll.7.dr
            Source: Binary string: D:\dbs\sh\ddvsm\1002_165500_0\cmd\1g\out\Intermediate\env\viewmanager_x86retail_ED4D250F\Release\net472\Microsoft.VisualStudio.Shell.ViewManager.pdb source: is-23SSU.tmp.4.dr, Microsoft.VisualStudio.Shell.ViewManager.dll.7.dr
            Source: Binary string: D:\dbs\sh\ddvsm\1001_131954\cmd\1c\out\binaries\amd64ret\bin\amd64\Microsoft.VisualStudio.ResPkg.Internal.pdb source: Microsoft.VisualStudio.ResPkg.Internal.dll.7.dr, is-JMHCG.tmp.4.dr
            Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/netstandard2.0/Newtonsoft.Json.pdbSHA256 source: Newtonsoft.Json.dll.7.dr
            Source: Binary string: Unknown exceptionbad array new lengthstring too longNULLPATH exsyglindbmdlk\DFoFebAbabDbDEbcbCrtbdbEbFdbhBibilbmbobxbpbrbtbUbubvBCBkBreproexperimental:deterministicBtBt+BdBUIastfe:Baanalyze:Bnanalyze:logBzBvBYFmFCforceZ7GLbLTCGDBLDLDdopenmpXFdGmFRFrkernelarchSSEarchSSE2archAVXarchAVX2d2MPXZiZ7ZIZXGiZmZMclrclr-clrnoassemblyLNclr:netcoreZWMPMPlowpriSaw_ESaw_EPSaw_GmSaw_showIncludesSaw_YcSaw_AnalyzeLogMsyncerrMdebugMbatchdocsrclisterrorreport:prompterrorreport:queueerrorreport:senderrorreport:noneawaitawait:heapelideexternal:env:Bcapture_repro-il%t-typedil-f%f-W1-Zp8-Gs-Ot-Ob0-Fe%b.%X-pc\:/-Fdvc140.pdb-ZM-GS-GR-Zc:forScope-Zc:wchar_t-Xc-ClangMode-ClangXp-Clangstdc17-ClangPredefinedMacros-ClangPredefinedCMacros-ClangPredefinedCppMacros-ClangBuiltinMacros-ClangPredefined32bitMacros-MD-MT-MDd-MTdBk source: cpfecl.Linux.x86.dll.7.dr
            Source: Binary string: D:\git-sdk-64-build-installers\usr\src\MINGW-packages\mingw-w64-git\src\git\git.pdb source: Setup64.tmp, 00000004.00000003.2123903838470.000000000636C000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\cpfecl.Linux.x86.pdbGCTL source: cpfecl.Linux.x86.dll.7.dr
            Source: Binary string: D:\dbs\sh\ddvsm\1001_131954\cmd\1c\out\binaries\amd64ret\bin\amd64\Microsoft.VisualStudio.ResPkg.Internal.pdbBSJB source: Microsoft.VisualStudio.ResPkg.Internal.dll.7.dr, is-JMHCG.tmp.4.dr
            Source: Binary string: System.Workflow.Activities.pdbL source: is-B4U7K.tmp.4.dr
            Source: Binary string: G:\o14\65_VC8\VBA\R7X64ND\presplit\vbarunjt\obj\expsrv.pdb source: is-NGK02.tmp.4.dr
            Source: Binary string: System.Workflow.Activities.pdb source: is-B4U7K.tmp.4.dr
            Source: Binary string: D:\a\git-credential-manager\git-credential-manager\out\windows\Git-Credential-Manager.UI.Windows\obj\WindowsRelease\net472\git-credential-manager-ui.pdbSHA256 source: is-ANH49.tmp.4.dr
            Source: Binary string: D:\a\git-credential-manager\git-credential-manager\out\windows\Git-Credential-Manager.UI.Windows\obj\WindowsRelease\net472\git-credential-manager-ui.pdb source: is-ANH49.tmp.4.dr
            Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/netstandard2.0/Newtonsoft.Json.pdb source: Newtonsoft.Json.dll.7.dr
            Source: Binary string: /_/artifacts/obj/Microsoft.Diagnostics.NETCore.Client/Release/netstandard2.0/Microsoft.Diagnostics.NETCore.Client.pdb source: Microsoft.Diagnostics.NETCore.Client.dll.7.dr
            Source: Binary string: C:\JDK7U2~1\jdk7u17\build\windows-amd64\tmp\deploy\plugin\npdeployJava1\obj\npdeployJava1.pdb source: npdeployJava1.dll.7.dr
            Source: Binary string: F:\SMGB 5\OverClock\OverClock\Release\OverDrive.pdb source: is-1ON8V.tmp.4.dr
            Source: Binary string: Microsoft.Diagnostics.NETCore.Client.ni.pdb source: Microsoft.Diagnostics.NETCore.Client.dll.7.dr
            Source: is-2K6L8.tmp.4.dr | Static PE information: 0xA01E5A34 [Mon Feb 15 22:35:32 2055 UTC]
            Source: is-432HO.tmp.4.dr | Static PE information: section name: .xdata
            Source: is-432HO.tmp.4.dr | Static PE information: section name: .debug
            Source: is-LTCSU.tmp.4.dr | Static PE information: section name: .xdata
            Source: is-U03MI.tmp.4.dr | Static PE information: section name: .xdata
            Source: is-I86N2.tmp.4.dr | Static PE information: section name: .xdata
            Source: is-7TIQP.tmp.4.dr | Static PE information: section name: .xdata
            Source: is-OI8JK.tmp.4.dr | Static PE information: section name: .xdata
            Source: is-4ORF2.tmp.4.dr | Static PE information: section name: .xdata
            Source: is-NGK02.tmp.4.dr | Static PE information: section name: ENGINE
            Source: is-L5JQU.tmp.4.dr | Static PE information: section name: .rodata
            Source: is-L5JQU.tmp.4.dr | Static PE information: section name: .xdata
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Code function: 8_2_04FA12E8 push esp; retf 8_2_04FA1305
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Code function: 8_2_04FD79A8 push eax; ret 8_2_04FD79A9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Code function: 8_2_04FDBB89 push 8B03880Ch; iretd 8_2_04FDBB8E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Code function: 8_2_04FF8D38 pushad ; retf 8_2_04FF8D39
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Code function: 8_2_050F119B push esp; iretd 8_2_050F11A1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Code function: 10_2_029912EA push esp; retf 10_2_02991305
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Code function: 10_2_0299137E pushfd ; retf 10_2_02991395
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Code function: 10_2_050B8D38 pushad ; retf 10_2_050B8D39
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Code function: 10_2_051B1150 push esp; iretd 10_2_051B11A1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Code function: 12_2_04ED12E9 push esp; retf 12_2_04ED1305
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Code function: 12_2_04F079A8 push eax; ret 12_2_04F079A9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Code function: 12_2_04F0BB89 push 8B03800Ch; iretd 12_2_04F0BB8E
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Code function: 12_2_04F28D38 pushad ; retf 12_2_04F28D39
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Code function: 12_2_05022DE7 push ebx; ret 12_2_05022DEA
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmp | File created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\mswb70011.dll (copy)
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe | File created: C:\11389406-0377-47ed-98c7-d564e683c6eb\Microsoft.VisualStudio.ExtensionManager.Implementation.dll
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe | File created: C:\11389406-0377-47ed-98c7-d564e683c6eb\msys-asn1-8.dll
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmp | File created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Sup\is-0G37M.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmp | File created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\is-NSM16.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmp | File created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\System.ComponentModel.Composition.dll (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmp | File created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\is-1C971.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmp | File created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Sup\is-OI8JK.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmp | File created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\mc_dec_dv.dll (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmp | File created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Sup\git-credential-helper-selector.exe (copy)
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe | File created: C:\11389406-0377-47ed-98c7-d564e683c6eb\libnettle-8.dll
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe | File created: C:\11389406-0377-47ed-98c7-d564e683c6eb\Microsoft.VisualStudio.ResPkg.Internal.dll
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmp | File created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\WzWXFll64.dll (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmp | File created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Sup\gss-client.exe (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmp | File created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Sup\is-38B8E.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmp | File created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\libnettle-8.dll (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmp | File created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Sup\is-7TIQP.tmp
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe | File created: C:\11389406-0377-47ed-98c7-d564e683c6eb\mswb70011.dll
            Source: C:\Users\user\AppData\Local\Temp\is-N6RL8.tmp\Setup64.tmp | File created: C:\Users\user\AppData\Local\Temp\is-699U6.tmp\_isetup\_setup64.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmp | File created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Sup\is-KS1B4.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmp | File created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\is-S92KA.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmp | File created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\cpfecl.Linux.x86.dll (copy)
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe | File created: C:\11389406-0377-47ed-98c7-d564e683c6eb\msenvui.dll
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmp | File created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\is-L5JQU.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmp | File created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\is-2K6L8.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmp | File created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\is-23SSU.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmp | File created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Sup\is-PLB4B.tmp
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe | File created: C:\11389406-0377-47ed-98c7-d564e683c6eb\AutoIt3.exe
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmp | File created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Sup\is-432HO.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmp | File created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\is-G615F.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmp | File created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\is-NSVKE.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmp | File created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Microsoft.VisualStudio.Shell.ViewManager.dll (copy)
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe | File created: C:\11389406-0377-47ed-98c7-d564e683c6eb\msitss55.dll
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmp | File created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\is-KQLMG.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmp | File created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\EntityFramework.resources.dll (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmp | File created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\EXPSRV.DLL (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmp | File created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\is-NGK02.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmp | File created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Sup\is-L6VEQ.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmp | File created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Sup\odt2txt.exe (copy)
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe | File created: C:\11389406-0377-47ed-98c7-d564e683c6eb\Microsoft.Diagnostics.NETCore.Client.dll
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmp | File created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Microsoft.VisualStudio.ExtensionManager.Implementation.dll (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmp | File created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\is-U313K.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmp | File created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\msitss55.dll (copy)
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe | File created: C:\11389406-0377-47ed-98c7-d564e683c6eb\System.Text.RegularExpressions.dll
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe | File created: C:\11389406-0377-47ed-98c7-d564e683c6eb\mc_dec_dv.dll
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmp | File created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Sup\is-ANH49.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmp | File created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\msys-p11-kit-0.dll (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmp | File created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Sup\is-U03MI.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmp | File created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Sup\git-credential-manager-core.exe (copy)
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe | File created: C:\11389406-0377-47ed-98c7-d564e683c6eb\System.Drawing.Common.dll
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmp | File created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\System.Text.RegularExpressions.dll (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmp | File created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Sup\kdeltkt.exe (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmp | File created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\msenvui.dll (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmp | File created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Sup\p11-kit.exe (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmp | File created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\is-74TUK.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmp | File created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\is-R20PO.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmp | File created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\is-M22HB.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmp | File created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Microsoft.VisualStudio.ResPkg.Internal.dll (copy)
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe | File created: C:\11389406-0377-47ed-98c7-d564e683c6eb\System.ComponentModel.Composition.dll
            Source: C:\Users\user\AppData\Local\Temp\is-N6RL8.tmp\Setup64.tmp | File created: C:\Users\user\AppData\Local\Temp\is-699U6.tmp\_isetup\_iscrypt.dll
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe | File created: C:\11389406-0377-47ed-98c7-d564e683c6eb\npdeployJava1.dll
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmp | File created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\is-S4RNB.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmp | File created: C:\Users\user\AppData\Local\Temp\is-BJBCS.tmp\_isetup\_iscrypt.dll
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmp | File created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Sup\WhoUses.exe (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmp | File created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\is-JMHCG.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmp | File created: C:\Users\user\AppData\Local\Temp\is-BJBCS.tmp\_isetup\_setup64.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmp | File created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\System.Workflow.Activities.dll (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmp | File created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Sup\is-KT9TK.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmp | File created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Sup\is-I86N2.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmp | File created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Sup\is-4ORF2.tmp
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe | File created: C:\11389406-0377-47ed-98c7-d564e683c6eb\Microsoft.Azure.Management.EventHub.Fluent.dll
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmp | File created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\is-VBEKK.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmp | File created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Microsoft.Diagnostics.NETCore.Client.dll (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmp | File created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Sup\git-upload-pack.exe (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmp | File created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\is-5H3HC.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmp | File created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\is-7C32K.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmp | File created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\OverDrive.dll (copy)
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe | File created: C:\11389406-0377-47ed-98c7-d564e683c6eb\WzWXFll64.dll
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmp | File created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\npdeployJava1.dll (copy)
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe | File created: C:\11389406-0377-47ed-98c7-d564e683c6eb\Microsoft.VisualStudio.Shell.ViewManager.dll
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmp | File created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\msys-asn1-8.dll (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmp | File created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Sup\edit_test_dll.exe (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmp | File created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Microsoft.Azure.Management.EventHub.Fluent.dll (copy)
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe | File created: C:\11389406-0377-47ed-98c7-d564e683c6eb\EntityFramework.resources.dll
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmp | File created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\System.Drawing.Common.dll (copy)
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe | File created: C:\11389406-0377-47ed-98c7-d564e683c6eb\Microsoft.VisualStudio.DesignTools.DiagnosticsBase.dll
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmp | File created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\is-DFMOS.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmp | File created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Microsoft.VisualStudio.TestTools.TestSettings.dll (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmp | File created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Sup\git-credential-manager-ui.exe (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmp | File created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Newtonsoft.Json.dll (copy)
            Source: C:\Users\user\Desktop\Setup64.exeFile created: C:\Users\user\AppData\Local\Temp\is-N6RL8.tmp\Setup64.tmpJump to dropped file
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exeFile created: C:\11389406-0377-47ed-98c7-d564e683c6eb\msys-p11-kit-0.dllJump to dropped file
            Source: C:\Users\user\Desktop\Setup64.exeFile created: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmpFile created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Sup\is-L34PJ.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmpFile created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Sup\lzmadec.exe (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exeFile created: C:\11389406-0377-47ed-98c7-d564e683c6eb\EXPSRV.DLLJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmpFile created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Microsoft.WinForms.DesignTools.Protocol.dll (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmpFile created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\is-B4U7K.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmpFile created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Microsoft.VisualStudio.DesignTools.DiagnosticsBase.dll (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmpFile created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Sup\x86_64-w64-mingw32-agrep.exe (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmpFile created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\is-LJ2EL.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmpFile created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\is-523VQ.tmpJump to dropped file
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exeFile created: C:\11389406-0377-47ed-98c7-d564e683c6eb\cpfecl.Linux.x86.dllJump to dropped file
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exeFile created: C:\11389406-0377-47ed-98c7-d564e683c6eb\Microsoft.VisualStudio.TestTools.TestSettings.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmpFile created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Sup\is-LTCSU.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmpFile created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Sup\git-credential-manager.exe (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-N6RL8.tmp\Setup64.tmpFile created: C:\Users\user\AppData\Local\Temp\is-699U6.tmp\_isetup\_shfoldr.dllJump to dropped file
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exeFile created: C:\11389406-0377-47ed-98c7-d564e683c6eb\Newtonsoft.Json.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmpFile created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmpFile created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\is-1ON8V.tmpJump to dropped file
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exeFile created: C:\11389406-0377-47ed-98c7-d564e683c6eb\System.Workflow.Activities.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmpFile created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Sup\klist.exe (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmpFile created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\is-CEK3B.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmpFile created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\is-23SFU.tmpJump to dropped file
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exeFile created: C:\11389406-0377-47ed-98c7-d564e683c6eb\OverDrive.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmpFile created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\is-E76AU.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmpFile created: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Sup\unxz.exe (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exeFile created: C:\11389406-0377-47ed-98c7-d564e683c6eb\Microsoft.WinForms.DesignTools.Protocol.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmpFile created: C:\Users\user\AppData\Local\Temp\is-BJBCS.tmp\_isetup\_shfoldr.dllJump to dropped file

            Boot Survival

            Source: Yara match; File source: 0000000A.00000002.2124288840735.00000000029E2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000008.00000002.2124981884980.0000000002854000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: Process Memory Space: jsc.exe PID: 8508, type: MEMORYSTR
            Source: Yara match; File source: Process Memory Space: jsc.exe PID: 8716, type: MEMORYSTR
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe; Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce randomized
            Source: C:\Users\user\Desktop\Setup64.exe; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\is-N6RL8.tmp\Setup64.tmp; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\is-N6RL8.tmp\Setup64.tmp; Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmp; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; Process information set: NOOPENFILEERRORBOX
            Source: C:\11389406-0377-47ed-98c7-d564e683c6eb\AutoIt3.exe; Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: Yara match; File source: 0000000A.00000002.2124288840735.00000000029E2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: 00000008.00000002.2124981884980.0000000002854000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: Process Memory Space: jsc.exe PID: 8508, type: MEMORYSTR
            Source: Yara match; File source: Process Memory Space: jsc.exe PID: 8716, type: MEMORYSTR
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_PhysicalMemory
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_DiskDrive
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; Memory allocated: 26A0000 memory reserve | memory write watch
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; Memory allocated: 2830000 memory reserve | memory write watch
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; Memory allocated: 4830000 memory reserve | memory write watch
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; Memory allocated: F40000 memory reserve | memory write watch
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; Memory allocated: 29B0000 memory reserve | memory write watch
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; Memory allocated: 2770000 memory reserve | memory write watch
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; Memory allocated: DB0000 memory reserve | memory write watch
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; Memory allocated: 27B0000 memory reserve | memory write watch
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; Memory allocated: 26B0000 memory reserve | memory write watch
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; Thread delayed: delay time: 922337203685477
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe; Window / User API: threadDelayed 9963
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\mswb70011.dll (copy)
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe; Dropped PE file which has not been started: C:\11389406-0377-47ed-98c7-d564e683c6eb\Microsoft.VisualStudio.ExtensionManager.Implementation.dll
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe; Dropped PE file which has not been started: C:\11389406-0377-47ed-98c7-d564e683c6eb\msys-asn1-8.dll
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Sup\is-0G37M.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\is-NSM16.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\System.ComponentModel.Composition.dll (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\is-1C971.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Sup\is-OI8JK.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Sup\git-credential-helper-selector.exe (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\mc_dec_dv.dll (copy)
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe; Dropped PE file which has not been started: C:\11389406-0377-47ed-98c7-d564e683c6eb\libnettle-8.dll
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe; Dropped PE file which has not been started: C:\11389406-0377-47ed-98c7-d564e683c6eb\Microsoft.VisualStudio.ResPkg.Internal.dll
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\WzWXFll64.dll (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Sup\gss-client.exe (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\libnettle-8.dll (copy)
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Sup\is-38B8E.tmp
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe; Dropped PE file which has not been started: C:\11389406-0377-47ed-98c7-d564e683c6eb\mswb70011.dll
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmp; Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Sup\is-7TIQP.tmp
            Source: C:\Users\user\AppData\Local\Temp\is-N6RL8.tmp\Setup64.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-699U6.tmp\_isetup\_setup64.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Sup\is-KS1B4.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\is-S92KA.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\cpfecl.Linux.x86.dll (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exeDropped PE file which has not been started: C:\11389406-0377-47ed-98c7-d564e683c6eb\msenvui.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\is-L5JQU.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\is-2K6L8.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\is-23SSU.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Sup\is-PLB4B.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Sup\is-432HO.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\is-G615F.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Microsoft.VisualStudio.Shell.ViewManager.dll (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exeDropped PE file which has not been started: C:\11389406-0377-47ed-98c7-d564e683c6eb\msitss55.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\is-KQLMG.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\EntityFramework.resources.dll (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\EXPSRV.DLL (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Sup\odt2txt.exe (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Sup\is-L6VEQ.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\is-NGK02.tmpJump to dropped file
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exeDropped PE file which has not been started: C:\11389406-0377-47ed-98c7-d564e683c6eb\Microsoft.Diagnostics.NETCore.Client.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Microsoft.VisualStudio.ExtensionManager.Implementation.dll (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\msitss55.dll (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\is-U313K.tmpJump to dropped file
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exeDropped PE file which has not been started: C:\11389406-0377-47ed-98c7-d564e683c6eb\System.Text.RegularExpressions.dllJump to dropped file
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exeDropped PE file which has not been started: C:\11389406-0377-47ed-98c7-d564e683c6eb\mc_dec_dv.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\msys-p11-kit-0.dll (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Sup\is-ANH49.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Sup\is-U03MI.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Sup\git-credential-manager-core.exe (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exeDropped PE file which has not been started: C:\11389406-0377-47ed-98c7-d564e683c6eb\System.Drawing.Common.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\System.Text.RegularExpressions.dll (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Sup\kdeltkt.exe (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\msenvui.dll (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Sup\p11-kit.exe (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\is-74TUK.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Microsoft.VisualStudio.ResPkg.Internal.dll (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\is-R20PO.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\is-M22HB.tmpJump to dropped file
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exeDropped PE file which has not been started: C:\11389406-0377-47ed-98c7-d564e683c6eb\System.ComponentModel.Composition.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-N6RL8.tmp\Setup64.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-699U6.tmp\_isetup\_iscrypt.dllJump to dropped file
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exeDropped PE file which has not been started: C:\11389406-0377-47ed-98c7-d564e683c6eb\npdeployJava1.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\is-S4RNB.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-BJBCS.tmp\_isetup\_iscrypt.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Sup\WhoUses.exe (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\is-JMHCG.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-BJBCS.tmp\_isetup\_setup64.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\System.Workflow.Activities.dll (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Sup\is-KT9TK.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Sup\is-I86N2.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Sup\is-4ORF2.tmpJump to dropped file
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exeDropped PE file which has not been started: C:\11389406-0377-47ed-98c7-d564e683c6eb\Microsoft.Azure.Management.EventHub.Fluent.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\is-VBEKK.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Microsoft.Diagnostics.NETCore.Client.dll (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Sup\git-upload-pack.exe (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\is-5H3HC.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\is-7C32K.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\OverDrive.dll (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exeDropped PE file which has not been started: C:\11389406-0377-47ed-98c7-d564e683c6eb\WzWXFll64.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\npdeployJava1.dll (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exeDropped PE file which has not been started: C:\11389406-0377-47ed-98c7-d564e683c6eb\Microsoft.VisualStudio.Shell.ViewManager.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\msys-asn1-8.dll (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Sup\edit_test_dll.exe (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exeDropped PE file which has not been started: C:\11389406-0377-47ed-98c7-d564e683c6eb\EntityFramework.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Microsoft.Azure.Management.EventHub.Fluent.dll (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\System.Drawing.Common.dll (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exeDropped PE file which has not been started: C:\11389406-0377-47ed-98c7-d564e683c6eb\Microsoft.VisualStudio.DesignTools.DiagnosticsBase.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Microsoft.VisualStudio.TestTools.TestSettings.dll (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\is-DFMOS.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Sup\git-credential-manager-ui.exe (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Newtonsoft.Json.dll (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exeDropped PE file which has not been started: C:\11389406-0377-47ed-98c7-d564e683c6eb\msys-p11-kit-0.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Sup\lzmadec.exe (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Sup\is-L34PJ.tmpJump to dropped file
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exeDropped PE file which has not been started: C:\11389406-0377-47ed-98c7-d564e683c6eb\EXPSRV.DLLJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Microsoft.WinForms.DesignTools.Protocol.dll (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\is-B4U7K.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Sup\x86_64-w64-mingw32-agrep.exe (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Microsoft.VisualStudio.DesignTools.DiagnosticsBase.dll (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\is-LJ2EL.tmpJump to dropped file
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exeDropped PE file which has not been started: C:\11389406-0377-47ed-98c7-d564e683c6eb\cpfecl.Linux.x86.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\is-523VQ.tmpJump to dropped file
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exeDropped PE file which has not been started: C:\11389406-0377-47ed-98c7-d564e683c6eb\Microsoft.VisualStudio.TestTools.TestSettings.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Sup\is-LTCSU.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Sup\git-credential-manager.exe (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-N6RL8.tmp\Setup64.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-699U6.tmp\_isetup\_shfoldr.dllJump to dropped file
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exeDropped PE file which has not been started: C:\11389406-0377-47ed-98c7-d564e683c6eb\Newtonsoft.Json.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\is-1ON8V.tmpJump to dropped file
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exeDropped PE file which has not been started: C:\11389406-0377-47ed-98c7-d564e683c6eb\System.Workflow.Activities.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Sup\klist.exe (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\is-23SFU.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\is-CEK3B.tmpJump to dropped file
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exeDropped PE file which has not been started: C:\11389406-0377-47ed-98c7-d564e683c6eb\OverDrive.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\is-E76AU.tmpJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\Sup\unxz.exe (copy)Jump to dropped file
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exeDropped PE file which has not been started: C:\11389406-0377-47ed-98c7-d564e683c6eb\Microsoft.WinForms.DesignTools.Protocol.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-BJBCS.tmp\_isetup\_shfoldr.dllJump to dropped file
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8596 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8596 | Thread sleep time: -36000s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8612 | Thread sleep count: 9963 > 30
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8596 | Thread sleep time: -35891s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8596 | Thread sleep time: -35781s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8596 | Thread sleep time: -35672s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8596 | Thread sleep time: -35563s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8596 | Thread sleep time: -35453s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8596 | Thread sleep time: -35344s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8596 | Thread sleep time: -35219s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8596 | Thread sleep time: -35109s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8596 | Thread sleep time: -35000s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8596 | Thread sleep time: -34891s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8596 | Thread sleep time: -34781s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8596 | Thread sleep time: -34672s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8596 | Thread sleep time: -34563s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8756 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8856 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\AppData\Local\Temp\is-N6RL8.tmp\Setup64.tmp | Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070409
            Source: C:\Users\user\AppData\Local\Temp\is-N6RL8.tmp\Setup64.tmp | Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04090409
            Source: C:\Users\user\AppData\Local\Temp\is-N6RL8.tmp\Setup64.tmp | Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08090809
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmp | Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070409
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmp | Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04090409
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmp | Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08090809
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Thread delayed: delay time: 36000
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Thread delayed: delay time: 35891
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Thread delayed: delay time: 35781
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Thread delayed: delay time: 35672
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Thread delayed: delay time: 35563
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Thread delayed: delay time: 35453
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Thread delayed: delay time: 35344
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Thread delayed: delay time: 35219
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Thread delayed: delay time: 35109
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Thread delayed: delay time: 35000
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Thread delayed: delay time: 34891
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Thread delayed: delay time: 34781
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Thread delayed: delay time: 34672
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Thread delayed: delay time: 34563
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Thread delayed: delay time: 922337203685477
            Source: is-0G37M.tmp.4.dr | Binary or memory string: VMware, Inc.1>0<
            Source: AutoIt3.exe, 0000000B.00000003.2124132169902.0000000003AE4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: @UVMCIG3 tbheeszjsh
            Source: is-0G37M.tmp.4.dr | Binary or memory string: http://www.vmware.com/0
            Source: is-0G37M.tmp.4.dr | Binary or memory string: VMware, Inc.0
            Source: AutoIt3.exe, 00000007.00000003.2124019967380.0000000004191000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ZPUZXPXK_ZPJZXZOJ_OHTVMCIIQ]
            Source: jsc.exe, 00000008.00000002.2124978680788.0000000000808000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: C:\Users\user\AppData\Local\Temp\is-JJO02.tmp\Setup64.tmp | Process information queried: ProcessInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Process token adjusted: Debug
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | Memory allocated: page read and write | page guard
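Two of the findings above deserve a second look before the report is filed. The sleep value 922337203685477 is not a random huge number: Sleep(INFINITE) and Thread.Sleep(Timeout.Infinite) reach NtDelayExecution with the relative interval 0x8000000000000000 in 100 ns units, and that value divided by 10,000 is exactly 922337203685477, so three jsc.exe threads (8596, 8756, 8856) parked themselves forever while a fourth counted down a series of roughly 35 s waits. And the "Memory allocated" / "Memory written" pairs in the HIPS section that follows are the two halves of one action: AutoIt3.exe reserves an executable region inside the signed Microsoft JScript compiler jsc.exe and then writes a buffer starting with 4D5A ("MZ"), i.e. a PE image, into it. The following script is an added example (not Joe Sandbox code) that parses report lines in the "Source: <process> | <finding>" form used on this page, totals the sleeps per thread while recognising the INFINITE sentinel, and pairs each foreign allocation with its write. The input lines are constructed from this report's own findings; the sleep values are treated as milliseconds (the NtDelayExecution interval divided by 10,000), which is this editor's reading of the report's "s" suffix rather than a documented unit.

```python
"""Triage of the sleep and foreign-process memory findings in this report.

Added example, not Joe Sandbox code. Input lines are constructed from the
report's own findings in the form 'Source: <process> | <finding>'.
"""
import re
from collections import defaultdict

# Sleep(INFINITE) / Thread.Sleep(Timeout.Infinite) reach NtDelayExecution with the
# relative interval 0x8000000000000000 (100 ns units). The report prints that
# interval divided by 10,000, so the sentinel appears as 922337203685477.
INFINITE_SENTINEL = (1 << 63) // 10_000          # 922337203685477

JSC = "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\jsc.exe"
AUTOIT_ROAMING = "C:\\Users\\user\\AppData\\Roaming\\{A46AD241-79D3-4860-A319-5E4C9914D262}\\AutoIt3.exe"
AUTOIT_GUID_DIR = "C:\\11389406-0377-47ed-98c7-d564e683c6eb\\AutoIt3.exe"

# Constructed from the 'Thread sleep' lines of this report: TID 8596 performs one
# INFINITE wait plus a countdown of ~35 s waits; 8756 and 8856 each wait INFINITE once.
_SLEEP_8596 = [922337203685477, 36000, 35891, 35781, 35672, 35563, 35453, 35344,
               35219, 35109, 35000, 34891, 34781, 34672, 34563]
SLEEP_LINES = (
    [f"Source: {JSC} TID: 8596 | Thread sleep time: -{v}s >= -30000s" for v in _SLEEP_8596]
    + [f"Source: {JSC} TID: 8612 | Thread sleep count: 9963 > 30"]
    + [f"Source: {JSC} TID: {tid} | Thread sleep time: -922337203685477s >= -30000s" for tid in (8756, 8856)]
)

# Constructed from the HIPS / PFW section: three executable allocations inside
# jsc.exe, one of which is followed by a write that starts with the PE magic 4D5A.
INJECT_LINES = [
    f"Source: {AUTOIT_ROAMING} | Memory allocated: {JSC} base: 710000 protect: page execute and read and write",
    f"Source: {AUTOIT_GUID_DIR} | Memory allocated: {JSC} base: 800000 protect: page execute and read and write",
    f"Source: {AUTOIT_GUID_DIR} | Memory allocated: {JSC} base: 340000 protect: page execute and read and write",
    f"Source: {AUTOIT_ROAMING} | Memory written: {JSC} base: 710000 value starts with: 4D5A",
]

SLEEP_RE = re.compile(r"^Source: (?P<proc>.+?) TID: (?P<tid>\d+) \| Thread sleep (?P<kind>time|count): -?(?P<value>\d+)")
INJECT_RE = re.compile(
    r"^Source: (?P<src>.+?) \| Memory (?P<op>allocated|written): (?P<target>.+?) base: (?P<base>[0-9A-Fa-f]+)"
    r"(?: protect: (?P<prot>.+?))?(?: value starts with: (?P<magic>[0-9A-Fa-f]+))?$"
)


def summarise_sleeps(lines):
    """Per thread: finite sleep total (report units, read here as milliseconds),
    number of INFINITE waits and the reported sleep-call count."""
    per_tid = defaultdict(lambda: {"finite": 0, "infinite": 0, "calls": 0})
    for line in lines:
        m = SLEEP_RE.match(line)
        if not m:
            continue
        entry, value = per_tid[int(m["tid"])], int(m["value"])
        if m["kind"] == "count":
            entry["calls"] = value
        elif value == INFINITE_SENTINEL:
            entry["infinite"] += 1
        else:
            entry["finite"] += value
    return dict(per_tid)


def correlate_injection(lines):
    """Pair each foreign allocation with any write to the same (source, target, base).
    An executable region that receives an MZ header holds a PE image injected into
    another process; an executable allocation alone is still worth flagging."""
    regions = defaultdict(dict)
    for line in lines:
        m = INJECT_RE.match(line)
        if not m:
            continue
        key = (m["src"], m["target"], m["base"].upper())
        if m["op"] == "allocated":
            regions[key]["executable"] = "execute" in (m["prot"] or "")
        else:
            regions[key]["pe_header"] = (m["magic"] or "").upper().startswith("4D5A")
    findings = []
    for (src, target, base), r in regions.items():
        if r.get("executable") and r.get("pe_header"):
            level = "high"
        elif r.get("executable"):
            level = "medium"
        else:
            continue
        findings.append({"source": src, "target": target, "base": base, "level": level})
    return findings


if __name__ == "__main__":
    for tid, s in sorted(summarise_sleeps(SLEEP_LINES).items()):
        print(f"TID {tid}: finite={s['finite']} infinite={s['infinite']} calls={s['calls']}")
    for f in correlate_injection(INJECT_LINES):
        print(f"[{f['level']}] {f['source']} -> {f['target']} @ {f['base']}")
```

Run against this report the script reports about 494 s of finite waiting plus one INFINITE wait on TID 8596, one INFINITE wait each on 8756 and 8856, and flags base 710000 in jsc.exe as high (allocated executable by the Roaming AutoIt3.exe and then written with an MZ header); the two regions at 800000 and 340000 come from the second AutoIt3.exe copy and show only the allocation, so they stay at medium. For hunting, the same pairing maps onto Sysmon: a non-Microsoft parent launching jsc.exe (event 1) followed by CreateRemoteThread or process access with VM_WRITE rights against it (events 8 and 10).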

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 710000 protect: page execute and read and write
            Source: C:\11389406-0377-47ed-98c7-d564e683c6eb\AutoIt3.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 800000 protect: page execute and read and write
            Source: C:\11389406-0377-47ed-98c7-d564e683c6eb\AutoIt3.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 340000 protect: page execute and read and write
            Source: jsc.exe, 0000000A.00000002.2124288840735.00000000029E2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: 151.80.89.228MIIE6jCCAtKgAwIBAgIQAIz7ti31iLXCGWvZRMysUTANBgkqhkiG9w0BAQ0FADAWMRQwEgYDVQQDDAtJZnp0YW9yZW5oeDAgFw0yNTAxMDkyMzAyMzRaGA85OTk5MTIzMTIzNTk1OVowFjEUMBIGA1UEAwwLSWZ6dGFvcmVuaHgwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDJ/igtswXITod6eGGJzKxJqTxQ8nTbLujhtl9v6RnFixeRlkkCfA8Y0R2U/KEerSwr361AQubsJxu+zt31Zf47erUjwGDRNS3ayR8S2Y9JHFIQfgSaVBXIqCndHrNhnIJjm/6m0CiwmtGcGbRljY+h6r0T9QCU93app6Ptkbcj5WFjfowPuON1nObMv55JVJMHDqYAGixssTEwbyzc4A8XDW6nkHd3C3brr02SahG/MYAErhgYoXqHe9xyVZlKa3DgLK2LHxpa/2dLJs9DidIc2jjYGv6PucbAZgAK6NIDXIwd8AVIoESdpd4i6kU+XfPl0kg/NmGAkuy+vTiUkvETyGiUwoX/fYh6ek3AvDbTp+LR+gMfviYL2H6iEJQ1fj8uExG1pn5R3JOIy6EfQulSQDIqSjFIo0Y0yEqj63KCcSqiLLMF1NCgpEbEmhMu003yZduwCc2p5OS9fjeF4UJaayV3G1QsMTVa4bGCdQBZ1w+GoTdh8g8rBHbHRpzLKVJ+9gOH8EZqqgNVriTUkgJRJrx43gS0rkRCGtpSkSK69vFSl3iy8J+Dt5IvMZ7pwLysIiwRuo/67fi6isYMXl/Qi3dablet1tDly1a4pY5ZSRI/eiQ2xFHNIaLzh3LYVRLgKEJvGwpLP80fX7ysdqliGY1+Nv0MmdfDpS6xCHP7gwIDAQABozIwMDAdBgNVHQ4EFgQUxn8bCqajKgK0YyBdVNxPZKLT+sswDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQ0FAAOCAgEAu8znn0d0wM3PYQFXxQCBAfArgwTKrjrvr5j3s6Zc4//UfRWBras18WXDoLMWpVKJUR7Up5/pyCF+L24bjxlas8qi2tG2f6qlTX4XXRPtA6LWNtjekyOxJPj0E6j7t7ZaDW+Jk5yqHKdI7UM+O++MUpJ10Q3x9uBQxEeciG9nSWX4Gho+yFD63v/R1lwoXS2jJXBXyA4HijO7MUfHY5gqPz3oeTAyHIGj1HmAsc5xlrMzpFc65LwBZJVzm4yWmkF/kdEVfTL8vCD4WGUFy5yBKz4bHtef9g1Qo+riIHk9FN4cJYeZh6ynQ8d6VWF3QvHWLGW4Idq7E3PZ2ucOIOkwH+8SLSiRIdUAWF32ZS1DnzSlX4oVM4KabyEjIE0BE5DYJrt066TG2rPTejU7OCxYBnfd5t5xOIrUpm42g6x4nGdyL9FyKxXcOQ6wGxH6i2diQbnfelW2iHfa51hCBqr1RPGY02kjlGV77O1JsAzBOZT7yrdwys+6Wu3a6xuWaNFyMTjHFmFZwTBP6oFZmK6k9W+AqrbLIdLs04QJuHJNVuoTB1mw7+5zl7ZiEcRDO8SxHhi22ezhP0OggSUFLp0ExU0WBcadbppvVwS5UAylAaFa4vvdZ5W4SoCxPt/N7hOaAtZGFf5F3pSwDxAGpWiXUzSBmPRwxO0IxF8Bh0xBzL0="Default:BAPPDATAJ84f4929d999d
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 710000 value starts with: 4D5A
            Source: C:\11389406-0377-47ed-98c7-d564e683c6eb\AutoIt3.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 800000 value starts with: 4D5A
            Source: C:\11389406-0377-47ed-98c7-d564e683c6eb\AutoIt3.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 340000 value starts with: 4D5A
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 710000
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 4C1000
            Source: C:\11389406-0377-47ed-98c7-d564e683c6eb\AutoIt3.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 800000
            Source: C:\11389406-0377-47ed-98c7-d564e683c6eb\AutoIt3.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 779000
            Source: C:\11389406-0377-47ed-98c7-d564e683c6eb\AutoIt3.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 340000
            Source: C:\11389406-0377-47ed-98c7-d564e683c6eb\AutoIt3.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 437000
            Source: C:\Users\user\AppData\Local\Temp\is-N6RL8.tmp\Setup64.tmp	Process created: C:\Users\user\Desktop\Setup64.exe "C:\Users\user\Desktop\Setup64.exe" /VERYSILENT
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
            Source: C:\11389406-0377-47ed-98c7-d564e683c6eb\AutoIt3.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
            Source: C:\11389406-0377-47ed-98c7-d564e683c6eb\AutoIt3.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
            Source: AutoIt3.exe, 00000007.00000000.2123903185115.00000000007E1000.00000002.00000001.01000000.0000000C.sdmp, AutoIt3.exe, 00000009.00000000.2124047192710.00000000007D1000.00000002.00000001.01000000.0000000F.sdmp, AutoIt3.exe, 0000000B.00000000.2124128164815.00000000007D1000.00000002.00000001.01000000.0000000F.sdmp	Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
            Source: jsc.exe, 00000008.00000002.2124981884980.0000000002BE4000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000008.00000002.2124981884980.0000000002BBA000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000008.00000002.2124981884980.0000000002B8E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
            Source: jsc.exe, 00000008.00000002.2124981884980.0000000002BE4000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000008.00000002.2124992120024.00000000059A0000.00000004.00000020.00020000.00000000.sdmp, jsc.exe, 00000008.00000002.2124981884980.0000000002BBA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager*
            Source: jsc.exe, 00000008.00000002.2124981884980.0000000002BE4000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000008.00000002.2124981884980.0000000002BBA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program ManagerTe
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe VolumeInformation
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe VolumeInformation
            Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
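The three event types in this section (an executable-and-writable allocation in a foreign process, a write into that process whose first bytes are 4D5A, the "MZ" header of a PE image, and the creation of that same process) are the raw evidence behind the report's "Allocates memory in foreign processes", "Writes to foreign memory regions" and "Injects a PE file into a foreign processes" signatures. The Python below is an added example, not part of the Joe Sandbox report or its tooling: it parses evidence lines in the form printed above (the constructed input is this section's lines copied as the page shows them) and joins them per injector/target pair, so that a pair is only reported when an MZ-headed buffer was written at a base the injector itself had made executable in a child it created. The line grammar the regexes accept is an assumption drawn from how the lines appear here.

```python
import re
from collections import defaultdict

# Constructed input: the evidence lines of this report's "HIPS / PFW /
# Operating System Protection Evasion" section, copied as the page prints
# them (the source path runs straight into the event name; the
# "Jump to behavior" link text is dropped).
EVENTS = r"""
Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 710000 protect: page execute and read and write
Source: C:\11389406-0377-47ed-98c7-d564e683c6eb\AutoIt3.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 800000 protect: page execute and read and write
Source: C:\11389406-0377-47ed-98c7-d564e683c6eb\AutoIt3.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 340000 protect: page execute and read and write
Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 710000 value starts with: 4D5A
Source: C:\11389406-0377-47ed-98c7-d564e683c6eb\AutoIt3.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 800000 value starts with: 4D5A
Source: C:\11389406-0377-47ed-98c7-d564e683c6eb\AutoIt3.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 340000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 4C1000
Source: C:\11389406-0377-47ed-98c7-d564e683c6eb\AutoIt3.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 779000
Source: C:\11389406-0377-47ed-98c7-d564e683c6eb\AutoIt3.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 437000
Source: C:\Users\user\AppData\Local\Temp\is-N6RL8.tmp\Setup64.tmpProcess created: C:\Users\user\Desktop\Setup64.exe "C:\Users\user\Desktop\Setup64.exe" /VERYSILENT
Source: C:\Users\user\AppData\Roaming\{A46AD241-79D3-4860-A319-5E4C9914D262}\AutoIt3.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
Source: C:\11389406-0377-47ed-98c7-d564e683c6eb\AutoIt3.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
"""

# Line grammar (assumed from the lines above): "Source: <path><event>: <details>".
# The source path is matched lazily so the missing separator before the
# event name does not matter.
EVENT_RE = re.compile(
    r"^Source: (?P<source>.+?)(?P<kind>Memory allocated|Memory written|Process created): (?P<rest>.+)$"
)
DETAIL_RE = {
    "Memory allocated": re.compile(
        r"^(?P<target>.+?) base: (?P<base>[0-9A-Fa-f]+) protect: (?P<protect>.+)$"),
    "Memory written": re.compile(
        r"^(?P<target>.+?) base: (?P<base>[0-9A-Fa-f]+)(?: value starts with: (?P<magic>[0-9A-Fa-f]+))?$"),
    "Process created": re.compile(r'^(?P<target>.+?) (?P<cmdline>".*)$'),
}


def parse_events(text):
    """Turn report lines into dicts: source, kind, target plus per-kind details."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        detail = DETAIL_RE[m["kind"]].match(m["rest"])
        if not detail:
            continue
        events.append({"source": m["source"], "kind": m["kind"], **detail.groupdict()})
    return events


def detect_pe_injection(text):
    """Report (injector, victim) pairs where the injector allocated an
    executable+writable region in the victim, wrote an MZ-headed buffer at
    that same base, and is also the process that created the victim."""
    state = defaultdict(lambda: {"rwx": set(), "mz": set(), "created": False})
    for ev in parse_events(text):
        pair = state[(ev["source"], ev["target"])]
        if ev["kind"] == "Memory allocated":
            prot = ev["protect"].lower()
            if "execute" in prot and "write" in prot:
                pair["rwx"].add(ev["base"].upper())
        elif ev["kind"] == "Memory written":
            if (ev.get("magic") or "").upper().startswith("4D5A"):   # "MZ"
                pair["mz"].add(ev["base"].upper())
        else:
            pair["created"] = True
    findings = []
    for (source, target), pair in sorted(state.items()):
        bases = sorted(pair["rwx"] & pair["mz"])     # RWX region that received a PE
        if bases and pair["created"]:
            findings.append({"source": source, "target": target, "image_bases": bases})
    return findings


if __name__ == "__main__":
    for f in detect_pe_injection(EVENTS):
        print(f"{f['source']} -> {f['target']} (PE written at {', '.join(f['image_bases'])})")
```

Run as a script it yields two pairs, both AutoIt3.exe copies injecting into jsc.exe (one image at 710000, two at 340000 and 800000). The Setup64.tmp relaunch of Setup64.exe with /VERYSILENT is not reported, because nothing was written into that child; the extra writes at 4C1000, 779000 and 437000 are also left out, since the report records no MZ header for them.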

            Lowering of HIPS / PFW / Operating System Security Settings

            Source: Yara match	File source: 0000000A.00000002.2124288840735.00000000029E2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match	File source: 00000008.00000002.2124981884980.0000000002854000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match	File source: Process Memory Space: jsc.exe PID: 8508, type: MEMORYSTR
            Source: Yara match	File source: Process Memory Space: jsc.exe PID: 8716, type: MEMORYSTR
            Source: Setup64.exe, 00000001.00000003.2123741161004.000000000233A000.00000004.00001000.00020000.00000000.sdmp, Setup64.tmp, 00000002.00000003.2123737029921.000000000237E000.00000004.00001000.00020000.00000000.sdmp, Setup64.tmp, 00000002.00000003.2123737029921.0000000002310000.00000004.00001000.00020000.00000000.sdmp, Setup64.exe, 00000003.00000003.2123913925990.0000000000B31000.00000004.00001000.00020000.00000000.sdmp, Setup64.tmp, 00000004.00000003.2123908945364.0000000002328000.00000004.00001000.00020000.00000000.sdmp, Setup64.tmp, 00000004.00000003.2123908945364.0000000002394000.00000004.00001000.00020000.00000000.sdmp, Setup64.tmp, 00000004.00000003.2123908607080.00000000034E2000.00000004.00001000.00020000.00000000.sdmp, Setup64.tmp, 00000004.00000003.2123908945364.000000000239C000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: avgui.exe
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntiVirusProduct

            Stealing of Sensitive Information

            Source: jsc.exe, 00000008.00000002.2124981884980.0000000002B37000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Electrum
            Source: jsc.exe, 00000008.00000002.2124981884980.0000000002D1A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Jaxx L4
            Source: jsc.exe, 00000008.00000002.2124981884980.0000000002B37000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: q4C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
            Source: jsc.exe, 00000008.00000002.2124981884980.0000000002B37000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: q1C:\Users\user\AppData\Roaming\Ethereum\keystore
            Source: jsc.exe, 00000008.00000002.2124981884980.0000000002D1A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Exodus4
            Source: jsc.exe, 00000008.00000002.2124981884980.0000000002B37000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Ethereum
            Source: jsc.exe, 00000008.00000002.2124981884980.0000000002B37000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: keystore
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe	Key opened: HKEY_CURRENT_USER\Software\Bitcoin\Bitcoin-Qt
            Source: Yara match	File source: 0000000A.00000002.2124288840735.00000000029E2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match	File source: 00000008.00000002.2124981884980.0000000002854000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match	File source: Process Memory Space: jsc.exe PID: 8508, type: MEMORYSTR
            Source: Yara match	File source: Process Memory Space: jsc.exe PID: 8716, type: MEMORYSTR
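The first Yara match above points at jsc.exe dump 0000000A.00000002.2124288840735.00000000029E2000, the same region in which the HIPS / PFW / Operating System Protection Evasion section lists a string that begins with 151.80.89.228 (the address from the network section) immediately followed by a base64-encoded DER certificate. The Python below is an added example, not from the report or from Joe Sandbox: it carves the host and the certificate out of that string and decodes the certificate with a minimal DER walker (standard library only), returning the serial, issuer, subject, validity and SHA-256 fingerprint a practitioner needs for a TLS-fingerprint blocklist or a retro-hunt. The certificate text is copied verbatim from the report; the carve regex and the re-padding step are assumptions about how such strings sit in memory.

```python
import base64
import hashlib
import re

# Input copied from the report (jsc.exe dump ...029E2000): the C2 address
# runs straight into the base64 certificate; the text after the closing
# quote is unrelated neighbouring memory and is ignored by the carve.
MEMORY_STRING = (
    "151.80.89.228"
    "MIIE6jCCAtKgAwIBAgIQAIz7ti31iLXCGWvZRMysUTANBgkqhkiG9w0BAQ0FADAWMRQwEgYDVQQDDAtJZnp0YW9yZW5oeDAgFw0yNTAxMDkyMzAyMzRaGA85OTk5MTIzMTIzNTk1OVowFjEUMBIGA1UEAwwLSWZ6"
    "dGFvcmVuaHgwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDJ/igtswXITod6eGGJzKxJqTxQ8nTbLujhtl9v6RnFixeRlkkCfA8Y0R2U/KEerSwr361AQubsJxu+zt31Zf47erUjwGDRNS3ayR8S2Y9J"
    "HFIQfgSaVBXIqCndHrNhnIJjm/6m0CiwmtGcGbRljY+h6r0T9QCU93app6Ptkbcj5WFjfowPuON1nObMv55JVJMHDqYAGixssTEwbyzc4A8XDW6nkHd3C3brr02SahG/MYAErhgYoXqHe9xyVZlKa3DgLK2LHxpa"
    "/2dLJs9DidIc2jjYGv6PucbAZgAK6NIDXIwd8AVIoESdpd4i6kU+XfPl0kg/NmGAkuy+vTiUkvETyGiUwoX/fYh6ek3AvDbTp+LR+gMfviYL2H6iEJQ1fj8uExG1pn5R3JOIy6EfQulSQDIqSjFIo0Y0yEqj63KC"
    "cSqiLLMF1NCgpEbEmhMu003yZduwCc2p5OS9fjeF4UJaayV3G1QsMTVa4bGCdQBZ1w+GoTdh8g8rBHbHRpzLKVJ+9gOH8EZqqgNVriTUkgJRJrx43gS0rkRCGtpSkSK69vFSl3iy8J+Dt5IvMZ7pwLysIiwRuo/6"
    "7fi6isYMXl/Qi3dablet1tDly1a4pY5ZSRI/eiQ2xFHNIaLzh3LYVRLgKEJvGwpLP80fX7ysdqliGY1+Nv0MmdfDpS6xCHP7gwIDAQABozIwMDAdBgNVHQ4EFgQUxn8bCqajKgK0YyBdVNxPZKLT+sswDwYDVR0T"
    "AQH/BAUwAwEB/zANBgkqhkiG9w0BAQ0FAAOCAgEAu8znn0d0wM3PYQFXxQCBAfArgwTKrjrvr5j3s6Zc4//UfRWBras18WXDoLMWpVKJUR7Up5/pyCF+L24bjxlas8qi2tG2f6qlTX4XXRPtA6LWNtjekyOxJPj0"
    "E6j7t7ZaDW+Jk5yqHKdI7UM+O++MUpJ10Q3x9uBQxEeciG9nSWX4Gho+yFD63v/R1lwoXS2jJXBXyA4HijO7MUfHY5gqPz3oeTAyHIGj1HmAsc5xlrMzpFc65LwBZJVzm4yWmkF/kdEVfTL8vCD4WGUFy5yBKz4b"
    "Htef9g1Qo+riIHk9FN4cJYeZh6ynQ8d6VWF3QvHWLGW4Idq7E3PZ2ucOIOkwH+8SLSiRIdUAWF32ZS1DnzSlX4oVM4KabyEjIE0BE5DYJrt066TG2rPTejU7OCxYBnfd5t5xOIrUpm42g6x4nGdyL9FyKxXcOQ6w"
    "GxH6i2diQbnfelW2iHfa51hCBqr1RPGY02kjlGV77O1JsAzBOZT7yrdwys+6Wu3a6xuWaNFyMTjHFmFZwTBP6oFZmK6k9W+AqrbLIdLs04QJuHJNVuoTB1mw7+5zl7ZiEcRDO8SxHhi22ezhP0OggSUFLp0ExU0W"
    "BcadbppvVwS5UAylAaFa4vvdZ5W4SoCxPt/N7hOaAtZGFf5F3pSwDxAGpWiXUzSBmPRwxO0IxF8Bh0xBzL0="
    '"Default:BAPPDATAJ84f4929d999d'
)

# Assumed layout: an IPv4 address directly followed by base64 that decodes to a
# DER SEQUENCE with a two-byte length ("MII" is base64 for 0x30 0x82).
CARVE_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})(MII[A-Za-z0-9+/]+=*)")
OID_COMMON_NAME = b"\x55\x04\x03"   # 2.5.4.3


def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Split the content of a SEQUENCE/SET into its (tag, value) members."""
    out, pos = [], 0
    while pos + 2 <= len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out


def _common_name(name):
    """Name ::= SEQUENCE OF SET OF SEQUENCE { OID, value }; return the CN."""
    for _, rdn in _children(name):
        for _, atv in _children(rdn):
            (_, oid), (_, val) = _children(atv)
            if oid == OID_COMMON_NAME:
                return val.decode("utf-8", "replace")
    return None


def _time(tag, raw):
    """UTCTime (0x17, YYMMDD...) or GeneralizedTime (0x18, YYYYMMDD...) to ISO 8601."""
    s = raw.decode("ascii")
    if tag == 0x17:
        s = ("20" if int(s[:2]) < 50 else "19") + s
    return f"{s[0:4]}-{s[4:6]}-{s[6:8]}T{s[8:10]}:{s[10:12]}:{s[12:14]}Z"


def parse_der_certificate(der):
    """Return the TBSCertificate fields a blocklist or hunt query needs."""
    _, cert, _ = _tlv(der, 0)                          # Certificate SEQUENCE
    (_, tbs), *_ = _children(cert)                     # tbsCertificate comes first
    fields = _children(tbs)
    if fields[0][0] == 0xA0:                           # optional [0] EXPLICIT version
        fields = fields[1:]
    (_, serial), (_, _sig_alg), (_, issuer), (_, validity), (_, subject) = fields[:5]
    (nb_tag, nb), (na_tag, na) = _children(validity)
    return {
        "serial": serial.hex(),
        "issuer_cn": _common_name(issuer),
        "subject_cn": _common_name(subject),
        "not_before": _time(nb_tag, nb),
        "not_after": _time(na_tag, na),
        "self_signed": issuer == subject,              # identical DER Name => self-issued
        "sha256": hashlib.sha256(der).hexdigest(),     # fingerprint over the full DER
    }


def carve_c2_certificate(memory_string):
    """Carve host + certificate from a memory string and decode the latter."""
    m = CARVE_RE.search(memory_string)
    if not m:
        raise ValueError("no <ip><base64 DER> pattern found")
    b64 = m.group(2).rstrip("=")
    b64 += "=" * (-len(b64) % 4)        # re-pad: strings carved from memory are often cut short
    info = parse_der_certificate(base64.b64decode(b64))
    info["c2_host"] = m.group(1)
    return info


if __name__ == "__main__":
    for key, value in carve_c2_certificate(MEMORY_STRING).items():
        print(f"{key}: {value}")
```

On this sample the script reports subject and issuer CN both Ifztaorenhx, validity from 2025-01-09 to 9999-12-31, and a self-signed certificate. Pivot on the printed SHA-256 (or the CN) to find other samples carrying the same certificate; a certificate with identical issuer and subject and an effectively unlimited lifetime, stored inside the client next to the C2 address, is presumably pinned for the C2 channel rather than issued for the address, so the fingerprint is a more durable indicator than the IP.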
            MITRE ATT&CK Matrix (the number in parentheses after a technique is the count badge shown in the matrix; techniques without a number carry no badge)

            Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
            Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
            Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
            Execution: Windows Management Instrumentation (321); Command and Scripting Interpreter (2); Scheduled Task/Job (1); PowerShell (1); Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
            Persistence: Scheduled Task/Job (1); Registry Run Keys / Startup Folder (1); DLL Side-Loading (1); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
            Privilege Escalation: Process Injection (312); Scheduled Task/Job (1); Registry Run Keys / Startup Folder (1); DLL Side-Loading (1); Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
            Defense Evasion: Masquerading (1); Disable or Modify Tools (1); Virtualization/Sandbox Evasion (341); Process Injection (312); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (11); Timestomp (1); DLL Side-Loading (1)
            Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
            Discovery: Security Software Discovery (431); Process Discovery (2); Virtualization/Sandbox Evasion (341); Application Window Discovery (1); System Owner/User Discovery (2); File and Directory Discovery (1); System Information Discovery (223); System Owner/User Discovery
            Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
            Collection: Archive Collected Data (1); Data from Local System (1); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
            Command and Control: Encrypted Channel (1); Non-Standard Port (1); Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
            Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
            Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet
            Behavior Graph ID: 1633383. Sample: Setup64.exe. Start date: 10/03/2025. Architecture: WINDOWS. Score: 52.

            Sample-level signatures: Suricata IDS alerts for network traffic; Multi AV Scanner detection for submitted file; Yara detected AsyncRAT.

            Process tree (numbers in parentheses after a process name are the count badges shown in the graph, see the legend; dropped files, network contacts and signatures are listed under the process they belong to):

            Setup64.exe (2)
                dropped: C:\Users\user\AppData\Local\...\Setup64.tmp (PE32)
                Setup64.tmp (3 13)
                    dropped: C:\Users\user\AppData\Local\...\_shfoldr.dll (PE32); C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+); C:\Users\user\AppData\Local\...\_iscrypt.dll (PE32)
                    Setup64.exe (2)
                        dropped: C:\Users\user\AppData\Local\...\Setup64.tmp (PE32)
                        Setup64.tmp (5 58)
                            dropped: C:\Users\user\AppData\...\AutoIt3.exe (copy) (PE32); C:\Users\user\...\npdeployJava1.dll (copy) (PE32+); C:\Users\user\...\msys-p11-kit-0.dll (copy) (PE32+); 84 other files (none is malicious)
                            AutoIt3.exe (1 30)
                                dropped: C:\...\AutoIt3.exe (PE32); C:\...\npdeployJava1.dll (PE32+); C:\...\msys-p11-kit-0.dll (PE32+); 24 other files (none is malicious)
                                signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
                                jsc.exe (2)
                                    network: 151.80.89.228, ports 50280 and 56001 (OVHFR, Italy)
                                    signatures: Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines); Found many strings related to Crypto-Wallets (likely being stolen); Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); 3 other signatures
            AutoIt3.exe
                signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
                jsc.exe (3)
                    signatures: Detected PureCrypter Trojan
            AutoIt3.exe
                jsc.exe (2)
