Windows Analysis Report
W7e18p57es.exe

Overview

General Information

Sample name: W7e18p57es.exe (renamed because the original name is a hash value)
Original sample name: 50690fbed2c5b7ba3cde03fb006ebeafeeda1edd9fb9e3ca77d07d1fe0d62d88.exe
Analysis ID: 1643836
MD5: f37c14093a46e382dd1ac49555256f46
SHA1: 77c11a7292cb56cd626c7cfe627a3d389963f2de
SHA256: 50690fbed2c5b7ba3cde03fb006ebeafeeda1edd9fb9e3ca77d07d1fe0d62d88
Tags: 172-86-72-81, exe, user-JAMESWT_MHT

Detection

RedLine
Score: 76
Range: 0 - 100
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected RedLine Stealer
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Writes to foreign memory regions
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match
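The signature list above and the "Static PE information" entries later in this report (RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI; DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE; invalid certificate) come from the COFF and optional headers. The following is an added example, not Joe Sandbox code: a dependency-free decoder for those two flag words plus a check for the Authenticode security directory. It runs on a constructed PE32 header that carries the same flag values the report lists for W7e18p57es.exe; the bytes are built by the example, not taken from the sample, and the flag tables are the documented IMAGE_FILE_* and IMAGE_DLLCHARACTERISTICS_* values.

```python
"""Decode the Characteristics and DllCharacteristics flags that the report
prints as 'Static PE information' and check for an attached Authenticode blob.

Added example, not Joe Sandbox code. It parses a constructed PE32 header
carrying the flag values the report lists; the bytes are not the sample's own.
"""
import struct

FILE_CHARACTERISTICS = {  # IMAGE_FILE_HEADER.Characteristics
    0x0001: "RELOCS_STRIPPED", 0x0002: "EXECUTABLE_IMAGE", 0x0004: "LINE_NUMS_STRIPPED",
    0x0008: "LOCAL_SYMS_STRIPPED", 0x0010: "AGGRESSIVE_WS_TRIM", 0x0020: "LARGE_ADDRESS_AWARE",
    0x0080: "BYTES_REVERSED_LO", 0x0100: "32BIT_MACHINE", 0x0200: "DEBUG_STRIPPED",
    0x0400: "REMOVABLE_RUN_FROM_SWAP", 0x0800: "NET_RUN_FROM_SWAP", 0x1000: "SYSTEM",
    0x2000: "DLL", 0x4000: "UP_SYSTEM_ONLY", 0x8000: "BYTES_REVERSED_HI",
}
DLL_CHARACTERISTICS = {  # IMAGE_OPTIONAL_HEADER.DllCharacteristics
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0200: "NO_ISOLATION", 0x0400: "NO_SEH", 0x0800: "NO_BIND",
    0x1000: "APPCONTAINER", 0x2000: "WDM_DRIVER", 0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
SECURITY_DIR_INDEX = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY: file offset + size of WIN_CERTIFICATE


def flag_names(value, table):
    """Names of the set bits, in ascending bit order (the order the report prints)."""
    return [name for bit, name in sorted(table.items()) if value & bit]


def parse_pe_header(data: bytes) -> dict:
    """Walk MZ -> PE signature -> COFF header -> optional header -> data directories."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, _nsec, _ts, _symptr, _nsyms, _optsize, characteristics = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    pe_plus = struct.unpack_from("<H", data, opt)[0] == PE32PLUS_MAGIC
    dll_characteristics = struct.unpack_from("<H", data, opt + 70)[0]  # same offset for PE32 and PE32+
    ndirs = struct.unpack_from("<I", data, opt + (108 if pe_plus else 92))[0]
    dirs = opt + (112 if pe_plus else 96)
    sec_off = sec_size = 0
    if ndirs > SECURITY_DIR_INDEX:
        sec_off, sec_size = struct.unpack_from("<II", data, dirs + 8 * SECURITY_DIR_INDEX)
    return {
        "machine": machine,
        "pe_plus": pe_plus,
        "characteristics": flag_names(characteristics, FILE_CHARACTERISTICS),
        "dll_characteristics": flag_names(dll_characteristics, DLL_CHARACTERISTICS),
        "security_dir": (sec_off, sec_size),
    }


def triage(info: dict) -> list:
    """Analyst-facing notes derived from the decoded flags."""
    c, d, notes = info["characteristics"], info["dll_characteristics"], []
    if "32BIT_MACHINE" in c and not info["pe_plus"]:
        notes.append("32-bit PE32 image")
    if "RELOCS_STRIPPED" in c and "DYNAMIC_BASE" in d:
        notes.append("DYNAMIC_BASE is set but relocations are stripped: the loader cannot rebase "
                     "the image, so it always maps at its preferred base")
    if "NX_COMPAT" not in d:
        notes.append("NX_COMPAT missing: image opts out of DEP")
    off, size = info["security_dir"]
    if size:
        notes.append(f"Authenticode blob present at file offset {off:#x} ({size} bytes); "
                     "validity is not checked here")
    else:
        notes.append("unsigned: no security directory")
    return notes


def build_sample_pe(characteristics: int, dll_characteristics: int, cert_size: int) -> bytes:
    """Constructed minimal PE32 header (no sections) carrying the given flag words."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", 0x14C, 0, 0, 0, 0, 224, characteristics)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    struct.pack_into("<I", opt, 92, 16)  # NumberOfRvaAndSizes
    header_len = e_lfanew + len(coff) + len(opt)
    if cert_size:  # certificate table lives past the headers, addressed by file offset
        struct.pack_into("<II", opt, 96 + 8 * SECURITY_DIR_INDEX, header_len, cert_size)
    return bytes(dos) + coff + bytes(opt) + b"\0" * cert_size


# Flag words that decode to exactly the names the report lists for this sample.
SAMPLE_CHARACTERISTICS = 0x818F
SAMPLE_DLL_CHARACTERISTICS = 0x8140

if __name__ == "__main__":
    info = parse_pe_header(build_sample_pe(SAMPLE_CHARACTERISTICS, SAMPLE_DLL_CHARACTERISTICS, 64))
    print(info["characteristics"], info["dll_characteristics"], *triage(info), sep="\n")
```

The 0x818F Characteristics word (relocations stripped, byte-reversal bits set, 32-bit) is the value Delphi-linked executables carry, which agrees with the Inno Setup and Borland\Delphi artifacts elsewhere in this report. Note that the security directory only tells you a WIN_CERTIFICATE blob is attached; whether it verifies (the report says it does not) needs a signature check such as Get-AuthenticodeSignature or osslsigncode.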

Classification

Classification chart (categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale: clean, suspicious, malicious)

Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

AV Detection

Source: W7e18p57es.exe Virustotal: Detection: 11%
Source: W7e18p57es.exe ReversingLabs: Detection: 13%
Source: W7e18p57es.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: W7e18p57es.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\zlib-dll\Release\isunzlib.pdb source: W7e18p57es.tmp, 00000001.00000003.1314189446.00000000023D3000.00000004.00001000.00020000.00000000.sdmp, W7e18p57es.exe, _isdecmp.dll.1.dr, _isdecmp.dll.3.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Code function: 4x nop then jmp 017177B9h 5_2_0171768B
Source: unknown TCP traffic detected without corresponding DNS query: 172.86.72.81 (this finding appears 50 times in the report, once per connection)
Source: W7e18p57es.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: W7e18p57es.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: W7e18p57es.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: W7e18p57es.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: W7e18p57es.tmp, 00000001.00000003.1314189446.00000000023D3000.00000004.00001000.00020000.00000000.sdmp, W7e18p57es.tmp, 00000003.00000003.1324141738.0000000000BE3000.00000004.00001000.00020000.00000000.sdmp, W7e18p57es.exe, _isdecmp.dll.1.dr, _isdecmp.dll.3.dr String found in binary or memory: http://crl.certum.pl/cscasha2.crl0q
Source: W7e18p57es.tmp, 00000001.00000003.1314189446.00000000023D3000.00000004.00001000.00020000.00000000.sdmp, W7e18p57es.tmp, 00000003.00000003.1324141738.0000000000BE3000.00000004.00001000.00020000.00000000.sdmp, W7e18p57es.exe, _isdecmp.dll.1.dr, _isdecmp.dll.3.dr String found in binary or memory: http://crl.certum.pl/ctnca.crl0k
Source: is-SHAH3.tmp.3.dr, AutoIt3.exe.4.dr String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: is-SHAH3.tmp.3.dr, AutoIt3.exe.4.dr String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: is-SHAH3.tmp.3.dr, AutoIt3.exe.4.dr String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: is-SHAH3.tmp.3.dr, AutoIt3.exe.4.dr String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: W7e18p57es.tmp, 00000001.00000003.1314189446.00000000023D3000.00000004.00001000.00020000.00000000.sdmp, W7e18p57es.exe, _isdecmp.dll.1.dr, _isdecmp.dll.3.dr String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: W7e18p57es.exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: W7e18p57es.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: W7e18p57es.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: W7e18p57es.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: W7e18p57es.exe String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: W7e18p57es.tmp, 00000001.00000003.1314189446.00000000023D3000.00000004.00001000.00020000.00000000.sdmp, W7e18p57es.exe, _isdecmp.dll.1.dr, _isdecmp.dll.3.dr String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: W7e18p57es.tmp, 00000001.00000003.1314189446.00000000023D3000.00000004.00001000.00020000.00000000.sdmp, W7e18p57es.tmp, 00000003.00000003.1324141738.0000000000BE3000.00000004.00001000.00020000.00000000.sdmp, W7e18p57es.exe, _isdecmp.dll.1.dr, _isdecmp.dll.3.dr String found in binary or memory: http://cscasha2.ocsp-certum.com04
Source: W7e18p57es.exe String found in binary or memory: http://ocsp.digicert.com0
Source: W7e18p57es.exe String found in binary or memory: http://ocsp.digicert.com0A
Source: W7e18p57es.exe String found in binary or memory: http://ocsp.digicert.com0C
Source: W7e18p57es.exe String found in binary or memory: http://ocsp.digicert.com0X
Source: W7e18p57es.tmp, 00000001.00000003.1314189446.00000000023D3000.00000004.00001000.00020000.00000000.sdmp, W7e18p57es.exe, _isdecmp.dll.1.dr, _isdecmp.dll.3.dr String found in binary or memory: http://ocsp.sectigo.com0
Source: is-SHAH3.tmp.3.dr, AutoIt3.exe.4.dr String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: is-SHAH3.tmp.3.dr, AutoIt3.exe.4.dr String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: is-SHAH3.tmp.3.dr, AutoIt3.exe.4.dr String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: W7e18p57es.tmp, 00000001.00000003.1314189446.00000000023D3000.00000004.00001000.00020000.00000000.sdmp, W7e18p57es.tmp, 00000003.00000003.1324141738.0000000000BE3000.00000004.00001000.00020000.00000000.sdmp, W7e18p57es.exe, _isdecmp.dll.1.dr, _isdecmp.dll.3.dr String found in binary or memory: http://repository.certum.pl/cscasha2.cer0
Source: W7e18p57es.tmp, 00000001.00000003.1314189446.00000000023D3000.00000004.00001000.00020000.00000000.sdmp, W7e18p57es.tmp, 00000003.00000003.1324141738.0000000000BE3000.00000004.00001000.00020000.00000000.sdmp, W7e18p57es.exe, _isdecmp.dll.1.dr, _isdecmp.dll.3.dr String found in binary or memory: http://repository.certum.pl/ctnca.cer09
Source: is-SHAH3.tmp.3.dr, AutoIt3.exe.4.dr String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: is-SHAH3.tmp.3.dr, AutoIt3.exe.4.dr String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: W7e18p57es.tmp, 00000001.00000003.1314189446.00000000023D3000.00000004.00001000.00020000.00000000.sdmp, W7e18p57es.tmp, 00000003.00000003.1324141738.0000000000BE3000.00000004.00001000.00020000.00000000.sdmp, W7e18p57es.exe, _isdecmp.dll.1.dr, _isdecmp.dll.3.dr String found in binary or memory: http://subca.ocsp-certum.com01
Source: AutoIt3.exe, 00000004.00000000.1323117812.0000000000DB5000.00000002.00000001.01000000.0000000E.sdmp, AutoIt3.exe, 00000006.00000000.1413788476.0000000000BA5000.00000002.00000001.01000000.00000010.sdmp, AutoIt3.exe, 0000000B.00000000.1499760028.0000000000BA5000.00000002.00000001.01000000.00000010.sdmp, is-SHAH3.tmp.3.dr, AutoIt3.exe.4.dr String found in binary or memory: http://www.autoitscript.com/autoit3/X
Source: W7e18p57es.tmp, 00000001.00000003.1314189446.00000000023D3000.00000004.00001000.00020000.00000000.sdmp, W7e18p57es.tmp, 00000003.00000003.1324141738.0000000000BE3000.00000004.00001000.00020000.00000000.sdmp, W7e18p57es.exe, _isdecmp.dll.1.dr, _isdecmp.dll.3.dr String found in binary or memory: http://www.certum.pl/CPS0
Source: W7e18p57es.exe String found in binary or memory: http://www.digicert.com/CPS0
Source: W7e18p57es.tmp, 00000001.00000003.1314189446.00000000023D3000.00000004.00001000.00020000.00000000.sdmp, W7e18p57es.tmp, 00000003.00000003.1324141738.0000000000BE3000.00000004.00001000.00020000.00000000.sdmp, W7e18p57es.exe, _isdecmp.dll.1.dr, _isdecmp.dll.3.dr String found in binary or memory: https://jrsoftware.org/
Source: W7e18p57es.exe String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: W7e18p57es.tmp, 00000001.00000003.1314189446.00000000023D3000.00000004.00001000.00020000.00000000.sdmp, W7e18p57es.exe, _isdecmp.dll.1.dr, _isdecmp.dll.3.dr String found in binary or memory: https://jrsoftware.org0
Source: jsc.exe, 0000000C.00000002.1557752232.0000000002E71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://pastebin.com/raw/f2ThRnrj
Source: jsc.exe, 00000009.00000002.1477939401.0000000002771000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 0000000C.00000002.1557752232.0000000002E71000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://pastebin.com/raw/f2ThRnrjPO
Source: W7e18p57es.tmp, 00000001.00000003.1314189446.00000000023D3000.00000004.00001000.00020000.00000000.sdmp, W7e18p57es.exe, _isdecmp.dll.1.dr, _isdecmp.dll.3.dr String found in binary or memory: https://sectigo.com/CPS0D
Source: is-SHAH3.tmp.3.dr, AutoIt3.exe.4.dr String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: W7e18p57es.tmp, 00000001.00000003.1314189446.00000000023D3000.00000004.00001000.00020000.00000000.sdmp, W7e18p57es.tmp, 00000003.00000003.1324141738.0000000000BE3000.00000004.00001000.00020000.00000000.sdmp, W7e18p57es.exe, _isdecmp.dll.1.dr, _isdecmp.dll.3.dr String found in binary or memory: https://www.certum.pl/CPS0
Source: AutoIt3.exe.4.dr String found in binary or memory: https://www.globalsign.com/repository/0
Source: is-SHAH3.tmp.3.dr, AutoIt3.exe.4.dr String found in binary or memory: https://www.globalsign.com/repository/06
Source: W7e18p57es.exe, W7e18p57es.tmp.0.dr, W7e18p57es.tmp.2.dr String found in binary or memory: https://www.innosetup.com/
Source: W7e18p57es.exe, W7e18p57es.tmp.0.dr, W7e18p57es.tmp.2.dr String found in binary or memory: https://www.remobjects.com/ps
Source: unknown Network traffic detected: HTTP traffic on port 443 exchanged with local ports 49722 and 49736-49767 (33 connections, each logged in both directions)
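The repeated "TCP traffic detected without corresponding DNS query: 172.86.72.81" finding is the sandbox's name for a simple correlation: an outbound session whose destination never appeared in a DNS answer, which is what an IP-literal C2 looks like (the report also lists a pastebin raw URL in jsc.exe memory; an address fetched over such a channel never produces a lookup for the destination itself). The following is an added example, not Joe Sandbox's implementation, of that correlation over host telemetry. The DNS and connection records are constructed for the example (timestamps, process names and the 203.0.113.x / 198.51.100.x addresses are made up); only the 172.86.72.81 destination is from the report. The lookback window and the RFC 1918/loopback/link-local exclusion list are assumptions a deployment would tune.

```python
"""Flag outbound TCP connections to public addresses that no recent DNS answer
returned, the pattern behind the report's 'TCP traffic ... without
corresponding DNS query' finding.

Added example, not Joe Sandbox code. Records are constructed; only the
172.86.72.81 destination comes from the report.
"""
from __future__ import annotations

import ipaddress
from collections import Counter

# Constructed Sysmon-style DNS answer (Event ID 22) and network connection
# (Event ID 3) records; "t" is seconds since epoch.
DNS_EVENTS = [
    {"t": 1000.0, "query": "crl.digicert.com", "answers": ["203.0.113.10"]},
    {"t": 1005.0, "query": "pastebin.com", "answers": ["203.0.113.20", "203.0.113.21"]},
    {"t": 1500.0, "query": "late.example", "answers": ["198.51.100.9"]},
]
CONN_EVENTS = [
    {"t": 1001.0, "dst": "203.0.113.10", "image": "W7e18p57es.exe"},  # resolved 1 s earlier
    {"t": 1006.0, "dst": "203.0.113.21", "image": "jsc.exe"},         # second A record counts
    {"t": 1010.0, "dst": "172.86.72.81", "image": "jsc.exe"},         # never resolved
    {"t": 1015.0, "dst": "10.0.0.5", "image": "svchost.exe"},         # RFC 1918, ignored
    {"t": 1020.0, "dst": "172.86.72.81", "image": "jsc.exe"},
    {"t": 1030.0, "dst": "172.86.72.81", "image": "jsc.exe"},
    {"t": 1400.0, "dst": "198.51.100.9", "image": "jsc.exe"},         # answer arrives only at t=1500
    {"t": 6000.0, "dst": "203.0.113.10", "image": "jsc.exe"},         # answer is older than the window
]

# Only non-routable ranges are excluded; documentation ranges stay in scope so
# the constructed records above behave like public addresses.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_local(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def connections_without_dns(dns_events, conn_events, lookback_s: float = 3600.0,
                            allowlist=frozenset()) -> list:
    """Replay both streams in time order; a connection is flagged unless some DNS
    answer returned its destination within lookback_s before it."""
    timeline = sorted([(e["t"], 0, e) for e in dns_events] + [(e["t"], 1, e) for e in conn_events],
                      key=lambda x: (x[0], x[1]))  # DNS answers sort before same-second connections
    last_answer = {}
    flagged = []
    for t, kind, ev in timeline:
        if kind == 0:
            for ip in ev["answers"]:
                last_answer[ip] = t
            continue
        dst = ev["dst"]
        if dst in allowlist or is_local(dst):
            continue
        seen = last_answer.get(dst)
        if seen is None or t - seen > lookback_s:
            flagged.append(ev)
    return flagged


def summarize(flagged) -> Counter:
    """Destination -> number of flagged connections, the shape the report prints."""
    return Counter(ev["dst"] for ev in flagged)


if __name__ == "__main__":
    for dst, n in summarize(connections_without_dns(DNS_EVENTS, CONN_EVENTS)).most_common():
        print(f"TCP traffic without corresponding DNS answer: {dst} (x{n})")
```

The window should exceed the longest DNS TTL the host honours; a cached answer older than the window (the t=6000 record above) produces a false positive by design here, and a TTL-aware cache would be the fix. Connections that follow a pastebin or similar fetch can be pinned down further by joining on the process image, as the jsc.exe sessions show.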

System Summary

Source: 9.2.jsc.exe.720000.0.unpack, type: UNPACKEDPE Matched rule: Detects Arechclient2 RAT Author: ditekSHen
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process Stats: CPU usage > 49%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Code function: 5_2_01220040 5_2_01220040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Code function: 5_2_01220AC0 5_2_01220AC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Code function: 5_2_01220006 5_2_01220006
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Code function: 5_2_01220A9D 5_2_01220A9D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Code function: 5_2_01711050 5_2_01711050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Code function: 5_2_0171A080 5_2_0171A080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Code function: 5_2_01717598 5_2_01717598
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Code function: 5_2_01711940 5_2_01711940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Code function: 5_2_01718900 5_2_01718900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Code function: 5_2_0171A070 5_2_0171A070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Code function: 5_2_017145F8 5_2_017145F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Code function: 5_2_01717588 5_2_01717588
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Code function: 5_2_01717498 5_2_01717498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Code function: 5_2_0171E760 5_2_0171E760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Code function: 5_2_0171E75A 5_2_0171E75A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Code function: 5_2_01711738 5_2_01711738
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Code function: 5_2_01711724 5_2_01711724
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Code function: 5_2_01714608 5_2_01714608
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Code function: 5_2_0171D950 5_2_0171D950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Code function: 5_2_01711931 5_2_01711931
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Code function: 5_2_0171D93F 5_2_0171D93F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Code function: 5_2_017159AB 5_2_017159AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Code function: 5_2_017188F2 5_2_017188F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Code function: 5_2_01717D08 5_2_01717D08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Code function: 5_2_01717C34 5_2_01717C34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Code function: 5_2_017159C8 5_2_017159C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Code function: 9_2_02611050 9_2_02611050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Code function: 9_2_02611940 9_2_02611940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Code function: 9_2_02617598 9_2_02617598
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Code function: 9_2_02617258 9_2_02617258
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Code function: 9_2_02611931 9_2_02611931
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Code function: 9_2_026159AB 9_2_026159AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Code function: 9_2_02614608 9_2_02614608
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Code function: 9_2_02611724 9_2_02611724
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Code function: 9_2_026145F8 9_2_026145F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Code function: 9_2_026159C8 9_2_026159C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Code function: 12_2_05397598 12_2_05397598
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Code function: 12_2_05391940 12_2_05391940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Code function: 12_2_05391050 12_2_05391050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Code function: 12_2_053945F8 12_2_053945F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Code function: 12_2_05391724 12_2_05391724
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Code function: 12_2_05394608 12_2_05394608
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Code function: 12_2_05391931 12_2_05391931
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Code function: 12_2_053959C3 12_2_053959C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Code function: 12_2_05397263 12_2_05397263
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Code function: 12_2_053959C8 12_2_053959C8
Source: Joe Sandbox View Dropped File: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\AutoIt3.exe 1DA298CAB4D537B0B7B5DABF09BFF6A212B9E45731E0CC772F99026005FB9E48
Source: W7e18p57es.exe Static PE information: invalid certificate
Source: W7e18p57es.tmp.0.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: W7e18p57es.tmp.2.dr Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: W7e18p57es.exe, 00000000.00000003.1319576432.0000000002228000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamekernel32j% vs W7e18p57es.exe
Source: W7e18p57es.exe, 00000000.00000003.1319576432.000000000216B000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFileNameAdAvoid vs W7e18p57es.exe
Source: W7e18p57es.exe, 00000000.00000000.1307750062.00000000004C6000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFileNameAdAvoid vs W7e18p57es.exe
Source: W7e18p57es.exe, 00000000.00000003.1308697128.000000007FB70000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFileNameAdAvoid vs W7e18p57es.exe
Source: W7e18p57es.exe, 00000002.00000003.1327757450.000000000228B000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFileNameAdAvoid vs W7e18p57es.exe
Source: W7e18p57es.exe, 00000002.00000003.1327757450.0000000002348000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamekernel32j% vs W7e18p57es.exe
Source: W7e18p57es.exe Binary or memory string: OriginalFileNameAdAvoid vs W7e18p57es.exe
Source: W7e18p57es.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: 9.2.jsc.exe.720000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_Arechclient2 author = ditekSHen, description = Detects Arechclient2 RAT
Source: classification engine Classification label: mal76.troj.evad.winEXE@17/18@0/1
Source: C:\Users\user\AppData\Local\Temp\is-76J5C.tmp\W7e18p57es.tmp File created: C:\Users\user\AppData\Local\Programs
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Mutant created: NULL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Mutant created: \Sessions\1\BaseNamedObjects\58f21a0e17024684963d9a15f6445c7a
Source: C:\Users\user\Desktop\W7e18p57es.exe File created: C:\Users\user\AppData\Local\Temp\is-76J5C.tmp
Source: C:\Users\user\Desktop\W7e18p57es.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-76J5C.tmp\W7e18p57es.tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-KALMB.tmp\W7e18p57es.tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-76J5C.tmp\W7e18p57es.tmp File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\W7e18p57es.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\is-76J5C.tmp\W7e18p57es.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: W7e18p57es.exe Virustotal: Detection: 11%
Source: W7e18p57es.exe ReversingLabs: Detection: 13%
Source: W7e18p57es.exe String found in binary or memory: /LOADINF="filename"
Source: W7e18p57es.exe String found in binary or memory: -Helper process exited with failure code: 0x%x
Source: W7e18p57es.exe String found in binary or memory: -HelperRegisterTypeLibrary: StatusCode invalidU
Source: W7e18p57es.exe String found in binary or memory: /InstallOnThisVersion: Invalid MinVersion string
Source: W7e18p57es.exe String found in binary or memory: /LoadInf=
Source: C:\Users\user\Desktop\W7e18p57es.exe File read: C:\Users\user\Desktop\W7e18p57es.exe
Source: unknown Process created: C:\Users\user\Desktop\W7e18p57es.exe "C:\Users\user\Desktop\W7e18p57es.exe"
Source: C:\Users\user\Desktop\W7e18p57es.exe Process created: C:\Users\user\AppData\Local\Temp\is-76J5C.tmp\W7e18p57es.tmp "C:\Users\user\AppData\Local\Temp\is-76J5C.tmp\W7e18p57es.tmp" /SL5="$204CE,3056353,780800,C:\Users\user\Desktop\W7e18p57es.exe"
Source: C:\Users\user\AppData\Local\Temp\is-76J5C.tmp\W7e18p57es.tmp Process created: C:\Users\user\Desktop\W7e18p57es.exe "C:\Users\user\Desktop\W7e18p57es.exe" /VERYSILENT
Source: C:\Users\user\Desktop\W7e18p57es.exe Process created: C:\Users\user\AppData\Local\Temp\is-KALMB.tmp\W7e18p57es.tmp "C:\Users\user\AppData\Local\Temp\is-KALMB.tmp\W7e18p57es.tmp" /SL5="$204E4,3056353,780800,C:\Users\user\Desktop\W7e18p57es.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-KALMB.tmp\W7e18p57es.tmp Process created: C:\Users\user\AppData\Roaming\{5084E6691029}\AutoIt3.exe "C:\Users\user\AppData\Roaming\{5084E6691029}\AutoIt3.exe" ignatia.a3x
Source: C:\Users\user\AppData\Roaming\{5084E6691029}\AutoIt3.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
Source: unknown Process created: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\AutoIt3.exe "C:\9e146be9-c76a-4720-bcdb-53011b87bd06\Autoit3.exe" "C:\9e146be9-c76a-4720-bcdb-53011b87bd06\ignatia.a3x"
Source: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\AutoIt3.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
Source: unknown Process created: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\AutoIt3.exe "C:\9e146be9-c76a-4720-bcdb-53011b87bd06\Autoit3.exe" "C:\9e146be9-c76a-4720-bcdb-53011b87bd06\ignatia.a3x"
Source: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\AutoIt3.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
Source: C:\Users\user\Desktop\W7e18p57es.exe Process created: C:\Users\user\AppData\Local\Temp\is-76J5C.tmp\W7e18p57es.tmp "C:\Users\user\AppData\Local\Temp\is-76J5C.tmp\W7e18p57es.tmp" /SL5="$204CE,3056353,780800,C:\Users\user\Desktop\W7e18p57es.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-76J5C.tmp\W7e18p57es.tmp Process created: C:\Users\user\Desktop\W7e18p57es.exe "C:\Users\user\Desktop\W7e18p57es.exe" /VERYSILENT Jump to behavior
Source: C:\Users\user\Desktop\W7e18p57es.exe Process created: C:\Users\user\AppData\Local\Temp\is-KALMB.tmp\W7e18p57es.tmp "C:\Users\user\AppData\Local\Temp\is-KALMB.tmp\W7e18p57es.tmp" /SL5="$204E4,3056353,780800,C:\Users\user\Desktop\W7e18p57es.exe" /VERYSILENT Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KALMB.tmp\W7e18p57es.tmp Process created: C:\Users\user\AppData\Roaming\{5084E6691029}\AutoIt3.exe "C:\Users\user\AppData\Roaming\{5084E6691029}\AutoIt3.exe" ignatia.a3x Jump to behavior
Source: C:\Users\user\AppData\Roaming\{5084E6691029}\AutoIt3.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe" Jump to behavior
Source: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\AutoIt3.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe" Jump to behavior
Source: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\AutoIt3.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe" Jump to behavior
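The process-creation entries above describe the whole delivery chain: the sample is an Inno Setup installer (the `is-XXXXX.tmp` extraction directory and the `/SL5="$hwnd,offset,size,path"` argument are Inno Setup's setup-loader handoff to the unpacked setup body), it re-executes itself with `/VERYSILENT`, drops the AutoIt interpreter and the `ignatia.a3x` script into `%APPDATA%\{5084E6691029}`, and the interpreter then spawns `jsc.exe`, Microsoft's .NET JScript compiler, with no arguments. A compiler launched argument-less by a script interpreter is a hollow host for injected code, which matches the "Allocates memory in foreign processes" and "Injects a PE file into a foreign processes" signatures in the overview. The following script is an added example, not part of the Joe Sandbox report or its tooling: it parses these ten report lines as constructed input, tags each event with a small set of heuristics, and counts the hits. The LOLBin list, the set of "expected" developer parents for a compiler, and the GUID-directory pattern are assumptions chosen for the example.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed input: the ten "Process created" lines from the report above, with the
# "Jump to behavior" link text dropped. The sandbox prints no PIDs, so a process is
# identified only by its image path.
REPORT_LINES = r"""
Source: unknown Process created: C:\Users\user\Desktop\W7e18p57es.exe "C:\Users\user\Desktop\W7e18p57es.exe"
Source: C:\Users\user\Desktop\W7e18p57es.exe Process created: C:\Users\user\AppData\Local\Temp\is-76J5C.tmp\W7e18p57es.tmp "C:\Users\user\AppData\Local\Temp\is-76J5C.tmp\W7e18p57es.tmp" /SL5="$204CE,3056353,780800,C:\Users\user\Desktop\W7e18p57es.exe"
Source: C:\Users\user\AppData\Local\Temp\is-76J5C.tmp\W7e18p57es.tmp Process created: C:\Users\user\Desktop\W7e18p57es.exe "C:\Users\user\Desktop\W7e18p57es.exe" /VERYSILENT
Source: C:\Users\user\Desktop\W7e18p57es.exe Process created: C:\Users\user\AppData\Local\Temp\is-KALMB.tmp\W7e18p57es.tmp "C:\Users\user\AppData\Local\Temp\is-KALMB.tmp\W7e18p57es.tmp" /SL5="$204E4,3056353,780800,C:\Users\user\Desktop\W7e18p57es.exe" /VERYSILENT
Source: C:\Users\user\AppData\Local\Temp\is-KALMB.tmp\W7e18p57es.tmp Process created: C:\Users\user\AppData\Roaming\{5084E6691029}\AutoIt3.exe "C:\Users\user\AppData\Roaming\{5084E6691029}\AutoIt3.exe" ignatia.a3x
Source: C:\Users\user\AppData\Roaming\{5084E6691029}\AutoIt3.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
Source: unknown Process created: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\AutoIt3.exe "C:\9e146be9-c76a-4720-bcdb-53011b87bd06\Autoit3.exe" "C:\9e146be9-c76a-4720-bcdb-53011b87bd06\ignatia.a3x"
Source: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\AutoIt3.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
Source: unknown Process created: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\AutoIt3.exe "C:\9e146be9-c76a-4720-bcdb-53011b87bd06\Autoit3.exe" "C:\9e146be9-c76a-4720-bcdb-53011b87bd06\ignatia.a3x"
Source: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\AutoIt3.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
""".strip().splitlines()

# The image path in these lines contains no spaces, so \S+ is enough to split it
# from the quoted command line that follows.
EVENT_RE = re.compile(r'^Source: (?P<parent>.+?) Process created: (?P<image>\S+) (?P<cmdline>".*)$')

# Heuristic lists; assumptions made for this example, not taken from the report.
LOLBINS = {"jsc.exe", "csc.exe", "vbc.exe", "msbuild.exe", "installutil.exe", "regasm.exe", "regsvcs.exe"}
DEV_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe", "cmd.exe", "powershell.exe"}
PROGRAM_FILES = ("c:\\program files\\", "c:\\program files (x86)\\")
# A path component that is a bare GUID or a brace-wrapped 12-hex-digit blob.
GUID_DIR = re.compile(r"^\{?[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?$|^\{[0-9a-f]{12}\}$", re.I)


@dataclass
class Event:
    parent: str
    image: str
    cmdline: str
    tags: list = field(default_factory=list)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def parse_events(lines) -> list:
    events = []
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if m:
            events.append(Event(m["parent"], m["image"], m["cmdline"]))
    return events


def tag_event(ev: Event) -> list:
    tags = []
    child, parent = basename(ev.image), basename(ev.parent)
    upper = ev.cmdline.upper()
    # Signed .NET SDK tools are routinely used as injection hosts; outside a build they
    # have no reason to be spawned at all, least of all by a script interpreter.
    if child in LOLBINS and parent not in DEV_PARENTS:
        tags.append("lolbin-unexpected-parent")
    # The AutoIt interpreter executing from anywhere but its install location.
    if child == "autoit3.exe" and not ev.image.lower().startswith(PROGRAM_FILES):
        tags.append("autoit-outside-program-files")
    # GUID-named directories under the profile or the drive root are a staging pattern.
    if any(GUID_DIR.match(part) for part in ev.image.split("\\")[:-1]):
        tags.append("guid-staging-dir")
    # Inno Setup's loader hands off to the extracted setup body with /SL5="$hwnd,offset,size,path".
    if "/SL5=" in upper:
        tags.append("inno-setup-loader")
    if "/VERYSILENT" in upper:
        tags.append("silent-install")
    ev.tags = tags
    return tags


def analyze(lines) -> list:
    """Parse and tag every process-creation event in the given report lines."""
    events = parse_events(lines)
    for ev in events:
        tag_event(ev)
    return events


def summarize(lines) -> Counter:
    """Count how often each heuristic fires across the report lines."""
    counts = Counter()
    for ev in analyze(lines):
        counts.update(ev.tags)
    return counts


def main():
    for ev in analyze(REPORT_LINES):
        print(f"{basename(ev.parent):>18} -> {basename(ev.image):<16} {', '.join(ev.tags) or '-'}")
    print(summarize(REPORT_LINES))


if __name__ == "__main__":
    main()
```

Only the first event (the user launching the sample) carries no tag; every jsc.exe launch is flagged because its parent is AutoIt3.exe rather than a build tool, and both copies of the interpreter are flagged for running from a GUID-named directory outside Program Files. The two Inno Setup tags are informational: plenty of legitimate installers produce the same `/SL5=` and `/VERYSILENT` pattern, so on their own they say "Inno Setup" rather than "malicious".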
Source: C:\Users\user\Desktop\W7e18p57es.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\W7e18p57es.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\W7e18p57es.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\W7e18p57es.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\W7e18p57es.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-76J5C.tmp\W7e18p57es.tmp Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-76J5C.tmp\W7e18p57es.tmp Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-76J5C.tmp\W7e18p57es.tmp Section loaded: netapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-76J5C.tmp\W7e18p57es.tmp Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-76J5C.tmp\W7e18p57es.tmp Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-76J5C.tmp\W7e18p57es.tmp Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-76J5C.tmp\W7e18p57es.tmp Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-76J5C.tmp\W7e18p57es.tmp Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-76J5C.tmp\W7e18p57es.tmp Section loaded: winsta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-76J5C.tmp\W7e18p57es.tmp Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-76J5C.tmp\W7e18p57es.tmp Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-76J5C.tmp\W7e18p57es.tmp Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-76J5C.tmp\W7e18p57es.tmp Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-76J5C.tmp\W7e18p57es.tmp Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-76J5C.tmp\W7e18p57es.tmp Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-76J5C.tmp\W7e18p57es.tmp Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-76J5C.tmp\W7e18p57es.tmp Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-76J5C.tmp\W7e18p57es.tmp Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-76J5C.tmp\W7e18p57es.tmp Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-76J5C.tmp\W7e18p57es.tmp Section loaded: shfolder.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-76J5C.tmp\W7e18p57es.tmp Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-76J5C.tmp\W7e18p57es.tmp Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-76J5C.tmp\W7e18p57es.tmp Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-76J5C.tmp\W7e18p57es.tmp Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-76J5C.tmp\W7e18p57es.tmp Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-76J5C.tmp\W7e18p57es.tmp Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-76J5C.tmp\W7e18p57es.tmp Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-76J5C.tmp\W7e18p57es.tmp Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-76J5C.tmp\W7e18p57es.tmp Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-76J5C.tmp\W7e18p57es.tmp Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-76J5C.tmp\W7e18p57es.tmp Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-76J5C.tmp\W7e18p57es.tmp Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-76J5C.tmp\W7e18p57es.tmp Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-76J5C.tmp\W7e18p57es.tmp Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-76J5C.tmp\W7e18p57es.tmp Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-76J5C.tmp\W7e18p57es.tmp Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-76J5C.tmp\W7e18p57es.tmp Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\W7e18p57es.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\W7e18p57es.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\W7e18p57es.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\W7e18p57es.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\W7e18p57es.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KALMB.tmp\W7e18p57es.tmp Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KALMB.tmp\W7e18p57es.tmp Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KALMB.tmp\W7e18p57es.tmp Section loaded: netapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KALMB.tmp\W7e18p57es.tmp Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KALMB.tmp\W7e18p57es.tmp Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KALMB.tmp\W7e18p57es.tmp Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KALMB.tmp\W7e18p57es.tmp Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KALMB.tmp\W7e18p57es.tmp Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KALMB.tmp\W7e18p57es.tmp Section loaded: winsta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KALMB.tmp\W7e18p57es.tmp Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KALMB.tmp\W7e18p57es.tmp Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KALMB.tmp\W7e18p57es.tmp Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KALMB.tmp\W7e18p57es.tmp Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KALMB.tmp\W7e18p57es.tmp Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KALMB.tmp\W7e18p57es.tmp Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KALMB.tmp\W7e18p57es.tmp Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KALMB.tmp\W7e18p57es.tmp Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KALMB.tmp\W7e18p57es.tmp Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KALMB.tmp\W7e18p57es.tmp Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KALMB.tmp\W7e18p57es.tmp Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KALMB.tmp\W7e18p57es.tmp Section loaded: shfolder.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KALMB.tmp\W7e18p57es.tmp Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KALMB.tmp\W7e18p57es.tmp Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KALMB.tmp\W7e18p57es.tmp Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KALMB.tmp\W7e18p57es.tmp Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KALMB.tmp\W7e18p57es.tmp Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KALMB.tmp\W7e18p57es.tmp Section loaded: dwmapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KALMB.tmp\W7e18p57es.tmp Section loaded: sfc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KALMB.tmp\W7e18p57es.tmp Section loaded: sfc_os.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KALMB.tmp\W7e18p57es.tmp Section loaded: explorerframe.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KALMB.tmp\W7e18p57es.tmp Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\{5084E6691029}\AutoIt3.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\{5084E6691029}\AutoIt3.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\{5084E6691029}\AutoIt3.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\{5084E6691029}\AutoIt3.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\{5084E6691029}\AutoIt3.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\{5084E6691029}\AutoIt3.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\{5084E6691029}\AutoIt3.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\{5084E6691029}\AutoIt3.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\{5084E6691029}\AutoIt3.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\{5084E6691029}\AutoIt3.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\{5084E6691029}\AutoIt3.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\{5084E6691029}\AutoIt3.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\{5084E6691029}\AutoIt3.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\AutoIt3.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\AutoIt3.exe Section loaded: version.dll Jump to behavior
Source: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\AutoIt3.exe Section loaded: winmm.dll Jump to behavior
Source: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\AutoIt3.exe Section loaded: mpr.dll Jump to behavior
Source: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\AutoIt3.exe Section loaded: wininet.dll Jump to behavior
Source: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\AutoIt3.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\AutoIt3.exe Section loaded: userenv.dll Jump to behavior
Source: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\AutoIt3.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\AutoIt3.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\AutoIt3.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\AutoIt3.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\AutoIt3.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\AutoIt3.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\AutoIt3.exe Section loaded: version.dll Jump to behavior
Source: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\AutoIt3.exe Section loaded: winmm.dll Jump to behavior
Source: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\AutoIt3.exe Section loaded: mpr.dll Jump to behavior
Source: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\AutoIt3.exe Section loaded: wininet.dll Jump to behavior
Source: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\AutoIt3.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\AutoIt3.exe Section loaded: userenv.dll Jump to behavior
Source: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\AutoIt3.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\AutoIt3.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\AutoIt3.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\AutoIt3.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\AutoIt3.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-76J5C.tmp\W7e18p57es.tmp Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-76J5C.tmp\W7e18p57es.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KALMB.tmp\W7e18p57es.tmp Window found: window name: TMainForm Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: W7e18p57es.exe Static file information: File size 17781624 > 1048576
Source: W7e18p57es.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: c:\zlib-dll\Release\isunzlib.pdb source: W7e18p57es.tmp, 00000001.00000003.1314189446.00000000023D3000.00000004.00001000.00020000.00000000.sdmp, W7e18p57es.exe, _isdecmp.dll.1.dr, _isdecmp.dll.3.dr
Source: W7e18p57es.exe Static PE information: section name: .didata
Source: W7e18p57es.tmp.0.dr Static PE information: section name: .didata
Source: W7e18p57es.tmp.2.dr Static PE information: section name: .didata
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Code function: 5_2_017141AB pushfd ; ret 5_2_017141E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Code function: 9_2_026141AB pushfd ; ret 9_2_026141E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Code function: 12_2_053941AB pushfd ; ret 12_2_053941E6
Source: C:\Users\user\AppData\Local\Temp\is-76J5C.tmp\W7e18p57es.tmp File created: C:\Users\user\AppData\Local\Temp\is-EGPSH.tmp\_isetup\_iscrypt.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-76J5C.tmp\W7e18p57es.tmp File created: C:\Users\user\AppData\Local\Temp\is-EGPSH.tmp\_isetup\_setup64.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-76J5C.tmp\W7e18p57es.tmp File created: C:\Users\user\AppData\Local\Temp\is-EGPSH.tmp\_isetup\_isdecmp.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\{5084E6691029}\AutoIt3.exe File created: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\AutoIt3.exe Jump to dropped file
Source: C:\Users\user\Desktop\W7e18p57es.exe File created: C:\Users\user\AppData\Local\Temp\is-76J5C.tmp\W7e18p57es.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KALMB.tmp\W7e18p57es.tmp File created: C:\Users\user\AppData\Roaming\{5084E6691029}\is-SHAH3.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KALMB.tmp\W7e18p57es.tmp File created: C:\Users\user\AppData\Local\Temp\is-7BM0S.tmp\_isetup\_isdecmp.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KALMB.tmp\W7e18p57es.tmp File created: C:\Users\user\AppData\Local\Temp\is-7BM0S.tmp\_isetup\_setup64.tmp Jump to dropped file
Source: C:\Users\user\Desktop\W7e18p57es.exe File created: C:\Users\user\AppData\Local\Temp\is-KALMB.tmp\W7e18p57es.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KALMB.tmp\W7e18p57es.tmp File created: C:\Users\user\AppData\Local\Temp\is-7BM0S.tmp\_isetup\_iscrypt.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KALMB.tmp\W7e18p57es.tmp File created: C:\Users\user\AppData\Roaming\{5084E6691029}\AutoIt3.exe (copy) Jump to dropped file
Source: C:\Users\user\AppData\Roaming\{5084E6691029}\AutoIt3.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce ignatia Jump to behavior
Source: C:\Users\user\AppData\Roaming\{5084E6691029}\AutoIt3.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce ignatia Jump to behavior
Source: C:\Users\user\AppData\Roaming\{5084E6691029}\AutoIt3.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce ignatia Jump to behavior
Source: C:\Users\user\AppData\Roaming\{5084E6691029}\AutoIt3.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce ignatia Jump to behavior
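The dropped-file and registry entries above mix installer framework noise with the indicators that matter. `_isetup\_isdecmp.dll`, `_isetup\_iscrypt.dll`, `_isetup\_setup64.tmp`, the unpacked `W7e18p57es.tmp` setup body, the `.didata` section and the `isunzlib.pdb` string are all standard Inno Setup components and say nothing about the payload; the `is-XXXXX.tmp` directory names are generated per run and will not match on another host. What is worth hunting is the AutoIt interpreter under `%APPDATA%\{5084E6691029}`, its second copy in a GUID-named directory at the drive root, and the `HKCU\...\RunOnce` value `ignatia` written by a process running out of the user profile. RunOnce values are consumed at the next logon, so the repeated writes recorded above are consistent with the script re-arming its own persistence. The script below is an added example, not part of the report or of Joe Sandbox: it takes the fifteen lines above as constructed input, normalises profile paths to environment variables (assuming the sandbox's default profile layout for the user `user`), wildcards the random Inno Setup directory, separates installer artifacts from payload files, and reports persistence written from a user-writable location. The system-root exclusions are assumptions for the example.

```python
import re

# Constructed input: the "File created" and "Registry value created or modified" lines
# from the report above, copied verbatim including the link text the page renders.
REPORT_LINES = r"""
Source: C:\Users\user\AppData\Local\Temp\is-76J5C.tmp\W7e18p57es.tmp File created: C:\Users\user\AppData\Local\Temp\is-EGPSH.tmp\_isetup\_iscrypt.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-76J5C.tmp\W7e18p57es.tmp File created: C:\Users\user\AppData\Local\Temp\is-EGPSH.tmp\_isetup\_setup64.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-76J5C.tmp\W7e18p57es.tmp File created: C:\Users\user\AppData\Local\Temp\is-EGPSH.tmp\_isetup\_isdecmp.dll Jump to dropped file
Source: C:\Users\user\AppData\Roaming\{5084E6691029}\AutoIt3.exe File created: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\AutoIt3.exe Jump to dropped file
Source: C:\Users\user\Desktop\W7e18p57es.exe File created: C:\Users\user\AppData\Local\Temp\is-76J5C.tmp\W7e18p57es.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KALMB.tmp\W7e18p57es.tmp File created: C:\Users\user\AppData\Roaming\{5084E6691029}\is-SHAH3.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KALMB.tmp\W7e18p57es.tmp File created: C:\Users\user\AppData\Local\Temp\is-7BM0S.tmp\_isetup\_isdecmp.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KALMB.tmp\W7e18p57es.tmp File created: C:\Users\user\AppData\Local\Temp\is-7BM0S.tmp\_isetup\_setup64.tmp Jump to dropped file
Source: C:\Users\user\Desktop\W7e18p57es.exe File created: C:\Users\user\AppData\Local\Temp\is-KALMB.tmp\W7e18p57es.tmp Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KALMB.tmp\W7e18p57es.tmp File created: C:\Users\user\AppData\Local\Temp\is-7BM0S.tmp\_isetup\_iscrypt.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-KALMB.tmp\W7e18p57es.tmp File created: C:\Users\user\AppData\Roaming\{5084E6691029}\AutoIt3.exe (copy) Jump to dropped file
Source: C:\Users\user\AppData\Roaming\{5084E6691029}\AutoIt3.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce ignatia Jump to behavior
Source: C:\Users\user\AppData\Roaming\{5084E6691029}\AutoIt3.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce ignatia Jump to behavior
Source: C:\Users\user\AppData\Roaming\{5084E6691029}\AutoIt3.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce ignatia Jump to behavior
Source: C:\Users\user\AppData\Roaming\{5084E6691029}\AutoIt3.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce ignatia Jump to behavior
""".strip().splitlines()

SAMPLE_STEM = "W7e18p57es"  # from the report header; identifies the unpacked Inno Setup body

FILE_RE = re.compile(r"^Source: (?P<actor>.+?) File created: (?P<path>.+?)(?: \(copy\))? Jump to dropped file$")
REG_RE = re.compile(r"^Source: (?P<actor>.+?) Registry value created or modified: (?P<key>\S+) (?P<value>\S+) Jump to behavior$")

# Assumes the sandbox VM's default profile layout for the user "user"; longest prefix first.
PROFILE_VARS = (
    (r"c:\users\user\appdata\local\temp", "%TEMP%"),
    (r"c:\users\user\appdata\roaming", "%APPDATA%"),
    (r"c:\users\user\appdata\local", "%LOCALAPPDATA%"),
    (r"c:\users\user", "%USERPROFILE%"),
)
# Inno Setup extracts into is-XXXXX.tmp with five random characters per run, so that
# component is never a stable indicator; it is replaced with a wildcard.
INNO_TMP = re.compile(r"\\is-[A-Z0-9]{5}\.tmp(?=\\|$)")
# Writers under these roots are not treated as "user-writable" origins (assumption).
SYSTEM_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def normalize_path(path: str) -> str:
    low = path.lower()
    for prefix, var in PROFILE_VARS:
        if low.startswith(prefix):
            path = var + path[len(prefix):]
            break
    return INNO_TMP.sub(r"\\is-*.tmp", path)


def is_installer_artifact(norm_path: str) -> bool:
    """Files every Inno Setup installer drops: helper DLLs under _isetup\\ and the unpacked setup body."""
    low = norm_path.lower()
    return "\\_isetup\\" in low or low.endswith(f"\\{SAMPLE_STEM.lower()}.tmp")


def extract_iocs(lines) -> dict:
    """De-duplicated, normalised indicators split into installer noise, payload files and registry."""
    iocs = {"installer_artifacts": set(), "payload_files": set(), "registry": set(), "writers": {}}
    for line in lines:
        line = line.strip()
        if m := FILE_RE.match(line):
            ioc = normalize_path(m["path"])
            bucket = "installer_artifacts" if is_installer_artifact(ioc) else "payload_files"
        elif m := REG_RE.match(line):
            ioc = f"{m['key']}\\{m['value']}"
            bucket = "registry"
        else:
            continue
        iocs[bucket].add(ioc)
        iocs["writers"].setdefault(ioc, set()).add(normalize_path(m["actor"]))
    return iocs


def persistence_from_user_writable(iocs: dict) -> list:
    """Run/RunOnce values whose writer lives outside the Windows and Program Files roots."""
    hits = []
    for reg in iocs["registry"]:
        if "\\CurrentVersion\\RunOnce\\" in reg or "\\CurrentVersion\\Run\\" in reg:
            for writer in iocs["writers"][reg]:
                if not writer.lower().startswith(SYSTEM_ROOTS):
                    hits.append((reg, writer))
    return sorted(hits)


def main():
    iocs = extract_iocs(REPORT_LINES)
    for bucket in ("installer_artifacts", "payload_files", "registry"):
        print(f"[{bucket}]")
        for ioc in sorted(iocs[bucket]):
            print(f"  {ioc}   written by: {', '.join(sorted(iocs['writers'][ioc]))}")
    print("[persistence written from a user-writable location]")
    for reg, writer in persistence_from_user_writable(iocs):
        print(f"  {reg} <- {writer}")


if __name__ == "__main__":
    main()
```

After normalisation the eleven file events collapse to seven unique paths, four of which are Inno Setup's own helpers, and the four identical RunOnce writes collapse to one indicator. The payload set that survives (`%APPDATA%\{5084E6691029}\AutoIt3.exe`, its root-level GUID-directory copy, and the `RunOnce\ignatia` value written by the AppData copy) is what a host hunt should key on; whether the `{5084E6691029}` and GUID directory names are fixed per build or generated per victim cannot be told from one report, so treat them as candidates to confirm against other samples rather than as stable signatures.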
Source: C:\Users\user\Desktop\W7e18p57es.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-76J5C.tmp\W7e18p57es.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-76J5C.tmp\W7e18p57es.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-76J5C.tmp\W7e18p57es.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-76J5C.tmp\W7e18p57es.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-76J5C.tmp\W7e18p57es.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-76J5C.tmp\W7e18p57es.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-76J5C.tmp\W7e18p57es.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-76J5C.tmp\W7e18p57es.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-76J5C.tmp\W7e18p57es.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-76J5C.tmp\W7e18p57es.tmp Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\W7e18p57es.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KALMB.tmp\W7e18p57es.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KALMB.tmp\W7e18p57es.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KALMB.tmp\W7e18p57es.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KALMB.tmp\W7e18p57es.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KALMB.tmp\W7e18p57es.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KALMB.tmp\W7e18p57es.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KALMB.tmp\W7e18p57es.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KALMB.tmp\W7e18p57es.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KALMB.tmp\W7e18p57es.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KALMB.tmp\W7e18p57es.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KALMB.tmp\W7e18p57es.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KALMB.tmp\W7e18p57es.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-KALMB.tmp\W7e18p57es.tmp Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\{5084E6691029}\AutoIt3.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\AutoIt3.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Memory allocated: 1710000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Memory allocated: 2FE0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Memory allocated: 2E00000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Memory allocated: 2570000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Memory allocated: 2770000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Memory allocated: 2E40000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Memory allocated: 2E70000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Memory allocated: 4E70000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Window / User API: threadDelayed 3339
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Window / User API: threadDelayed 6439
Source: C:\Users\user\AppData\Local\Temp\is-76J5C.tmp\W7e18p57es.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-EGPSH.tmp\_isetup\_iscrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-76J5C.tmp\W7e18p57es.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-EGPSH.tmp\_isetup\_isdecmp.dll
Source: C:\Users\user\AppData\Local\Temp\is-76J5C.tmp\W7e18p57es.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-EGPSH.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KALMB.tmp\W7e18p57es.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-7BM0S.tmp\_isetup\_isdecmp.dll
Source: C:\Users\user\AppData\Local\Temp\is-KALMB.tmp\W7e18p57es.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-7BM0S.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-KALMB.tmp\W7e18p57es.tmp Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-7BM0S.tmp\_isetup\_iscrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8768 Thread sleep count: 39 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8768 Thread sleep time: -35971150943733603s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8768 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8776 Thread sleep count: 3339 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8768 Thread sleep time: -59872s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8776 Thread sleep count: 6439 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8744 Thread sleep time: -34929s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8768 Thread sleep time: -59766s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8768 Thread sleep time: -59656s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8768 Thread sleep time: -59547s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8744 Thread sleep time: -52672s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8768 Thread sleep time: -59438s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8744 Thread sleep time: -31650s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8768 Thread sleep time: -59329s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8768 Thread sleep time: -59219s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8768 Thread sleep time: -59110s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8768 Thread sleep time: -59000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8768 Thread sleep time: -58891s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8768 Thread sleep time: -58782s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8744 Thread sleep time: -49080s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8768 Thread sleep time: -58672s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8768 Thread sleep time: -58559s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8744 Thread sleep time: -48882s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8768 Thread sleep time: -58438s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8768 Thread sleep time: -58257s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8768 Thread sleep time: -58138s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8744 Thread sleep time: -38438s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8744 Thread sleep time: -32398s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8768 Thread sleep time: -57984s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8744 Thread sleep time: -31714s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8768 Thread sleep time: -57789s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8768 Thread sleep time: -57688s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8744 Thread sleep time: -47849s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8744 Thread sleep time: -43686s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8768 Thread sleep time: -57577s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8744 Thread sleep time: -36436s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8768 Thread sleep time: -57430s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8768 Thread sleep time: -57328s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8768 Thread sleep time: -57218s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8768 Thread sleep time: -57094s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8744 Thread sleep time: -44360s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8744 Thread sleep time: -33707s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8768 Thread sleep time: -56985s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8744 Thread sleep time: -39918s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8768 Thread sleep time: -56875s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8768 Thread sleep time: -56766s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8744 Thread sleep time: -52856s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8768 Thread sleep time: -56657s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8744 Thread sleep time: -39851s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8768 Thread sleep time: -56547s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8768 Thread sleep time: -56438s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8744 Thread sleep time: -39375s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8768 Thread sleep time: -56328s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8768 Thread sleep time: -56219s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8744 Thread sleep time: -31744s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8768 Thread sleep time: -56097s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8768 Thread sleep time: -55969s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8744 Thread sleep time: -52415s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8768 Thread sleep time: -55860s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8768 Thread sleep time: -55750s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8744 Thread sleep time: -44692s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8768 Thread sleep time: -55641s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8744 Thread sleep time: -39038s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8768 Thread sleep time: -55532s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8768 Thread sleep time: -55330s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8768 Thread sleep time: -55185s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8768 Thread sleep time: -54954s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8744 Thread sleep time: -52081s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8768 Thread sleep time: -54797s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8744 Thread sleep time: -33711s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8768 Thread sleep time: -54688s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8768 Thread sleep time: -54574s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8768 Thread sleep time: -54468s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8768 Thread sleep time: -54339s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8768 Thread sleep time: -54233s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8768 Thread sleep time: -54123s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8744 Thread sleep time: -59457s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8768 Thread sleep time: -54015s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8768 Thread sleep time: -53906s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8744 Thread sleep time: -56306s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8744 Thread sleep time: -41082s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8768 Thread sleep time: -53786s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8744 Thread sleep time: -50618s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 8768 Thread sleep time: -53641s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 9088 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe TID: 4104 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 60000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 59872
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 34929
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 59766
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 59656
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 59547
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 52672
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 59438
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 31650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 59329
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 59219
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 59110
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 59000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 58891
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 58782
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 49080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 58672
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 58559
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 48882
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 58438
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 58257
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 58138
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 38438
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 32398
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 57984
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 31714
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 57789
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 57688
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 47849
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 43686
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 57577
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 36436
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 57430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 57328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 57218
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 57094
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 44360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 33707
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 56985
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 39918
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 56875
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 56766
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 52856
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 56657
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 39851
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 56547
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 56438
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 39375
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 56328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 56219
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 31744
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 56097
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 55969
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 52415
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 55860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 55750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 44692
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 55641
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 39038
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 55532
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 55330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 55185
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 54954
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 52081
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 54797
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 33711
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 54688
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 54574
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 54468
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 54339
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 54233
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 54123
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 59457
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 54015
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 53906
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 56306
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 41082
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 53786
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 50618
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Thread delayed: delay time: 53641
Source: W7e18p57es.tmp, 00000001.00000002.1317996133.0000000000A76000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: W7e18p57es.tmp, 00000001.00000002.1317996133.0000000000A76000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: jsc.exe, 00000005.00000002.3777372209.0000000001389000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\is-KALMB.tmp\W7e18p57es.tmp Process information queried: ProcessInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Roaming\{5084E6691029}\AutoIt3.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: F40000 protect: page execute and read and write
Source: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\AutoIt3.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 720000 protect: page execute and read and write
Source: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\AutoIt3.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: F00000 protect: page execute and read and write
Source: C:\Users\user\AppData\Roaming\{5084E6691029}\AutoIt3.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: F40000 value starts with: 4D5A
Source: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\AutoIt3.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 720000 value starts with: 4D5A
Source: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\AutoIt3.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: F00000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\{5084E6691029}\AutoIt3.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: F40000
Source: C:\Users\user\AppData\Roaming\{5084E6691029}\AutoIt3.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: CC6000
Source: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\AutoIt3.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 720000
Source: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\AutoIt3.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: 5F6000
Source: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\AutoIt3.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: F00000
Source: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\AutoIt3.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe base: C83000
Source: C:\Users\user\AppData\Local\Temp\is-76J5C.tmp\W7e18p57es.tmp Process created: C:\Users\user\Desktop\W7e18p57es.exe "C:\Users\user\Desktop\W7e18p57es.exe" /VERYSILENT
Source: C:\Users\user\AppData\Roaming\{5084E6691029}\AutoIt3.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
Source: C:\9e146be9-c76a-4720-bcdb-53011b87bd06\AutoIt3.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
Source: AutoIt3.exe, 00000004.00000000.1323000541.0000000000DA1000.00000002.00000001.01000000.0000000E.sdmp, AutoIt3.exe, 00000006.00000000.1413677514.0000000000B91000.00000002.00000001.01000000.00000010.sdmp, AutoIt3.exe, 0000000B.00000000.1499644151.0000000000B91000.00000002.00000001.01000000.00000010.sdmp Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\{5084E6691029}\AutoIt3.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 9.2.jsc.exe.720000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.1475998533.0000000000722000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: jsc.exe PID: 9016, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 9.2.jsc.exe.720000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.1475998533.0000000000722000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: jsc.exe PID: 9016, type: MEMORYSTR