
Windows Analysis Report
7bXVSwc9dp.exe

Overview

General Information

Sample name: 7bXVSwc9dp.exe (renamed because the original name is a hash value)
Original sample name: 0fb1f243d0254aec7a1f00afa1be6154.exe
Analysis ID: 1386384
MD5: 0fb1f243d0254aec7a1f00afa1be6154
SHA1: 10e860876be173668ee1779f79b3fbba4ff5a0b1
SHA256: fac2721b3d0ca98c5f791e3eb14a1b89c3e567f3bce012e214d955bde2f00999
Tags: 32, exe, RedLineStealer, trojan

Detection

PureLog Stealer, RedLine, zgRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Yara detected zgRAT
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
Drops PE files to the startup folder
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Process Patterns NTDS.DIT Exfil
Stores files to the Windows start menu directory
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • 7bXVSwc9dp.exe (PID: 6188 cmdline: C:\Users\user\Desktop\7bXVSwc9dp.exe MD5: 0FB1F243D0254AEC7A1F00AFA1BE6154)
    • conhost.exe (PID: 5856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • qemu-ga.exe (PID: 2828 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe" MD5: A5CE3ABA68BDB438E98B1D0C70A3D95C)
  • qemu-ga.exe (PID: 5800 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe" MD5: A5CE3ABA68BDB438E98B1D0C70A3D95C)
  • cleanup
Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale, apparently as a standalone product ($100/$150 depending on the version) or on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, including details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Name: zgRAT
Description: zgRAT is a Remote Access Trojan which sometimes drops other malware such as AgentTesla. zgRAT has an infostealer component which targets browser information and crypto wallets. It usually spreads by USB or by phishing emails with .zip/.lnk/.bat/.xlsx attachments and so on.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat
No configs have been found
Yara matches (Source / Rule / Description / Author / Strings)
Source: dump.pcap, Rule: JoeSecurity_RedLine_1, Description: Yara detected RedLine Stealer, Author: Joe Security
Source: dump.pcap, Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Author: Joe Security

Yara matches (Source / Rule / Description / Author / Strings)
Source: 00000000.00000002.2150137777.00000000010EE000.00000004.00000010.00020000.00000000.sdmp, Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Author: Joe Security
Source: 00000000.00000002.2150137777.00000000010EE000.00000004.00000010.00020000.00000000.sdmp, Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Author: Joe Security
Source: 00000000.00000002.2150298072.0000000001282000.00000020.00001000.00020000.00000000.sdmp, Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Author: Joe Security
Source: 00000000.00000002.2150298072.0000000001282000.00000020.00001000.00020000.00000000.sdmp, Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Author: Joe Security
Source: 00000000.00000002.2152685133.00000000034BB000.00000004.00000800.00020000.00000000.sdmp, Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Author: Joe Security
(3 further entries not shown)

Yara matches (Source / Rule / Description / Author / Strings)
Source: 0.2.7bXVSwc9dp.exe.1280000.2.unpack, Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Author: Joe Security
Source: 0.2.7bXVSwc9dp.exe.1280000.2.unpack, Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Author: Joe Security
Source: 0.2.7bXVSwc9dp.exe.1280000.2.unpack, Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Author: Joe Security
Source: 0.2.7bXVSwc9dp.exe.1280000.2.unpack, Rule: MALWARE_Win_zgRAT, Description: Detects zgRAT, Author: ditekSHen, Strings:
  • 0x39e69:$s1: file:///
  • 0x39dc5:$s2: {11111-22222-10009-11112}
  • 0x39df9:$s3: {11111-22222-50001-00000}
  • 0x3550a:$s4: get_Module
  • 0x35889:$s5: Reverse
  • 0x39082:$s6: BlockCopy
  • 0x35ba5:$s7: ReadByte
  • 0x39e7b:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
Source: 0.2.7bXVSwc9dp.exe.10efb1c.1.unpack, Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Author: Joe Security
(7 further entries not shown)

                        System Summary

Source: File created, Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), Data: EventID: 11, Image: C:\Users\user\Desktop\7bXVSwc9dp.exe, ProcessId: 6188, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe
Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe" , CommandLine: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe, NewProcessName: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe, OriginalFileName: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe, ParentCommandLine: C:\Users\user\Desktop\7bXVSwc9dp.exe, ParentImage: C:\Users\user\Desktop\7bXVSwc9dp.exe, ParentProcessId: 6188, ParentProcessName: 7bXVSwc9dp.exe, ProcessCommandLine: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe" , ProcessId: 2828, ProcessName: qemu-ga.exe
Timestamp: 02/04/24-19:36:00.311894
Source IP: 192.168.2.5
Destination IP: 45.15.156.127
SID: 2046045
Source Port: 49704
Destination Port: 23000
Protocol: TCP
Classtype: A Network Trojan was detected
Timestamp: 02/04/24-19:36:01.522245
Source IP: 45.15.156.127
Destination IP: 192.168.2.5
SID: 2046056
Source Port: 23000
Destination Port: 49704
Protocol: TCP
Classtype: A Network Trojan was detected

                        AV Detection

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe, ReversingLabs: Detection: 37%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe, Virustotal: Detection: 38%
Source: 7bXVSwc9dp.exe, ReversingLabs: Detection: 28%
Source: 7bXVSwc9dp.exe, Virustotal: Detection: 31%
Source: 7bXVSwc9dp.exe, Joe Sandbox ML: detected
Source: 7bXVSwc9dp.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 7bXVSwc9dp.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe, Code function: 0_2_0048933A FindFirstFileExW, 0_2_0048933A
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe, File opened: C:\Users\user\AppData\
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe, File opened: C:\Users\user\
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\

                        Networking

Source: Traffic, Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) 192.168.2.5:49704 -> 45.15.156.127:23000
Source: Traffic, Snort IDS: 2046056 ET TROJAN Redline Stealer/MetaStealer Family Activity (Response) 45.15.156.127:23000 -> 192.168.2.5:49704
Source: global traffic, TCP traffic: 192.168.2.5:49704 -> 45.15.156.127:23000
Source: Joe Sandbox View, IP Address: 45.15.156.127
Source: Joe Sandbox View, ASN Name: RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU
Source: unknown, TCP traffic detected without corresponding DNS query: 45.15.156.127
Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.0000000003451000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: $]q3IndexedDB\https_www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.000000000381A000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: $]qrC:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.00000000034BB000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.00000000034BB000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.00000000034BB000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.00000000034BB000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.00000000034BB000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.00000000034BB000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.00000000034BB000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.00000000034BB000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.00000000034BB000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.00000000034BB000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.00000000034BB000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.00000000034BB000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.00000000034BB000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.00000000034BB000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.00000000034BB000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.00000000034BB000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.00000000034BB000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.00000000034BB000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
Source: 7bXVSwc9dp.exe, 00000000.00000002.2152163170.0000000001AAE000.00000004.00000020.00020000.00000000.sdmp, 7bXVSwc9dp.exe, 00000000.00000003.2149342982.0000000001AAC000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://purl.oen
Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.00000000034BB000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.00000000034BB000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.0000000003451000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.0000000003451000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.00000000034BB000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/policy
Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.00000000034BB000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/sc
Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.00000000034BB000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.00000000034BB000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.00000000034BB000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.00000000034BB000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.00000000034BB000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.00000000034BB000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.00000000034BB000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.00000000034BB000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.00000000034BB000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.00000000034BB000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.00000000034BB000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.00000000034BB000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.00000000034BB000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.00000000034BB000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/06/addressingex
Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.0000000003451000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.0000000003451000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.0000000003451000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.00000000034BB000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat
Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.00000000034BB000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.00000000034BB000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.00000000034BB000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.00000000034BB000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.00000000034BB000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.00000000034BB000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.00000000034BB000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.00000000034BB000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.00000000034BB000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.00000000034BB000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.00000000034BB000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.00000000034BB000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.00000000034BB000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor
Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.00000000034BB000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.00000000034BB000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.00000000034BB000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.00000000034BB000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.00000000034BB000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.0000000003451000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm
Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.0000000003451000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.0000000003451000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.0000000003451000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.0000000003451000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.0000000003451000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.0000000003451000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.00000000034BB000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.00000000034BB000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
                        Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.00000000034BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
                        Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.00000000034BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
                        Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.00000000034BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
                        Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.00000000034BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
                        Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.00000000034BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
                        Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.00000000034BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
                        Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.00000000034BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
                        Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.00000000034BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
                        Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.00000000034BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
                        Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.00000000034BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
                        Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.00000000034BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
                        Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.00000000034BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
                        Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.00000000034BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
                        Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.00000000034BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
                        Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.00000000034BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
                        Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.00000000034BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
                        Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.00000000034BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
                        Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.00000000034BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
                        Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.00000000034BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
                        Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.00000000034BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
                        Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.00000000034BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
                        Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.0000000003451000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
                        Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.00000000034BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                        Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.0000000003451000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
                        Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.00000000034BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
                        Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.0000000003451000.00000004.00000800.00020000.00000000.sdmp, 7bXVSwc9dp.exe, 00000000.00000002.2152685133.00000000034BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/
                        Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.00000000034BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/D
                        Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.0000000003451000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/RestAPI/TreeObject1
                        Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.0000000003451000.00000004.00000800.00020000.00000000.sdmp, 7bXVSwc9dp.exe, 00000000.00000002.2152685133.00000000034BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/RestAPI/TreeObject1Response
                        Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.00000000034BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/RestAPI/TreeObject1ResponseD
                        Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.0000000003451000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/RestAPI/TreeObject2
                        Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.0000000003451000.00000004.00000800.00020000.00000000.sdmp, 7bXVSwc9dp.exe, 00000000.00000002.2152685133.00000000034BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/RestAPI/TreeObject2Response
                        Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.00000000034BB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/RestAPI/TreeObject2ResponseD
                        Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.0000000003451000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/RestAPI/TreeObject3
                        Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.0000000003451000.00000004.00000800.00020000.00000000.sdmp, 7bXVSwc9dp.exe, 00000000.00000002.2152685133.00000000034BB000.00000004.00000800.00020000.00000000.sdmp, 7bXVSwc9dp.exe, 00000000.00000002.2152685133.0000000003877000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/RestAPI/TreeObject3Response
                        Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.0000000003877000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/RestAPI/TreeObject3ResponseD
                        Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.0000000003877000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.w3.o
                        Source: 7bXVSwc9dp.exe, 00000000.00000003.2097739660.0000000004A58000.00000004.00000800.00020000.00000000.sdmp, 7bXVSwc9dp.exe, 00000000.00000003.2096561582.0000000004A6B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                        Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.0000000003451000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ip.sb/ip
                        Source: 7bXVSwc9dp.exe, 00000000.00000003.2097739660.0000000004A58000.00000004.00000800.00020000.00000000.sdmp, 7bXVSwc9dp.exe, 00000000.00000003.2096561582.0000000004A6B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                        Source: 7bXVSwc9dp.exe, 00000000.00000003.2097739660.0000000004A58000.00000004.00000800.00020000.00000000.sdmp, 7bXVSwc9dp.exe, 00000000.00000003.2096561582.0000000004A6B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                        Source: 7bXVSwc9dp.exe, 00000000.00000003.2097739660.0000000004A58000.00000004.00000800.00020000.00000000.sdmp, 7bXVSwc9dp.exe, 00000000.00000003.2096561582.0000000004A6B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                        Source: 7bXVSwc9dp.exe, 00000000.00000003.2097739660.0000000004A58000.00000004.00000800.00020000.00000000.sdmp, 7bXVSwc9dp.exe, 00000000.00000003.2096561582.0000000004A6B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                        Source: 7bXVSwc9dp.exe, 00000000.00000003.2097739660.0000000004A58000.00000004.00000800.00020000.00000000.sdmp, 7bXVSwc9dp.exe, 00000000.00000003.2096561582.0000000004A6B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                        Source: 7bXVSwc9dp.exe, 00000000.00000003.2097739660.0000000004A58000.00000004.00000800.00020000.00000000.sdmp, 7bXVSwc9dp.exe, 00000000.00000003.2096561582.0000000004A6B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                        Source: 7bXVSwc9dp.exe, 00000000.00000003.2097739660.0000000004A58000.00000004.00000800.00020000.00000000.sdmp, 7bXVSwc9dp.exe, 00000000.00000003.2096561582.0000000004A6B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                        Source: 7bXVSwc9dp.exe, 00000000.00000003.2097739660.0000000004A58000.00000004.00000800.00020000.00000000.sdmp, 7bXVSwc9dp.exe, 00000000.00000003.2096561582.0000000004A6B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                        Source: C:\Users\user\Desktop\7bXVSwc9dp.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior

System Summary

Source: 0.2.7bXVSwc9dp.exe.1280000.2.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.7bXVSwc9dp.exe.10efb1c.1.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.7bXVSwc9dp.exe.10efb1c.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.7bXVSwc9dp.exe.10efb1c.1.raw.unpack, Strings.cs | Large array initialization: Strings: array initializer size 6160
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe | Code function: 0_2_00481280 GetModuleHandleA,GetProcAddress,VirtualAlloc,NtUnmapViewOfSection,NtUnmapViewOfSection,LoadLibraryA,GetProcAddress,GetProcAddress,lstrlenW,CreateThread,Sleep,WaitForSingleObject
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe | Code function: 0_2_00481000
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe | Code function: 0_2_004905A1
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe | Code function: 0_2_00482E90
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe | Code function: 0_2_016B0B98
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe | Code function: 0_2_016B0900
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe | Code function: 0_2_016B0910
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe | Code function: 0_2_016B0B8A
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe | Code function: 0_2_0595EA18
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe | Code function: 0_2_059550C0
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe | Code function: 0_2_05959900
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe | Code function: 0_2_05959900
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe | Code function: 0_2_05959900
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe | Code function: 0_2_059AD0E8
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe | Code function: 0_2_059A0040
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe | Code function: 0_2_059A4D00
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe | Code function: 0_2_059AEB60
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe | Code function: 0_2_059BB318
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe | Code function: 0_2_059B92C8
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe | Code function: 0_2_059BAED8
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe | Code function: 0_2_059B6E20
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe | Code function: 0_2_059B6528
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe | Code function: 0_2_059BB750
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe | Code function: 0_2_059C5592
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe | Code function: 0_2_059C55A0
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe | Code function: 0_2_059C0006
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe | Code function: 0_2_059C0040
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe | Code function: 0_2_05FFE2D8
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe | Code function: 0_2_05FFB218
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe | Code function: 0_2_05FFDB40
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe | Code function: 0_2_05FFE2CB
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe 9B860BE98A046EA97A7F67B006E0B1BC9AB7731DD2A0F3A9FD3D710F6C43278A
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe | Code function: String function: 004848F0 appears 33 times
Source: 7bXVSwc9dp.exe, 00000000.00000002.2150632778.000000000142E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs 7bXVSwc9dp.exe
Source: 7bXVSwc9dp.exe, 00000000.00000002.2150137777.00000000010EE000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameHearths.exe" vs 7bXVSwc9dp.exe
Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.00000000034BB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs 7bXVSwc9dp.exe
Source: 7bXVSwc9dp.exe, 00000000.00000002.2150347915.00000000012C2000.00000002.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameHearths.exe" vs 7bXVSwc9dp.exe
Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.0000000003877000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameqemu-ga.exe0 vs 7bXVSwc9dp.exe
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe | Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe | Section loaded: ucrtbase_clr0400.dll
Source: 7bXVSwc9dp.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.7bXVSwc9dp.exe.1280000.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.7bXVSwc9dp.exe.10efb1c.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.7bXVSwc9dp.exe.10efb1c.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.7bXVSwc9dp.exe.10efb1c.1.raw.unpack, Strings.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.7bXVSwc9dp.exe.10efb1c.1.raw.unpack, WdBnEYAg1nRyqJHbk0Q.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.7bXVSwc9dp.exe.10efb1c.1.raw.unpack, WdBnEYAg1nRyqJHbk0Q.cs | Cryptographic APIs: 'CreateDecryptor'
Source: classification engine | Classification label: mal100.troj.adwa.spyw.evad.winEXE@5/2@0/1
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe | File created: C:\Users\user\AppData\Local\Microsoft\Wind?ws
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5856:120:WilError_03
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 7bXVSwc9dp.exe | ReversingLabs: Detection: 28%
Source: 7bXVSwc9dp.exe | Virustotal: Detection: 31%
Source: unknown | Process created: C:\Users\user\Desktop\7bXVSwc9dp.exe C:\Users\user\Desktop\7bXVSwc9dp.exe
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32
Source: 7bXVSwc9dp.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: 7bXVSwc9dp.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation

Source: 0.2.7bXVSwc9dp.exe.10efb1c.1.raw.unpack, WdBnEYAg1nRyqJHbk0Q.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: qemu-ga.exe.0.dr | Static PE information: 0x845C0092 [Mon May 14 15:26:10 2040 UTC]
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe | Code function: 0_2_00481280 GetModuleHandleA,GetProcAddress,VirtualAlloc,NtUnmapViewOfSection,NtUnmapViewOfSection,LoadLibraryA,GetProcAddress,GetProcAddress,lstrlenW,CreateThread,Sleep,WaitForSingleObject
Source: 7bXVSwc9dp.exe | Static PE information: section name: .TIAQk
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe | Code function: 0_2_00491570 push eax; ret 0_2_00491590
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe | Code function: 0_2_00490CB1 push ecx; ret 0_2_00490CC4
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe | Code function: 0_2_016BE0C3 pushad ; iretd 0_2_016BE249
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe | Code function: 0_2_0595E940 push ds; ret 0_2_0595EA16
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe | Code function: 0_2_05FFD590 push es; ret 0_2_05FFD5A0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe | Code function: 3_2_00007FF848F200BD pushad ; iretd 3_2_00007FF848F200C1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe | Code function: 5_2_00007FF848F400BD pushad ; iretd 5_2_00007FF848F400C1
Source: 0.2.7bXVSwc9dp.exe.10efb1c.1.raw.unpack, WdBnEYAg1nRyqJHbk0Q.cs | High entropy of concatenated method names: 'Deym16AiJU', 'g38PJ8K3c0', 'bxAmNgpIsj', 'e1hmfGryNP', 'lwtmvR4TbI', 'gTTmjxPf2K', 'etPftZtnFF', 'k8lAkyS3d0', 'JTKAaFtTtb', 'ShGAiaNY5l'
Source: 0.2.7bXVSwc9dp.exe.10efb1c.1.raw.unpack, jtvT30mIe4m7msKUQwZ.cs | High entropy of concatenated method names: 'VkGmG6avNL', 'ioJmo5Cece', 'G4Vmx95Kxx', 's2amJtTEpL', 'xc1mQF3iqc', 'GdGmEOsNfa', 'BKFmbRmVTI', 'Dutm8SOTEe', 'e3Am0acWmO', 'bJjmLl8bTU'
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe
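Two of the static indicators in this section can be reproduced outside the sandbox: the dropped qemu-ga.exe carries a PE TimeDateStamp of 0x845C0092, a build date in 2040, and the unpacked .NET module uses method names with no linguistic structure. The Python below is an added example written for this page; it is not Joe Sandbox's code and nothing in it is taken from the sample. It reads the TimeDateStamp from a PE header, converts it to UTC and flags future or pre-1990 dates, and scores the method names quoted above by Shannon entropy against the ordinary Win32 API names listed for function 0_2_00481280. The PE buffer it parses is constructed in the block, and the 5.0 bits/char threshold is an assumption; Joe Sandbox does not publish its cut-off. One caveat a triager should keep in mind: deterministic .NET builds (Roslyn /deterministic) write a content hash into TimeDateStamp, so an implausible build date corroborates other findings rather than standing on its own.

```python
"""Static triage helpers for two indicators in the report above.

Added example for this page, not Joe Sandbox or sample code. Parses the
COFF TimeDateStamp from a PE header and flags implausible build times, and
scores obfuscated .NET method names by Shannon entropy.
"""
import math
import struct
from collections import Counter
from datetime import datetime, timezone
from typing import Optional

# Value from the report's "Static PE information" line for qemu-ga.exe.0.dr.
REPORTED_TIMESTAMP = 0x845C0092

# Hypothetical threshold (bits per character); not Joe Sandbox's cut-off.
ENTROPY_THRESHOLD = 5.0


def pe_timestamp(data: bytes) -> int:
    """Return the COFF TimeDateStamp of a PE image given its raw bytes.

    IMAGE_DOS_HEADER.e_lfanew (offset 0x3C) points at "PE\\0\\0"; the COFF
    header follows it, and TimeDateStamp sits 8 bytes in, after Machine
    and NumberOfSections.
    """
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return stamp


def timestamp_to_utc(stamp: int) -> datetime:
    """TimeDateStamp is seconds since the Unix epoch, UTC."""
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def is_suspicious_timestamp(stamp: int, now: Optional[datetime] = None) -> bool:
    """True when the build time lies in the future or before 1990.

    Deterministic .NET builds store a hash here, so treat a hit as a
    corroborating signal, not proof of tampering.
    """
    now = now or datetime.now(timezone.utc)
    ts = timestamp_to_utc(stamp)
    return ts > now or ts.year < 1990


def build_minimal_pe(stamp: int) -> bytes:
    """Constructed fixture: DOS header, PE signature and a COFF header only."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # COFF header: Machine=I386, 1 section, TimeDateStamp, then zeroed fields.
    coff = struct.pack("<HHIIIHH", 0x014C, 1, stamp, 0, 0, 0, 0)
    return bytes(dos) + b"PE\0\0" + coff


def name_entropy(names) -> float:
    """Shannon entropy in bits per character of the concatenated names."""
    joined = "".join(names)
    total = len(joined)
    return -sum((c / total) * math.log2(c / total) for c in Counter(joined).values())


def looks_obfuscated(names) -> bool:
    return name_entropy(names) > ENTROPY_THRESHOLD


# Method names quoted in the report for WdBnEYAg1nRyqJHbk0Q.cs.
OBFUSCATED_NAMES = ['Deym16AiJU', 'g38PJ8K3c0', 'bxAmNgpIsj', 'e1hmfGryNP',
                    'lwtmvR4TbI', 'gTTmjxPf2K', 'etPftZtnFF', 'k8lAkyS3d0',
                    'JTKAaFtTtb', 'ShGAiaNY5l']
# Win32 API names from the report's 0_2_00481280 entry, used as the baseline.
API_NAMES = ['GetModuleHandleA', 'GetProcAddress', 'VirtualAlloc',
             'NtUnmapViewOfSection', 'LoadLibraryA', 'lstrlenW',
             'CreateThread', 'Sleep', 'WaitForSingleObject']

if __name__ == "__main__":
    stamp = pe_timestamp(build_minimal_pe(REPORTED_TIMESTAMP))
    when = timestamp_to_utc(stamp).strftime("%a %b %d %H:%M:%S %Y UTC")
    flag = "suspicious" if is_suspicious_timestamp(stamp) else "plausible"
    print(f"TimeDateStamp 0x{stamp:08X} [{when}] {flag}")
    print(f"obfuscated names: {name_entropy(OBFUSCATED_NAMES):.2f} bits/char")
    print(f"API names:        {name_entropy(API_NAMES):.2f} bits/char")
```

Run against the real dropped file, replace build_minimal_pe() with the file's bytes; the rest of the logic is unchanged. The entropy baseline is deliberately drawn from identifiers in the same report so the contrast is between real API names and the packer's generated ones, not between two arbitrary strings.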

                        Boot Survival

                        Source: C:\Users\user\Desktop\7bXVSwc9dp.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe
                        Source: C:\Users\user\Desktop\7bXVSwc9dp.exe Process information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe Process information set: NOOPENFILEERRORBOX

                        Malware Analysis System Evasion

                        Source: C:\Users\user\Desktop\7bXVSwc9dp.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                        Source: C:\Users\user\Desktop\7bXVSwc9dp.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                        Source: qemu-ga.exe, 00000003.00000002.3224563673.0000000002E31000.00000004.00000800.00020000.00000000.sdmp, qemu-ga.exe, 00000005.00000002.3224439455.0000000002271000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: YC:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXE
                        Source: qemu-ga.exe, 00000003.00000002.3223012208.0000000000D5C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXE0\MODULES;C:\PROGRAM FILES (X86)\AUTOIT3\AUTOITXPUBLIC=C:\USERS\PUBLICSESSIONNAME=CONSOLESYSTEMDRIVE=C:SYSTEMROOT=C:\WINDOWSTEMP=C:\USERS\user\APPDATA\LOCAL\TEMPT
                        Source: 7bXVSwc9dp.exe, 00000000.00000002.2160002093.00000000059F0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXE@
                        Source: 7bXVSwc9dp.exe, 00000000.00000003.2148970965.000000000149B000.00000004.00000020.00020000.00000000.sdmp, 7bXVSwc9dp.exe, 00000000.00000002.2150867701.000000000149C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ILENAMEQEMU-GA.EXE0
                        Source: qemu-ga.exe, 00000003.00000002.3223012208.0000000000D50000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\WINDOWS\TEMP\ASLLOG_SHIMENGSTATE_QEMU-GA.EXE_2828.TXT
                        Source: qemu-ga.exe, 00000003.00000002.3223012208.0000000000DC5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:/USERS/user/APPDATA/ROAMING/MICROSOFT/WINDOWS/START MENU/PROGRAMS/STARTUP/QEMU-GA.EXE.CONFIGG
                        Source: 7bXVSwc9dp.exe, 00000000.00000002.2150906526.00000000014DB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: FILE:///C:/USERS/user/APPDATA/ROAMING/MICROSOFT/WINDOWS/START%20MENU/PROGRAMS/STARTUP/QEMU-GA.EXE1
                        Source: qemu-ga.exe, 00000003.00000002.3223012208.0000000000D5C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXEI
                        Source: qemu-ga.exe, 00000005.00000002.3223167225.0000000000489000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXEJ
                        Source: qemu-ga.exe, 00000003.00000002.3223012208.0000000000D5C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXEH
                        Source: qemu-ga.exe, 00000005.00000002.3223167225.00000000004EB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: QEMU-GA.EXEP
                        Source: 7bXVSwc9dp.exe, 00000000.00000003.2148970965.000000000149B000.00000004.00000020.00020000.00000000.sdmp, 7bXVSwc9dp.exe, 00000000.00000002.2150867701.000000000149C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXEE
                        Source: 7bXVSwc9dp.exe, 00000000.00000002.2150906526.00000000014CB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: /C:/USERS/user/APPDATA/ROAMING/MICROSOFT/WINDOWS/START%20MENU/PROGRAMS/STARTUP/QEMU-GA.EXEL
                        Source: 7bXVSwc9dp.exe, 00000000.00000002.2150906526.00000000014CB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXEF
                        Source: 7bXVSwc9dp.exe, 00000000.00000002.2150137777.00000000010EE000.00000004.00000010.00020000.00000000.sdmp, 7bXVSwc9dp.exe, 00000000.00000002.2150298072.0000000001282000.00000020.00001000.00020000.00000000.sdmpBinary or memory string: \QEMU-GA.EXE
                        Source: 7bXVSwc9dp.exe, 00000000.00000002.2150906526.00000000014CB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: /C:/USERS/user/APPDATA/ROAMING/MICROSOFT/WINDOWS/START%20MENU/PROGRAMS/STARTUP/QEMU-GA.EXER
                        Source: qemu-ga.exe, 00000003.00000002.3223012208.0000000000D5C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\USERS\user\APPDATA\LOCAL\MICROSOFT\CLR_V4.0\USAGELOGS\QEMU-GA.EXE.LOG
                        Source: qemu-ga.exe, 00000005.00000002.3223167225.00000000004EB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXENH
                        Source: 7bXVSwc9dp.exe, 00000000.00000002.2150906526.00000000014CB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: /C:/USERS/user/APPDATA/ROAMING/MICROSOFT/WINDOWS/START%20MENU/PROGRAMS/STARTUP/QEMU-GA.EXES
                        Source: qemu-ga.exe, 00000003.00000002.3223012208.0000000000DC5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXEN
                        Source: qemu-ga.exe, 00000003.00000002.3224563673.0000000002E31000.00000004.00000800.00020000.00000000.sdmp, qemu-ga.exe, 00000005.00000002.3224439455.0000000002271000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: QEMU-GA.EXE2!
                        Source: qemu-ga.exe, 00000003.00000002.3223012208.0000000000D50000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\USERS\user\DESKTOP\C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXE"C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXE" C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXEWINSTA0\DEFAULT
                        Source: qemu-ga.exe, 00000003.00000002.3223012208.0000000000DC5000.00000004.00000020.00020000.00000000.sdmp, qemu-ga.exe, 00000005.00000002.3223167225.00000000004EB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXE.CONFIG
                        Source: qemu-ga.exe, 00000005.00000002.3223167225.00000000004EB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: FQ\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXE.CONFIGL
                        Source: qemu-ga.exe, 00000003.00000002.3223012208.0000000000D5C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXE.CONFIG2.DLL
                        Source: 7bXVSwc9dp.exe, 00000000.00000003.2148970965.000000000149B000.00000004.00000020.00020000.00000000.sdmp, 7bXVSwc9dp.exe, 00000000.00000002.2150867701.000000000149C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ERNALNAMEQEMU-GA.EXEH
                        Source: qemu-ga.exe, 00000003.00000002.3223012208.0000000000D50000.00000004.00000020.00020000.00000000.sdmp, qemu-ga.exe, 00000005.00000002.3223167225.0000000000480000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: "C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXE"
                        Source: 7bXVSwc9dp.exe, 00000000.00000002.2160807057.0000000005ACE000.00000004.00000020.00020000.00000000.sdmp, 7bXVSwc9dp.exe, 00000000.00000003.2149088208.0000000005ACD000.00000004.00000020.00020000.00000000.sdmp, 7bXVSwc9dp.exe, 00000000.00000003.2148749486.0000000005AA1000.00000004.00000020.00020000.00000000.sdmp, 7bXVSwc9dp.exe, 00000000.00000002.2164115712.00000000072B8000.00000004.00000020.00020000.00000000.sdmp, 7bXVSwc9dp.exe, 00000000.00000003.2149036097.00000000072B7000.00000004.00000020.00020000.00000000.sdmp, 7bXVSwc9dp.exe, 00000000.00000002.2160159846.0000000005A76000.00000004.00000020.00020000.00000000.sdmp, 7bXVSwc9dp.exe, 00000000.00000003.2148475586.00000000072AA000.00000004.00000020.00020000.00000000.sdmp, 7bXVSwc9dp.exe, 00000000.00000002.2160584253.0000000005AA1000.00000004.00000020.00020000.00000000.sdmp, 7bXVSwc9dp.exe, 00000000.00000003.2148923577.0000000005AC1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: :QEMU-GA.EXE
                        Source: qemu-ga.exe, 00000005.00000002.3223167225.00000000004EB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: FQC:/USERS/user/APPDATA/ROAMING/MICROSOFT/WINDOWS/START%20MENU/PROGRAMS/STARTUP/QEMU-GA.EXE.CONFIG
                        Source: 7bXVSwc9dp.exe, 00000000.00000002.2150388965.0000000001305000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\USERS\user\DESKTOP\C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXE"C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXE"
                        Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.0000000003877000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: \QEMU-GA.EXE0
                        Source: qemu-ga.exe, 00000003.00000002.3224563673.0000000002E31000.00000004.00000800.00020000.00000000.sdmp, qemu-ga.exe, 00000005.00000002.3224439455.0000000002271000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: `C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXE.CONFIG`_!
                        Source: 7bXVSwc9dp.exe, 00000000.00000002.2160002093.00000000059F0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \REGISTRY\MACHINE\SOFTWARE\CLASSES\APPLICATIONS\QEMU-GA.EXE
                        Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.0000000003877000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: $]QYC:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXE
                        Source: 7bXVSwc9dp.exe, 00000000.00000002.2160002093.00000000059F0000.00000004.00000020.00020000.00000000.sdmp, qemu-ga.exe, 00000003.00000002.3223012208.0000000000D5C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXE,
                        Source: qemu-ga.exe, 00000005.00000002.3223167225.00000000004EB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: FQC:USERSuserAPPDATAROAMINGMICROSOFTWINDOWSSTART%20MENUPROGRAMSSTARTUPQEMU-GA.EXE.CONFIG!
                        Source: qemu-ga.exe, 00000003.00000002.3223012208.0000000000DC5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXE*
                        Source: qemu-ga.exe, 00000003.00000002.3223012208.0000000000DBF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: QEMU-GA.EXEN
                        Source: qemu-ga.exe, 00000005.00000002.3223167225.0000000000489000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXE2
                        Source: qemu-ga.exe, 00000003.00000002.3223012208.0000000000DC5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:/USERS/user/APPDATA/ROAMING/MICROSOFT/WINDOWS/START%20MENU/PROGRAMS/STARTUP/QEMU-GA.EXE.CONFIGL
                        Source: 7bXVSwc9dp.exe, 00000000.00000003.2148970965.000000000149B000.00000004.00000020.00020000.00000000.sdmp, 7bXVSwc9dp.exe, 00000000.00000002.2150867701.000000000149C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: FILE//C:USERSuserAPPDATAROAMINGMICROSOFTWINDOWSSTART%20MENUPROGRAMSSTARTUPQEMU-GA.EXESN
                        Source: qemu-ga.exe, 00000003.00000002.3223012208.0000000000DC5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: QEMU-GA.EXEJ
                        Source: 7bXVSwc9dp.exe, 00000000.00000003.2148970965.000000000149B000.00000004.00000020.00020000.00000000.sdmp, 7bXVSwc9dp.exe, 00000000.00000002.2150867701.000000000149C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: LNAMEQEMU-GA.EXEH
                        Source: qemu-ga.exe, 00000005.00000002.3223167225.00000000004EB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: FQC:/USERS/user/APPDATA/ROAMING/MICROSOFT/WINDOWS/START MENU/PROGRAMS/STARTUP/QEMU-GA.EXE.CONFIGG&
                        Source: qemu-ga.exe, 00000003.00000002.3223012208.0000000000DC5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: QEMU-GA.EXEE
                        Source: qemu-ga.exe, 00000005.00000002.3223167225.0000000000489000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: /HC:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXE
                        Source: qemu-ga.exe, 00000003.00000002.3223012208.0000000000D5C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXE8
                        Source: qemu-ga.exe, 00000003.00000002.3223012208.0000000000DC5000.00000004.00000020.00020000.00000000.sdmp, qemu-ga.exe, 00000005.00000002.3223167225.00000000004EB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXE.CONFIGG
                        Source: 7bXVSwc9dp.exe, 00000000.00000003.2148970965.000000000149B000.00000004.00000020.00020000.00000000.sdmp, 7bXVSwc9dp.exe, 00000000.00000002.2150867701.000000000149C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START%20MENU\PROGRAMS\STARTUP\QEMU-GA.EXE^J7~
                        Source: 7bXVSwc9dp.exe, 00000000.00000002.2160002093.00000000059F0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXE35/T
                        Source: qemu-ga.exe, 00000005.00000002.3223167225.0000000000489000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: FIC:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXE
                        Source: qemu-ga.exe, 00000005.00000002.3223167225.0000000000489000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: QEMU-GA.EXENALFO0
                        Source: 7bXVSwc9dp.exe, 00000000.00000003.2148970965.000000000149B000.00000004.00000020.00020000.00000000.sdmp, 7bXVSwc9dp.exe, 00000000.00000002.2150867701.000000000149C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: NALFILENAMEQEMU-GA.EXE0
                        Source: 7bXVSwc9dp.exe, 00000000.00000002.2150906526.00000000014DB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: FILE:///C:/USERS/user/APPDATA/ROAMING/MICROSOFT/WINDOWS/START%20MENU/PROGRAMS/STARTUP/QEMU-GA.EXE{
                        Source: 7bXVSwc9dp.exe, 00000000.00000002.2160807057.0000000005ACE000.00000004.00000020.00020000.00000000.sdmp, 7bXVSwc9dp.exe, 00000000.00000003.2149088208.0000000005ACD000.00000004.00000020.00020000.00000000.sdmp, 7bXVSwc9dp.exe, 00000000.00000003.2148749486.0000000005AA1000.00000004.00000020.00020000.00000000.sdmp, 7bXVSwc9dp.exe, 00000000.00000002.2164115712.00000000072B8000.00000004.00000020.00020000.00000000.sdmp, 7bXVSwc9dp.exe, 00000000.00000003.2149036097.00000000072B7000.00000004.00000020.00020000.00000000.sdmp, 7bXVSwc9dp.exe, 00000000.00000002.2150906526.00000000014CB000.00000004.00000020.00020000.00000000.sdmp, 7bXVSwc9dp.exe, 00000000.00000002.2160159846.0000000005A76000.00000004.00000020.00020000.00000000.sdmp, 7bXVSwc9dp.exe, 00000000.00000003.2148475586.00000000072AA000.00000004.00000020.00020000.00000000.sdmp, 7bXVSwc9dp.exe, 00000000.00000002.2160584253.0000000005AA1000.00000004.00000020.00020000.00000000.sdmp, 7bXVSwc9dp.exe, 00000000.00000002.2152685133.0000000003877000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: QEMU-GA.EXE
                        Source: 7bXVSwc9dp.exe, 00000000.00000002.2160159846.0000000005A76000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXE:ZONE.IDENTIFIER
Source: 7bXVSwc9dp.exe, 00000000.00000002.2150906526.00000000014CB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: /C:/USERS/user/APPDATA/ROAMING/MICROSOFT/WINDOWS/START%20MENU/PROGRAMS/STARTUP/QEMU-GA.EXE
Source: qemu-ga.exe, 00000005.00000002.3223167225.00000000004B2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: P,KC:\USERS\user\APPDATA\LOCALC:\USERS\user\APPDATA\LOCAL\MICROSOFT\CLR_V4.0\USAGELOGS\QEMU-GA.EXE.LOGP
Source: 7bXVSwc9dp.exe, 00000000.00000003.2148970965.000000000149B000.00000004.00000020.00020000.00000000.sdmp, 7bXVSwc9dp.exe, 00000000.00000002.2150867701.000000000149C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\USERS\user\APPDATA\LOCAL\TEMPMINGMICROSOFTWINDOWSSTART%20MENUPROGRAMSSTARTUPQEMU-GA.EXE
Source: qemu-ga.exe, 00000003.00000002.3223012208.0000000000DC5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: FILE:///C:/USERS/user/APPDATA/ROAMING/MICROSOFT/WINDOWS/START MENU/PROGRAMS/STARTUP/QEMU-GA.EXE
Source: 7bXVSwc9dp.exe, 00000000.00000002.2160807057.0000000005ACE000.00000004.00000020.00020000.00000000.sdmp, 7bXVSwc9dp.exe, 00000000.00000003.2149088208.0000000005ACD000.00000004.00000020.00020000.00000000.sdmp, 7bXVSwc9dp.exe, 00000000.00000003.2148749486.0000000005AA1000.00000004.00000020.00020000.00000000.sdmp, 7bXVSwc9dp.exe, 00000000.00000002.2164115712.00000000072B8000.00000004.00000020.00020000.00000000.sdmp, 7bXVSwc9dp.exe, 00000000.00000003.2149036097.00000000072B7000.00000004.00000020.00020000.00000000.sdmp, 7bXVSwc9dp.exe, 00000000.00000002.2160159846.0000000005A76000.00000004.00000020.00020000.00000000.sdmp, 7bXVSwc9dp.exe, 00000000.00000003.2148475586.00000000072AA000.00000004.00000020.00020000.00000000.sdmp, 7bXVSwc9dp.exe, 00000000.00000002.2160584253.0000000005AA1000.00000004.00000020.00020000.00000000.sdmp, 7bXVSwc9dp.exe, 00000000.00000003.2148923577.0000000005AC1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: QEMU-GA.EXEH
Source: qemu-ga.exe, 00000005.00000002.3223167225.00000000004EB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: FILE:///C:/USERS/user/APPDATA/ROAMING/MICROSOFT/WINDOWS/START MENU/PROGRAMS/STARTUP/QEMU-GA.EXEIG
Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.0000000003877000.00000004.00000800.00020000.00000000.sdmp, qemu-ga.exe, 00000003.00000000.2148231933.0000000000964000.00000002.00000001.01000000.00000007.sdmp, qemu-ga.exe.0.dr Binary or memory string: ORIGINALFILENAMEQEMU-GA.EXE0
Source: 7bXVSwc9dp.exe, 00000000.00000002.2160159846.0000000005A76000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXE:ZONE.IDENTIFIER?J
Source: qemu-ga.exe, 00000003.00000002.3223012208.0000000000DC5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:USERSuserAPPDATAROAMINGMICROSOFTWINDOWSSTART%20MENUPROGRAMSSTARTUPQEMU-GA.EXE.CONFIG!
Source: qemu-ga.exe, 00000005.00000002.3223981771.0000000000780000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: XC:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXE]V
Source: 7bXVSwc9dp.exe, 00000000.00000002.2150191036.0000000001190000.00000004.00000020.00040000.00000000.sdmp Binary or memory string: C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXE\??\C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXEEN-GBENEN-USMYAPPLICATION.APPBB.
Source: qemu-ga.exe, 00000003.00000002.3223012208.0000000000D5C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXE.WSF
Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.0000000003877000.00000004.00000800.00020000.00000000.sdmp, qemu-ga.exe, 00000003.00000000.2148231933.0000000000964000.00000002.00000001.01000000.00000007.sdmp, qemu-ga.exe.0.dr Binary or memory string: INTERNALNAMEQEMU-GA.EXEH
Source: 7bXVSwc9dp.exe, 00000000.00000002.2164115712.00000000072B8000.00000004.00000020.00020000.00000000.sdmp, 7bXVSwc9dp.exe, 00000000.00000003.2149036097.00000000072B7000.00000004.00000020.00020000.00000000.sdmp, 7bXVSwc9dp.exe, 00000000.00000003.2148475586.00000000072AA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXEE
Source: qemu-ga.exe, 00000003.00000002.3223012208.0000000000D5C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXE.CONFIG
Source: qemu-ga.exe, 00000005.00000002.3223167225.0000000000480000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXE"C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXE" C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXEWINSTA0\DEFAULT
Source: qemu-ga.exe, 00000003.00000002.3224563673.0000000002E31000.00000004.00000800.00020000.00000000.sdmp, qemu-ga.exe, 00000005.00000002.3224439455.0000000002271000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: QEMU-GA.EXE.CONFIG
Source: qemu-ga.exe, 00000003.00000002.3223012208.0000000000D50000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\WINDOWS\TEMP\ASLLOG_APPHELPDEBUG_QEMU-GA.EXE_2828.TXT P
Source: 7bXVSwc9dp.exe, 00000000.00000002.2160002093.00000000059F0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \REGISTRY\MACHINE\SOFTWARE\CLASSES\APPLICATIONS\QEMU-GA.EXEOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXEZL
Source: qemu-ga.exe, 00000005.00000002.3223167225.00000000004EB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PQEMU-GA.EXE
Source: qemu-ga.exe, 00000003.00000002.3223012208.0000000000D50000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\WINDOWS\TEMP\ASLLOG_SHIMDEBUGLOG_QEMU-GA.EXE_2828.TXT L
Source: 7bXVSwc9dp.exe, 00000000.00000002.2150388965.0000000001305000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXEWINSTA0\DEFAULT
Source: 7bXVSwc9dp.exe, 00000000.00000002.2150906526.00000000014CB000.00000004.00000020.00020000.00000000.sdmp, 7bXVSwc9dp.exe, 00000000.00000002.2160002093.00000000059F0000.00000004.00000020.00020000.00000000.sdmp, qemu-ga.exe, 00000003.00000002.3222786269.0000000000D20000.00000004.00000020.00020000.00000000.sdmp, qemu-ga.exe, 00000003.00000002.3223012208.0000000000D5C000.00000004.00000020.00020000.00000000.sdmp, qemu-ga.exe, 00000003.00000002.3222653528.0000000000CFA000.00000004.00000010.00020000.00000000.sdmp, qemu-ga.exe, 00000003.00000002.3223012208.0000000000D50000.00000004.00000020.00020000.00000000.sdmp, qemu-ga.exe, 00000005.00000002.3223167225.0000000000489000.00000004.00000020.00020000.00000000.sdmp, qemu-ga.exe, 00000005.00000002.3222573802.000000000015A000.00000004.00000010.00020000.00000000.sdmp, qemu-ga.exe, 00000005.00000002.3223167225.0000000000480000.00000004.00000020.00020000.00000000.sdmp, qemu-ga.exe, 00000005.00000002.3223167225.00000000004EB000.00000004.00000020.00020000.00000000.sdmp, qemu-ga.exe, 00000005.00000002.3223981771.0000000000780000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXE
Source: 7bXVSwc9dp.exe, 00000000.00000002.2150906526.00000000014CB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: /C:/USERS/user/APPDATA/ROAMING/MICROSOFT/WINDOWS/START%20MENU/PROGRAMS/STARTUP/QEMU-GA.EXE4
Source: 7bXVSwc9dp.exe, 00000000.00000002.2150906526.00000000014DB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: FILE:///C:/USERS/user/APPDATA/ROAMING/MICROSOFT/WINDOWS/START%20MENU/PROGRAMS/STARTUP/QEMU-GA.EXE
Source: 7bXVSwc9dp.exe, 00000000.00000002.2150906526.00000000014CB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXEY
Source: 7bXVSwc9dp.exe, 00000000.00000002.2150906526.00000000014CB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: /C:/USERS/user/APPDATA/ROAMING/MICROSOFT/WINDOWS/START%20MENU/PROGRAMS/STARTUP/QEMU-GA.EXE:
Source: qemu-ga.exe, 00000005.00000002.3223167225.0000000000480000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: QHC:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXE
Source: 7bXVSwc9dp.exe, 00000000.00000002.2150906526.00000000014CB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXE
Source: 7bXVSwc9dp.exe, 00000000.00000003.2148970965.000000000149B000.00000004.00000020.00020000.00000000.sdmp, 7bXVSwc9dp.exe, 00000000.00000002.2150867701.000000000149C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: FILE//C:USERSuserAPPDATAROAMINGMICROSOFTWINDOWSSTART%20MENUPROGRAMSSTARTUPQEMU-GA.EXE{HTX
Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.0000000003877000.00000004.00000800.00020000.00000000.sdmp, qemu-ga.exe, 00000003.00000000.2148201842.0000000000962000.00000002.00000001.01000000.00000007.sdmp, qemu-ga.exe.0.dr Binary or memory string: <MODULE>QEMU-GAMSCORLIBTHREADCONSOLEREADLINEDEBUGGABLEATTRIBUTECOMVISIBLEATTRIBUTEASSEMBLYTITLEATTRIBUTEASSEMBLYTRADEMARKATTRIBUTETARGETFRAMEWORKATTRIBUTEASSEMBLYFILEVERSIONATTRIBUTEASSEMBLYCONFIGURATIONATTRIBUTEASSEMBLYDESCRIPTIONATTRIBUTECOMPILATIONRELAXATIONSATTRIBUTEASSEMBLYPRODUCTATTRIBUTEASSEMBLYCOPYRIGHTATTRIBUTEASSEMBLYCOMPANYATTRIBUTERUNTIMECOMPATIBILITYATTRIBUTEQEMU-GA.EXESYSTEM.THREADINGSYSTEM.RUNTIME.VERSIONINGPROGRAMSYSTEMMAINSYSTEM.REFLECTIONSLEEP.CTORSYSTEM.DIAGNOSTICSSYSTEM.RUNTIME.INTEROPSERVICESSYSTEM.RUNTIME.COMPILERSERVICESDEBUGGINGMODESARGSOBJECT
Source: qemu-ga.exe, 00000003.00000002.3223012208.0000000000DC5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXE.CONFIG
Source: 7bXVSwc9dp.exe, 00000000.00000002.2160002093.00000000059F0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXEWU
Source: 7bXVSwc9dp.exe, 00000000.00000002.2160002093.00000000059F0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXEWT
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe Memory allocated: 16B0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe Memory allocated: 3450000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe Memory allocated: 3350000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe Memory allocated: 2B50000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe Memory allocated: 1AE30000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe Memory allocated: 470000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe Memory allocated: 1A270000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe Window / User API: threadDelayed 2508
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe Window / User API: threadDelayed 4595
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe Window / User API: threadDelayed 3122
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe Window / User API: threadDelayed 6876
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe Window / User API: threadDelayed 3222
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe Window / User API: threadDelayed 6776
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe TID: 5712 Thread sleep time: -18446744073709540s >= -30000s
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe TID: 1864 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe TID: 3480 Thread sleep count: 3122 > 30
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe TID: 3480 Thread sleep time: -312200000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe TID: 3480 Thread sleep count: 6876 > 30
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe TID: 3480 Thread sleep time: -687600000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe TID: 6772 Thread sleep count: 3222 > 30
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe TID: 6772 Thread sleep time: -322200000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe TID: 6772 Thread sleep count: 6776 > 30
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe TID: 6772 Thread sleep time: -677600000s >= -30000s
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe Code function: 0_2_0048933A FindFirstFileExW
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe Thread delayed: delay time: 100000
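The thread-delay lines above are what the sandbox-evasion rule keys on: a thread that sleeps for 30 s in total or more than 30 times, plus the single delays of 922337203685477 ms, which is Int64.MaxValue / 10000, the largest 100 ns interval a native delay call can carry, so an effectively infinite wait. The Python script below is an added example, not code from Joe Sandbox, that re-derives those findings from the report's own lines so a batch of exported reports can be triaged the same way. Its thresholds are the ones printed in the lines above, the sample lines are copied from this section, and the reading of the "s"-suffixed totals as milliseconds is an inference from the same thread's per-call delay and call count (3122 calls of 100000 ms give 312200000).

```python
import re
from collections import defaultdict

# Thresholds visible in the report lines ("> 30" and ">= -30000s").
MAX_SLEEP_COUNT = 30
MAX_SLEEP_TOTAL_MS = 30_000
# Int64.MaxValue / 10000: the largest 100 ns delay a native wait can express,
# in milliseconds (922337203685477). A wait this long never returns.
INFINITE_MS = (2**63 - 1) // 10_000

# Constructed sample: behaviour lines from the report above, in its layout.
SAMPLE = r"""Source: C:\Users\user\Desktop\7bXVSwc9dp.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe Thread delayed: delay time: 100000
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe TID: 5712 Thread sleep time: -18446744073709540s >= -30000s
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe TID: 1864 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe TID: 3480 Thread sleep count: 3122 > 30
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe TID: 3480 Thread sleep time: -312200000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe TID: 3480 Thread sleep count: 6876 > 30
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe TID: 3480 Thread sleep time: -687600000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe TID: 6772 Thread sleep count: 3222 > 30
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe TID: 6772 Thread sleep time: -322200000s >= -30000s
"""

# "\s*" tolerates the fused "3480Thread" spelling of the extracted page.
SLEEP_RE = re.compile(
    r"^Source: (?P<proc>.+?) TID: (?P<tid>\d+)\s*Thread sleep (?P<kind>count|time): -?(?P<value>\d+)"
)
DELAY_RE = re.compile(r"^Source: (?P<proc>.+?)\s*Thread delayed: delay time: (?P<ms>\d+)")


def _name(proc_path):
    """Process image name without its directory."""
    return proc_path.rsplit("\\", 1)[-1]


def parse_sleeps(text):
    """Aggregate per (process, thread): sleep-call count, total ms, infinite flag."""
    threads = defaultdict(lambda: {"count": 0, "total_ms": 0, "infinite": False})
    for line in text.splitlines():
        m = SLEEP_RE.match(line)
        if not m:
            continue
        rec = threads[(_name(m["proc"]), int(m["tid"]))]
        value = int(m["value"])
        if m["kind"] == "count":
            rec["count"] += value
        else:
            # The report suffixes these totals with "s", but they line up with
            # count x per-call delay in milliseconds, so they are summed as ms.
            rec["total_ms"] += value
            rec["infinite"] |= value >= INFINITE_MS
    return dict(threads)


def parse_delays(text):
    """Per-process sorted list of the distinct per-call delays (ms) observed."""
    delays = defaultdict(set)
    for line in text.splitlines():
        m = DELAY_RE.match(line)
        if m:
            delays[_name(m["proc"])].add(int(m["ms"]))
    return {proc: sorted(values) for proc, values in delays.items()}


def evaluate(threads):
    """Re-apply the report's rule per thread; returns {(proc, tid): [reasons]}."""
    findings = {}
    for key, rec in threads.items():
        reasons = []
        if rec["infinite"]:
            reasons.append("effectively infinite wait (>= Int64.MaxValue/10000 ms)")
        elif rec["total_ms"] >= MAX_SLEEP_TOTAL_MS:
            reasons.append(f"total sleep {rec['total_ms'] // 1000} s >= 30 s")
        if rec["count"] > MAX_SLEEP_COUNT:
            reasons.append(f"{rec['count']} sleep calls > 30")
        if reasons:
            findings[key] = reasons
    return findings


if __name__ == "__main__":
    for key, reasons in evaluate(parse_sleeps(SAMPLE)).items():
        print(key, "; ".join(reasons))
    print(parse_delays(SAMPLE))
```

Running it flags all four threads in the sample: the two dropper threads for their infinite waits, and the two qemu-ga.exe threads for both the 30 s total and the call count, with the 100000 ms per-call delay recorded separately so the count-times-delay check can be repeated on other reports.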
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe File opened: C:\Users\user\AppData\
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe File opened: C:\Users\user\
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
Source: 7bXVSwc9dp.exe, 00000000.00000002.2155160486.00000000044BB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: qemu-ga.exe, 00000003.00000002.3223012208.0000000000DC5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:/Users/user/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/qemu-ga.exe.configg
Source: 7bXVSwc9dp.exe, 00000000.00000002.2160002093.00000000059F0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exewt
Source: 7bXVSwc9dp.exe, 00000000.00000002.2160002093.00000000059F0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \Registry\Machine\Software\Classes\Applications\qemu-ga.exeows\Start Menu\Programs\Startup\qemu-ga.exeZl
Source: qemu-ga.exe, 00000003.00000002.3223012208.0000000000D50000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Windows\Temp\AslLog_ShimDebugLog_qemu-ga.exe_2828.txt l
Source: 7bXVSwc9dp.exe, 00000000.00000002.2155160486.00000000044BB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: qemu-ga.exe, 00000005.00000002.3223167225.00000000004EB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: FQC:UsersuserAppDataRoamingMicrosoftWindowsStart%20MenuProgramsStartupqemu-ga.exe.config!
Source: qemu-ga.exe, 00000005.00000002.3223167225.00000000004EB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exeNh
Source: 7bXVSwc9dp.exe, 00000000.00000003.2148475586.00000000072AA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:n
Source: qemu-ga.exe, 00000003.00000002.3223012208.0000000000DC5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: file:///C:/Users/user/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/qemu-ga.exe
Source: 7bXVSwc9dp.exe, 00000000.00000003.2148970965.000000000149B000.00000004.00000020.00020000.00000000.sdmp, 7bXVSwc9dp.exe, 00000000.00000002.2150867701.000000000149C000.00000004.00000020.00020000.00000000.sdmp, 7bXVSwc9dp.exe, 00000000.00000002.2152685133.0000000003877000.00000004.00000800.00020000.00000000.sdmp, qemu-ga.exe, 00000003.00000000.2148231933.0000000000964000.00000002.00000001.01000000.00000007.sdmp, qemu-ga.exe.0.dr Binary or memory string: ProductNameqemu-ga4
Source: 7bXVSwc9dp.exe, 00000000.00000002.2150906526.00000000014CB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: /C:/Users/user/AppData/Roaming/Microsoft/Windows/Start%20Menu/Programs/Startup/qemu-ga.exe4
Source: qemu-ga.exe, 00000003.00000002.3223012208.0000000000D5C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempT
Source: qemu-ga.exe, 00000005.00000002.3223167225.00000000004B2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: p,KC:\Users\user\AppData\LocalC:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\qemu-ga.exe.logP
Source: 7bXVSwc9dp.exe, 00000000.00000002.2155160486.00000000044BB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696428655
Source: 7bXVSwc9dp.exe, 00000000.00000002.2155160486.00000000044BB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: 7bXVSwc9dp.exe, 00000000.00000002.2150906526.00000000014CB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: /C:/Users/user/AppData/Roaming/Microsoft/Windows/Start%20Menu/Programs/Startup/qemu-ga.exe:
Source: qemu-ga.exe, 00000003.00000002.3223012208.0000000000DC5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe.config
Source: 7bXVSwc9dp.exe, 00000000.00000002.2155160486.00000000044BB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: 7bXVSwc9dp.exe, 00000000.00000002.2150906526.00000000014CB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exeY
Source: 7bXVSwc9dp.exe, 00000000.00000002.2160002093.00000000059F0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exeWu
Source: 7bXVSwc9dp.exe, 00000000.00000002.2155160486.00000000045AB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696428655
Source: 7bXVSwc9dp.exe, 00000000.00000002.2150906526.00000000014CB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe
Source: 7bXVSwc9dp.exe, 00000000.00000002.2155160486.00000000045AB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696428655o
Source: 7bXVSwc9dp.exe, 00000000.00000002.2155160486.00000000045AB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: 7bXVSwc9dp.exe, 00000000.00000002.2150906526.00000000014DB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: file:///C:/Users/user/AppData/Roaming/Microsoft/Windows/Start%20Menu/Programs/Startup/qemu-ga.exe
Source: 7bXVSwc9dp.exe, 00000000.00000002.2155160486.00000000044BB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: 7bXVSwc9dp.exe, 00000000.00000002.2150137777.00000000010EE000.00000004.00000010.00020000.00000000.sdmp, 7bXVSwc9dp.exe, 00000000.00000002.2150298072.0000000001282000.00000020.00001000.00020000.00000000.sdmp Binary or memory string: \qemu-ga.exe
Source: qemu-ga.exe, 00000005.00000002.3223167225.0000000000489000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: FIC:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe
Source: qemu-ga.exe, 00000005.00000002.3223167225.0000000000480000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe" C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exeWinsta0\Default
Source: qemu-ga.exe, 00000003.00000002.3223012208.0000000000D50000.00000004.00000020.00020000.00000000.sdmp, qemu-ga.exe, 00000005.00000002.3223167225.0000000000480000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"
Source: qemu-ga.exe, 00000003.00000002.3223012208.0000000000D5C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe.config
Source: 7bXVSwc9dp.exe, 00000000.00000002.2150388965.0000000001305000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exeWinsta0\Default
Source: 7bXVSwc9dp.exe, 00000000.00000002.2155160486.00000000045AB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: 7bXVSwc9dp.exe, 00000000.00000002.2160159846.0000000005A76000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe:Zone.Identifier
Source: 7bXVSwc9dp.exe, 00000000.00000002.2150906526.00000000014DB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: file:///C:/Users/user/AppData/Roaming/Microsoft/Windows/Start%20Menu/Programs/Startup/qemu-ga.exe1
Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.0000000003877000.00000004.00000800.00020000.00000000.sdmp, qemu-ga.exe, 00000003.00000000.2148231933.0000000000964000.00000002.00000001.01000000.00000007.sdmp, qemu-ga.exe.0.dr Binary or memory string: InternalNameqemu-ga.exeH
Source: qemu-ga.exe, 00000003.00000002.3223012208.0000000000DBF000.00000004.00000020.00020000.00000000.sdmp, qemu-ga.exe, 00000005.00000002.3223167225.00000000004EB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\C:\Windows\assembly\NativeImages_v4.0.30319_64\qemu-ga\*
Source: 7bXVSwc9dp.exe, 00000000.00000002.2150388965.0000000001305000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Users\user\Desktop\C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"
Source: qemu-ga.exe, 00000005.00000002.3225241930.00007FF848E34000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Iqemu-ga
Source: 7bXVSwc9dp.exe, 00000000.00000002.2155160486.00000000045AB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696428655f
Source: qemu-ga.exe, 00000005.00000002.3223167225.0000000000489000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: /HC:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe
Source: 7bXVSwc9dp.exe, 00000000.00000003.2148970965.000000000149B000.00000004.00000020.00020000.00000000.sdmp, 7bXVSwc9dp.exe, 00000000.00000002.2150867701.000000000149C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Users\user\AppData\Local\TempmingMicrosoftWindowsStart%20MenuProgramsStartupqemu-ga.exe
Source: 7bXVSwc9dp.exe, 00000000.00000002.2155160486.00000000044BB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: 7bXVSwc9dp.exe, 00000000.00000002.2155160486.00000000044BB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696428655j
Source: 7bXVSwc9dp.exe, 00000000.00000002.2155160486.00000000044BB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: 7bXVSwc9dp.exe, 00000000.00000002.2160807057.0000000005ACE000.00000004.00000020.00020000.00000000.sdmp, 7bXVSwc9dp.exe, 00000000.00000003.2149088208.0000000005ACD000.00000004.00000020.00020000.00000000.sdmp, 7bXVSwc9dp.exe, 00000000.00000003.2148749486.0000000005AA1000.00000004.00000020.00020000.00000000.sdmp, 7bXVSwc9dp.exe, 00000000.00000002.2164115712.00000000072B8000.00000004.00000020.00020000.00000000.sdmp, 7bXVSwc9dp.exe, 00000000.00000003.2149036097.00000000072B7000.00000004.00000020.00020000.00000000.sdmp, 7bXVSwc9dp.exe, 00000000.00000002.2160159846.0000000005A76000.00000004.00000020.00020000.00000000.sdmp, 7bXVSwc9dp.exe, 00000000.00000003.2148475586.00000000072AA000.00000004.00000020.00020000.00000000.sdmp, 7bXVSwc9dp.exe, 00000000.00000002.2160584253.0000000005AA1000.00000004.00000020.00020000.00000000.sdmp, 7bXVSwc9dp.exe, 00000000.00000003.2148923577.0000000005AC1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: :qemu-ga.exe
Source: qemu-ga.exe, 00000003.00000002.3224563673.0000000002E31000.00000004.00000800.00020000.00000000.sdmp, qemu-ga.exe, 00000005.00000002.3224439455.0000000002271000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: YC:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe
Source: qemu-ga.exe, 00000003.00000002.3223012208.0000000000DC5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: qemu@S
Source: 7bXVSwc9dp.exe, 00000000.00000003.2148970965.000000000149B000.00000004.00000020.00020000.00000000.sdmp, 7bXVSwc9dp.exe, 00000000.00000002.2150867701.000000000149C000.00000004.00000020.00020000.00000000.sdmp, 7bXVSwc9dp.exe, 00000000.00000002.2152685133.0000000003877000.00000004.00000800.00020000.00000000.sdmp, qemu-ga.exe, 00000003.00000000.2148231933.0000000000964000.00000002.00000001.01000000.00000007.sdmp, qemu-ga.exe.0.dr Binary or memory string: FileDescriptionqemu-ga0
Source: 7bXVSwc9dp.exe, 00000000.00000002.2155160486.00000000045AB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: 7bXVSwc9dp.exe, 00000000.00000002.2155160486.00000000045AB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: 7bXVSwc9dp.exe, 00000000.00000002.2155160486.00000000045AB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: 7bXVSwc9dp.exe, 00000000.00000002.2155160486.00000000045AB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: 7bXVSwc9dp.exe, 00000000.00000002.2155160486.00000000045AB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696428655s
Source: 7bXVSwc9dp.exe, 00000000.00000002.2155160486.00000000044BB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696428655f
Source: 7bXVSwc9dp.exe, 00000000.00000002.2155160486.00000000045AB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: 7bXVSwc9dp.exe, 00000000.00000002.2155160486.00000000045AB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.0000000003877000.00000004.00000800.00020000.00000000.sdmp, qemu-ga.exe, 00000003.00000000.2148231933.0000000000964000.00000002.00000001.01000000.00000007.sdmp, qemu-ga.exe.0.dr Binary or memory string: OriginalFilenameqemu-ga.exe0
Source: 7bXVSwc9dp.exe, 00000000.00000002.2155160486.00000000045AB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: 7bXVSwc9dp.exe, 00000000.00000002.2155160486.00000000045AB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696428655j
Source: 7bXVSwc9dp.exe, 00000000.00000002.2155160486.00000000045AB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: 7bXVSwc9dp.exe, 00000000.00000002.2155160486.00000000044BB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: 7bXVSwc9dp.exe, 00000000.00000002.2155160486.00000000044BB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696428655
Source: 7bXVSwc9dp.exe, 00000000.00000002.2155160486.00000000044BB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: 7bXVSwc9dp.exe, 00000000.00000002.2155160486.00000000044BB000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: 7bXVSwc9dp.exe, 00000000.00000002.2160159846.0000000005A76000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe:Zone.Identifier?j
                        Source: 7bXVSwc9dp.exe, 00000000.00000002.2150906526.00000000014DB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: file:///C:/Users/user/AppData/Roaming/Microsoft/Windows/Start%20Menu/Programs/Startup/qemu-ga.exe{
                        Source: qemu-ga.exe, 00000003.00000002.3223012208.0000000000DC5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:UsersuserAppDataRoamingMicrosoftWindowsStart%20MenuProgramsStartupqemu-ga.exe.config!
                        Source: 7bXVSwc9dp.exe, 00000000.00000002.2155160486.00000000044BB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
                        Source: qemu-ga.exe, 00000003.00000002.3223012208.0000000000D50000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exC:P
                        Source: 7bXVSwc9dp.exe, 00000000.00000002.2155160486.00000000045AB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: trackpan.utiitsl.comVMware20,11696428655h
                        Source: 7bXVSwc9dp.exe, 00000000.00000002.2155160486.00000000044BB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - HKVMware20,11696428655]
                        Source: qemu-ga.exe, 00000003.00000002.3223012208.0000000000D5C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe.WSF
                        Source: qemu-ga.exe, 00000005.00000002.3223167225.00000000004EB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: qemu-ga.exep
                        Source: 7bXVSwc9dp.exe, 00000000.00000003.2148970965.000000000149B000.00000004.00000020.00020000.00000000.sdmp, 7bXVSwc9dp.exe, 00000000.00000002.2150867701.000000000149C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ilenameqemu-ga.exe0
                        Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.0000000003877000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: \qemu-ga.exe0
                        Source: 7bXVSwc9dp.exe, 00000000.00000002.2155160486.00000000045AB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: interactivebrokers.co.inVMware20,11696428655d
                        Source: 7bXVSwc9dp.exe, 00000000.00000002.2155160486.00000000045AB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
                        Source: qemu-ga.exe, 00000003.00000002.3224563673.0000000002E31000.00000004.00000800.00020000.00000000.sdmp, qemu-ga.exe, 00000005.00000002.3224439455.0000000002271000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: qemu-ga.exe.config
                        Source: 7bXVSwc9dp.exe, 00000000.00000002.2155160486.00000000045AB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: global block list test formVMware20,11696428655
                        Source: qemu-ga.exe, 00000003.00000002.3223012208.0000000000DC5000.00000004.00000020.00020000.00000000.sdmp, qemu-ga.exe, 00000005.00000002.3223167225.00000000004EB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe.config
                        Source: 7bXVSwc9dp.exe, 00000000.00000002.2160807057.0000000005ACE000.00000004.00000020.00020000.00000000.sdmp, 7bXVSwc9dp.exe, 00000000.00000003.2149088208.0000000005ACD000.00000004.00000020.00020000.00000000.sdmp, 7bXVSwc9dp.exe, 00000000.00000003.2148749486.0000000005AA1000.00000004.00000020.00020000.00000000.sdmp, 7bXVSwc9dp.exe, 00000000.00000002.2164115712.00000000072B8000.00000004.00000020.00020000.00000000.sdmp, 7bXVSwc9dp.exe, 00000000.00000003.2149036097.00000000072B7000.00000004.00000020.00020000.00000000.sdmp, 7bXVSwc9dp.exe, 00000000.00000002.2150906526.00000000014CB000.00000004.00000020.00020000.00000000.sdmp, 7bXVSwc9dp.exe, 00000000.00000002.2160159846.0000000005A76000.00000004.00000020.00020000.00000000.sdmp, 7bXVSwc9dp.exe, 00000000.00000003.2148475586.00000000072AA000.00000004.00000020.00020000.00000000.sdmp, 7bXVSwc9dp.exe, 00000000.00000002.2160584253.0000000005AA1000.00000004.00000020.00020000.00000000.sdmp, 7bXVSwc9dp.exe, 00000000.00000002.2152685133.0000000003877000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: qemu-ga.exe
                        Source: 7bXVSwc9dp.exe, 00000000.00000002.2155160486.00000000045AB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: account.microsoft.com/profileVMware20,11696428655u
                        Source: 7bXVSwc9dp.exe, 00000000.00000003.2148970965.000000000149B000.00000004.00000020.00020000.00000000.sdmp, 7bXVSwc9dp.exe, 00000000.00000002.2150867701.000000000149C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: lNameqemu-ga.exeH
                        Source: qemu-ga.exe, 00000005.00000002.3223167225.0000000000480000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: H`4H\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exC:P
                        Source: 7bXVSwc9dp.exe, 00000000.00000003.2148970965.000000000149B000.00000004.00000020.00020000.00000000.sdmp, 7bXVSwc9dp.exe, 00000000.00000002.2150867701.000000000149C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ernalNameqemu-ga.exeH
                        Source: 7bXVSwc9dp.exe, 00000000.00000002.2155160486.00000000045AB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
                        Source: 7bXVSwc9dp.exe, 00000000.00000002.2150906526.00000000014CB000.00000004.00000020.00020000.00000000.sdmp, 7bXVSwc9dp.exe, 00000000.00000002.2160002093.00000000059F0000.00000004.00000020.00020000.00000000.sdmp, qemu-ga.exe, 00000003.00000002.3222786269.0000000000D20000.00000004.00000020.00020000.00000000.sdmp, qemu-ga.exe, 00000003.00000002.3223012208.0000000000D5C000.00000004.00000020.00020000.00000000.sdmp, qemu-ga.exe, 00000003.00000002.3222653528.0000000000CFA000.00000004.00000010.00020000.00000000.sdmp, qemu-ga.exe, 00000003.00000002.3223012208.0000000000D50000.00000004.00000020.00020000.00000000.sdmp, qemu-ga.exe, 00000005.00000002.3223167225.0000000000489000.00000004.00000020.00020000.00000000.sdmp, qemu-ga.exe, 00000005.00000002.3222573802.000000000015A000.00000004.00000010.00020000.00000000.sdmp, qemu-ga.exe, 00000005.00000002.3223167225.0000000000480000.00000004.00000020.00020000.00000000.sdmp, qemu-ga.exe, 00000005.00000002.3223167225.00000000004EB000.00000004.00000020.00020000.00000000.sdmp, qemu-ga.exe, 00000005.00000002.3223981771.0000000000780000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe
                        Source: 7bXVSwc9dp.exe, 00000000.00000002.2155160486.00000000044BB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
                        Source: qemu-ga.exe, 00000003.00000002.3224563673.0000000002E31000.00000004.00000800.00020000.00000000.sdmp, qemu-ga.exe, 00000005.00000002.3224439455.0000000002271000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: qemu-ga.exe2!
                        Source: 7bXVSwc9dp.exe, 00000000.00000002.2160159846.0000000005A76000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\yj
                        Source: 7bXVSwc9dp.exe, 00000000.00000002.2164115712.00000000072B8000.00000004.00000020.00020000.00000000.sdmp, 7bXVSwc9dp.exe, 00000000.00000003.2149036097.00000000072B7000.00000004.00000020.00020000.00000000.sdmp, 7bXVSwc9dp.exe, 00000000.00000003.2148475586.00000000072AA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: sers\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exee
                        Source: qemu-ga.exe, 00000005.00000002.3223167225.00000000004EB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: FQC:/Users/user/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/qemu-ga.exe.configg&
                        Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.0000000003877000.00000004.00000800.00020000.00000000.sdmp, qemu-ga.exe, 00000003.00000002.3225201926.00007FF848E14000.00000004.00000800.00020000.00000000.sdmp, qemu-ga.exe, 00000003.00000000.2148201842.0000000000962000.00000002.00000001.01000000.00000007.sdmp, qemu-ga.exe, 00000005.00000002.3225241930.00007FF848E34000.00000004.00000800.00020000.00000000.sdmp, qemu-ga.exe, 00000005.00000002.3223167225.00000000004EB000.00000004.00000020.00020000.00000000.sdmp, qemu-ga.exe.0.drBinary or memory string: qemu-ga
                        Source: qemu-ga.exe, 00000003.00000002.3223012208.0000000000D5C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\qemu-ga.exe.log
                        Source: 7bXVSwc9dp.exe, 00000000.00000002.2150191036.0000000001190000.00000004.00000020.00040000.00000000.sdmpBinary or memory string: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe\??\C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exeen-GBenen-USMyApplication.appbb.
                        Source: 7bXVSwc9dp.exe, 00000000.00000002.2155160486.00000000045AB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: turbotax.intuit.comVMware20,11696428655t
                        Source: 7bXVSwc9dp.exe, 00000000.00000002.2160807057.0000000005ACE000.00000004.00000020.00020000.00000000.sdmp, 7bXVSwc9dp.exe, 00000000.00000003.2149088208.0000000005ACD000.00000004.00000020.00020000.00000000.sdmp, 7bXVSwc9dp.exe, 00000000.00000003.2148749486.0000000005AA1000.00000004.00000020.00020000.00000000.sdmp, 7bXVSwc9dp.exe, 00000000.00000002.2164115712.00000000072B8000.00000004.00000020.00020000.00000000.sdmp, 7bXVSwc9dp.exe, 00000000.00000003.2149036097.00000000072B7000.00000004.00000020.00020000.00000000.sdmp, 7bXVSwc9dp.exe, 00000000.00000002.2160159846.0000000005A76000.00000004.00000020.00020000.00000000.sdmp, 7bXVSwc9dp.exe, 00000000.00000003.2148475586.00000000072AA000.00000004.00000020.00020000.00000000.sdmp, 7bXVSwc9dp.exe, 00000000.00000002.2160584253.0000000005AA1000.00000004.00000020.00020000.00000000.sdmp, 7bXVSwc9dp.exe, 00000000.00000003.2148923577.0000000005AC1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: qemu-ga.exeH
                        Source: qemu-ga.exe, 00000003.00000002.3223012208.0000000000DC5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:/Users/user/AppData/Roaming/Microsoft/Windows/Start%20Menu/Programs/Startup/qemu-ga.exe.configl
                        Source: 7bXVSwc9dp.exe, 00000000.00000002.2155160486.00000000045AB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
                        Source: qemu-ga.exe, 00000003.00000002.3223012208.0000000000DC5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exen
                        Source: qemu-ga.exe, 00000005.00000002.3223167225.00000000004EB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: FQ\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe.configL
                        Source: 7bXVSwc9dp.exe, 00000000.00000002.2160002093.00000000059F0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \Registry\Machine\Software\Classes\Applications\qemu-ga.exe
                        Source: qemu-ga.exe, 00000003.00000002.3223012208.0000000000D5C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exeh
                        Source: 7bXVSwc9dp.exe, 00000000.00000003.2148970965.000000000149B000.00000004.00000020.00020000.00000000.sdmp, 7bXVSwc9dp.exe, 00000000.00000002.2150867701.000000000149C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exee
                        Source: 7bXVSwc9dp.exe, 00000000.00000002.2155160486.00000000045AB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - HKVMware20,11696428655]
                        Source: 7bXVSwc9dp.exe, 00000000.00000003.2148970965.000000000149B000.00000004.00000020.00020000.00000000.sdmp, 7bXVSwc9dp.exe, 00000000.00000002.2150867701.000000000149C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: file//C:UsersuserAppDataRoamingMicrosoftWindowsStart%20MenuProgramsStartupqemu-ga.exe{HTx
                        Source: qemu-ga.exe, 00000003.00000002.3223012208.0000000000DC5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: qemu-ga.exee
                        Source: 7bXVSwc9dp.exe, 00000000.00000002.2155160486.00000000044BB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
                        Source: 7bXVSwc9dp.exe, 00000000.00000002.2155160486.00000000044BB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: interactivebrokers.co.inVMware20,11696428655d
                        Source: qemu-ga.exe, 00000003.00000002.3223012208.0000000000D5C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exei
                        Source: qemu-ga.exe, 00000003.00000002.3223012208.0000000000DBF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: qemu-ga.exen
                        Source: 7bXVSwc9dp.exe, 00000000.00000002.2155160486.00000000044BB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: netportal.hdfcbank.comVMware20,11696428655
                        Source: qemu-ga.exe, 00000003.00000002.3223012208.0000000000DC5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: qemu-ga.exej
                        Source: 7bXVSwc9dp.exe, 00000000.00000003.2148970965.000000000149B000.00000004.00000020.00020000.00000000.sdmp, 7bXVSwc9dp.exe, 00000000.00000002.2150867701.000000000149C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start%20Menu\Programs\Startup\qemu-ga.exe^J7~
                        Source: 7bXVSwc9dp.exe, 00000000.00000002.2155160486.00000000045AB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Test URL for global passwords blocklistVMware20,11696428655
                        Source: 7bXVSwc9dp.exe, 00000000.00000002.2155160486.00000000045AB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696428655x
                        Source: 7bXVSwc9dp.exe, 00000000.00000002.2155160486.00000000044BB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696428655
                        Source: qemu-ga.exe, 00000003.00000002.3224563673.0000000002E31000.00000004.00000800.00020000.00000000.sdmp, qemu-ga.exe, 00000005.00000002.3224439455.0000000002271000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: `C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe.config`_!
                        Source: 7bXVSwc9dp.exe, 00000000.00000003.2148970965.000000000149B000.00000004.00000020.00020000.00000000.sdmp, 7bXVSwc9dp.exe, 00000000.00000002.2150867701.000000000149C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: file//C:UsersuserAppDataRoamingMicrosoftWindowsStart%20MenuProgramsStartupqemu-ga.exeSN
                        Source: 7bXVSwc9dp.exe, 00000000.00000002.2150906526.00000000014CB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: /C:/Users/user/AppData/Roaming/Microsoft/Windows/Start%20Menu/Programs/Startup/qemu-ga.exe
                        Source: qemu-ga.exe, 00000003.00000002.3223012208.0000000000DC5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: qemu-ga6
                        Source: 7bXVSwc9dp.exe, 00000000.00000002.2150906526.00000000014CB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: /C:/Users/user/AppData/Roaming/Microsoft/Windows/Start%20Menu/Programs/Startup/qemu-ga.exel
                        Source: qemu-ga.exe, 00000003.00000002.3223012208.0000000000D50000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Users\user\Desktop\C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe" C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exeWinsta0\Default
                        Source: 7bXVSwc9dp.exe, 00000000.00000002.2155160486.00000000044BB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office365.comVMware20,11696428655t
                        Source: 7bXVSwc9dp.exe, 00000000.00000002.2155160486.00000000045AB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696428655}
                        Source: qemu-ga.exe, 00000003.00000002.3223012208.0000000000D50000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Windows\Temp\AslLog_shimengstate_qemu-ga.exe_2828.txt
                        Source: qemu-ga.exe, 00000005.00000002.3223167225.00000000004EB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: file:///C:/Users/user/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/qemu-ga.exeig
                        Source: 7bXVSwc9dp.exe, 00000000.00000002.2155160486.00000000044BB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: account.microsoft.com/profileVMware20,11696428655u
                        Source: 7bXVSwc9dp.exe, 00000000.00000002.2155160486.00000000044BB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696428655}
                        Source: 7bXVSwc9dp.exe, 00000000.00000002.2150906526.00000000014CB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: /C:/Users/user/AppData/Roaming/Microsoft/Windows/Start%20Menu/Programs/Startup/qemu-ga.exer
                        Source: qemu-ga.exe, 00000005.00000002.3223981771.0000000000780000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: xC:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe]v
                        Source: 7bXVSwc9dp.exe, 00000000.00000002.2155160486.00000000045AB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
                        Source: 7bXVSwc9dp.exe, 00000000.00000002.2150906526.00000000014CB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exeF
                        Source: 7bXVSwc9dp.exe, 00000000.00000002.2155160486.00000000045AB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
                        Source: qemu-ga.exe, 00000005.00000002.3223167225.0000000000480000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: QHC:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe
                        Source: qemu-ga.exe, 00000005.00000002.3223167225.0000000000489000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exeJ
                        Source: 7bXVSwc9dp.exe, 00000000.00000002.2160002093.00000000059F0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe@
                        Source: 7bXVSwc9dp.exe, 00000000.00000002.2155160486.00000000045AB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.comVMware20,11696428655}
                        Source: qemu-ga.exe, 00000003.00000002.3223012208.0000000000D50000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Windows\Temp\AslLog_ApphelpDebug_qemu-ga.exe_2828.txt P
                        Source: 7bXVSwc9dp.exe, 00000000.00000002.2155160486.00000000045AB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: microsoft.visualstudio.comVMware20,11696428655x
                        Source: qemu-ga.exe, 00000003.00000002.3223012208.0000000000D5C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe.config2.dll
                        Source: 7bXVSwc9dp.exe, 00000000.00000003.2080444288.00000000014D6000.00000004.00000020.00020000.00000000.sdmp, 7bXVSwc9dp.exe, 00000000.00000003.2079482540.00000000014B7000.00000004.00000020.00020000.00000000.sdmp, 7bXVSwc9dp.exe, 00000000.00000002.2150906526.00000000014DB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                        Source: 7bXVSwc9dp.exe, 00000000.00000002.2155160486.00000000044BB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696428655x
                        Source: 7bXVSwc9dp.exe, 00000000.00000002.2155160486.00000000044BB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office.comVMware20,11696428655s
                        Source: qemu-ga.exe, 00000003.00000002.3223012208.0000000000D5C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe8
                        Source: qemu-ga.exe, 00000005.00000002.3223167225.00000000004EB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: FQC:/Users/user/AppData/Roaming/Microsoft/Windows/Start%20Menu/Programs/Startup/qemu-ga.exe.config
                        Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.0000000003877000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: $]qYC:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe
                        Source: qemu-ga.exe, 00000005.00000002.3223167225.0000000000489000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Isers\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\qemu-
                        Source: 7bXVSwc9dp.exe, 00000000.00000002.2155160486.00000000044BB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: tasks.office.comVMware20,11696428655o
                        Source: 7bXVSwc9dp.exe, 00000000.00000003.2148970965.000000000149B000.00000004.00000020.00020000.00000000.sdmp, 7bXVSwc9dp.exe, 00000000.00000002.2150867701.000000000149C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: nalFilenameqemu-ga.exe0
                        Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.0000000003877000.00000004.00000800.00020000.00000000.sdmp, qemu-ga.exe, 00000003.00000000.2148201842.0000000000962000.00000002.00000001.01000000.00000007.sdmp, qemu-ga.exe.0.drBinary or memory string: <Module>qemu-gamscorlibThreadConsoleReadLineDebuggableAttributeComVisibleAttributeAssemblyTitleAttributeAssemblyTrademarkAttributeTargetFrameworkAttributeAssemblyFileVersionAttributeAssemblyConfigurationAttributeAssemblyDescriptionAttributeCompilationRelaxationsAttributeAssemblyProductAttributeAssemblyCopyrightAttributeAssemblyCompanyAttributeRuntimeCompatibilityAttributeqemu-ga.exeSystem.ThreadingSystem.Runtime.VersioningProgramSystemMainSystem.ReflectionSleep.ctorSystem.DiagnosticsSystem.Runtime.InteropServicesSystem.Runtime.CompilerServicesDebuggingModesargsObject
                        Source: qemu-ga.exe, 00000005.00000002.3223167225.0000000000489000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe2
                        Source: qemu-ga.exe, 00000005.00000002.3223167225.0000000000489000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: qemu-ga.exenalfo0
                        Source: 7bXVSwc9dp.exe, 00000000.00000002.2155160486.00000000044BB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
                        Source: 7bXVSwc9dp.exe, 00000000.00000002.2155160486.00000000044BB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
                        Source: 7bXVSwc9dp.exe, 00000000.00000002.2150906526.00000000014CB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: /C:/Users/user/AppData/Roaming/Microsoft/Windows/Start%20Menu/Programs/Startup/qemu-ga.exeS
                        Source: 7bXVSwc9dp.exe, 00000000.00000002.2160002093.00000000059F0000.00000004.00000020.00020000.00000000.sdmp, qemu-ga.exe, 00000003.00000002.3223012208.0000000000D5C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe,
                        Source: qemu-ga.exe, 00000003.00000002.3223012208.0000000000DC5000.00000004.00000020.00020000.00000000.sdmp, qemu-ga.exe, 00000005.00000002.3223167225.00000000004EB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe.configg
                        Source: 7bXVSwc9dp.exe, 00000000.00000002.2155160486.00000000044BB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: trackpan.utiitsl.comVMware20,11696428655h
                        Source: qemu-ga.exe, 00000003.00000002.3223012208.0000000000DC5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe*
                        Source: qemu-ga.exe, 00000005.00000002.3223167225.00000000004EB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Pqemu-ga.exe
                        Source: 7bXVSwc9dp.exe, 00000000.00000002.2155160486.00000000044BB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: bankofamerica.comVMware20,11696428655x
                        Source: 7bXVSwc9dp.exe, 00000000.00000002.2160002093.00000000059F0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe35/t
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe | Code function: 0_2_004870D3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_004870D3
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe | Code function: 0_2_00481280 GetModuleHandleA,GetProcAddress,VirtualAlloc,NtUnmapViewOfSection,NtUnmapViewOfSection,LoadLibraryA,GetProcAddress,GetProcAddress,lstrlenW,CreateThread,Sleep,WaitForSingleObject, 0_2_00481280
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe | Code function: 0_2_00481280 mov eax, dword ptr fs:[00000030h] 0_2_00481280
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe | Code function: 0_2_0048BA56 GetProcessHeap, 0_2_0048BA56
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe | Code function: 0_2_0048482A SetUnhandledExceptionFilter, 0_2_0048482A
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe | Code function: 0_2_004870D3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_004870D3
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe | Code function: 0_2_004846CE IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_004846CE
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe | Code function: 0_2_00484B23 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00484B23
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe | Code function: 0_2_00484935 cpuid 0_2_00484935
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe VolumeInformation
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Users\user\Desktop\7bXVSwc9dp.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                        Source: C:\Users\user\Desktop\7bXVSwc9dp.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\7bXVSwc9dp.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\7bXVSwc9dp.exeCode function: 0_2_004845B5 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_004845B5
                        Source: C:\Users\user\Desktop\7bXVSwc9dp.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                        Source: 7bXVSwc9dp.exe, 00000000.00000003.2079066104.00000000072D8000.00000004.00000020.00020000.00000000.sdmp, 7bXVSwc9dp.exe, 00000000.00000003.2079312446.00000000072D8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                        Source: 7bXVSwc9dp.exe, 00000000.00000002.2150632778.0000000001466000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ogramFiles%\Windows Defender\MsMpeng.exe
                        Source: C:\Users\user\Desktop\7bXVSwc9dp.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
                        Source: C:\Users\user\Desktop\7bXVSwc9dp.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
                        Source: C:\Users\user\Desktop\7bXVSwc9dp.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
                        Source: C:\Users\user\Desktop\7bXVSwc9dp.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
                        Source: C:\Users\user\Desktop\7bXVSwc9dp.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
                        Source: C:\Users\user\Desktop\7bXVSwc9dp.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

                        Stealing of Sensitive Information

                        Source: Yara match | File source: 0.2.7bXVSwc9dp.exe.1280000.2.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.2.7bXVSwc9dp.exe.10efb1c.1.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.2.7bXVSwc9dp.exe.10efb1c.1.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 00000000.00000002.2150137777.00000000010EE000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000000.00000002.2150298072.0000000001282000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: dump.pcap, type: PCAP
                        Source: Yara match | File source: 0.2.7bXVSwc9dp.exe.1280000.2.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.2.7bXVSwc9dp.exe.10efb1c.1.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.2.7bXVSwc9dp.exe.10efb1c.1.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 00000000.00000002.2150137777.00000000010EE000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000000.00000002.2150298072.0000000001282000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000000.00000002.2152685133.00000000034BB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: Process Memory Space: 7bXVSwc9dp.exe PID: 6188, type: MEMORYSTR
                        Source: Yara match | File source: 0.2.7bXVSwc9dp.exe.1280000.2.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.2.7bXVSwc9dp.exe.10efb1c.1.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.2.7bXVSwc9dp.exe.10efb1c.1.raw.unpack, type: UNPACKEDPE
                        Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.00000000034BB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: hieplnfojfccegoloniefimmbfjdgcgp|Electrum
                        Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.00000000034BB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: mhonjhhcgphdphdjcdoeodfdliikapmj|Jaxx Liberty
                        Source: 7bXVSwc9dp.exe, 00000000.00000003.2086057490.00000000059F0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*w
                        Source: 7bXVSwc9dp.exe, 00000000.00000002.2152685133.00000000034BB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: EthereumE#
                        Source: 7bXVSwc9dp.exe, 00000000.00000003.2086057490.00000000059F0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \??\C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\*
                        Source: 7bXVSwc9dp.exe, 00000000.00000002.2150137777.00000000010EE000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: set_UseMachineKeyStore
                        Source: C:\Users\user\Desktop\7bXVSwc9dp.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
                        Source: C:\Users\user\Desktop\7bXVSwc9dp.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
                        Source: C:\Users\user\Desktop\7bXVSwc9dp.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                        Source: C:\Users\user\Desktop\7bXVSwc9dp.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                        Source: C:\Users\user\Desktop\7bXVSwc9dp.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                        Source: C:\Users\user\Desktop\7bXVSwc9dp.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                        Source: C:\Users\user\Desktop\7bXVSwc9dp.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                        Source: Yara match | File source: 00000000.00000002.2152685133.00000000034BB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: Process Memory Space: 7bXVSwc9dp.exe PID: 6188, type: MEMORYSTR

                        Remote Access Functionality

                        Source: Yara match | File source: 0.2.7bXVSwc9dp.exe.1280000.2.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.2.7bXVSwc9dp.exe.10efb1c.1.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.2.7bXVSwc9dp.exe.10efb1c.1.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 00000000.00000002.2150137777.00000000010EE000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000000.00000002.2150298072.0000000001282000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: dump.pcap, type: PCAP
                        Source: Yara match | File source: 0.2.7bXVSwc9dp.exe.1280000.2.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.2.7bXVSwc9dp.exe.10efb1c.1.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.2.7bXVSwc9dp.exe.10efb1c.1.raw.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 00000000.00000002.2150137777.00000000010EE000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000000.00000002.2150298072.0000000001282000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: 00000000.00000002.2152685133.00000000034BB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match | File source: Process Memory Space: 7bXVSwc9dp.exe PID: 6188, type: MEMORYSTR
                        Source: Yara match | File source: 0.2.7bXVSwc9dp.exe.1280000.2.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.2.7bXVSwc9dp.exe.10efb1c.1.unpack, type: UNPACKEDPE
                        Source: Yara match | File source: 0.2.7bXVSwc9dp.exe.10efb1c.1.raw.unpack, type: UNPACKEDPE

                        MITRE ATT&CK Matrix (techniques grouped by tactic column; numeric prefixes are kept as they appear in the matrix cells)

                        Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
                        Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
                        Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
                        Execution: 221 Windows Management Instrumentation; 1 Native API; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
                        Persistence: 12 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
                        Privilege Escalation: 11 Process Injection; 12 Registry Run Keys / Startup Folder; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
                        Defense Evasion: 1 Masquerading; 1 Disable or Modify Tools; 241 Virtualization/Sandbox Evasion; 11 Process Injection; 11 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 1 Software Packing; 1 Timestomp; 1 DLL Side-Loading
                        Credential Access: 1 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
                        Discovery: 1 System Time Discovery; 451 Security Software Discovery; 1 Process Discovery; 241 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 3 File and Directory Discovery; 124 System Information Discovery; System Owner/User Discovery; Network Sniffing
                        Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
                        Collection: 11 Archive Collected Data; 2 Data from Local System; 1 Clipboard Data; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
                        Command and Control: 1 Encrypted Channel; 1 Non-Standard Port; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
                        Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
                        Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement