Windows Analysis Report
Eclipse.exe

Overview

General Information

Sample name: Eclipse.exe
Analysis ID: 1387875
MD5: e94abe514202de0a3e24c0f45ccea8a6
SHA1: 27770fa35ea2ca6e1cd87f669e21f5e29cfaa381
SHA256: c11314504d04b9714c1c3992ca673486a5c8ac96b60fbc892b2f94204296b606
Tags: exe

Detection

AsyncRAT, PureLog Stealer, RHADAMANTHYS, RedLine, XWorm, zgRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected AntiVM3
Yara detected AsyncRAT
Yara detected PureLog Stealer
Yara detected RHADAMANTHYS Stealer
Yara detected RUNPE
Yara detected RedLine Stealer
Yara detected UAC Bypass using CMSTP
Yara detected XWorm
Yara detected zgRAT
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains very large array initializations
C2 URLs / IPs found in malware configuration
Checks if the current machine is a virtual machine (disk enumeration)
Drops PE files to the startup folder
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Process Patterns NTDS.DIT Exfil
Stores files to the Windows start menu directory
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64
  • Eclipse.exe (PID: 6356 cmdline: C:\Users\user\Desktop\Eclipse.exe MD5: E94ABE514202DE0A3E24C0F45CCEA8A6)
    • build.exe (PID: 6616 cmdline: "C:\Users\user\AppData\Local\Temp\build.exe" MD5: E5FB57E8214483FD395BD431CB3D1C4B)
      • conhost.exe (PID: 6644 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • qemu-ga.exe (PID: 6976 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe" MD5: A5CE3ABA68BDB438E98B1D0C70A3D95C)
    • Eclipse.exe (PID: 6808 cmdline: "C:\Users\user\AppData\Local\Temp\Eclipse.exe" MD5: D1B974D3816357532A0DE6B388C5C361)
      • main.exe (PID: 7004 cmdline: "C:\Users\user\AppData\Local\Temp\main.exe" MD5: E1E28C3ACF184AA364C9ED9A30AB7289)
        • dialer.exe (PID: 5264 cmdline: C:\Windows\system32\dialer.exe MD5: E4BD77FB64DDE78F1A95ECE09F6A9B85)
  • qemu-ga.exe (PID: 2696 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe" MD5: A5CE3ABA68BDB438E98B1D0C70A3D95C)
Name: AsyncRAT
Description: AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victim's computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Name: Rhadamanthys
Description: According to PCrisk, Rhadamanthys is a stealer-type malware, and as its name implies - it is designed to extract data from infected machines. At the time of writing, this malware is spread through malicious websites mirroring those of genuine software such as AnyDesk, Zoom, Notepad++, and others. Rhadamanthys is downloaded alongside the real program, thus diminishing immediate user suspicion. These sites were promoted through Google ads, which superseded the legitimate search results on the Google search engine.
Attribution: Sandworm
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.rhadamanthys

Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Name: XWorm
Description: Malware with a wide range of capabilities ranging from RAT to ransomware.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Name: zgRAT
Description: zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an infostealer use which targets browser information and cryptowallets. Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat
{"C2 url": "45.15.156.127:23000"}
Source | Rule | Description | Author | Strings
Eclipse.exe | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
Eclipse.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
Eclipse.exe | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
Eclipse.exe | JoeSecurity_RUNPE | Yara detected RUNPE | Joe Security
Eclipse.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x965380:$s6: VirtualBox
  • 0x9dc2f1:$s6: VirtualBox
  • 0x13c443:$s8: Win32_ComputerSystem
  • 0x9651fb:$s8: Win32_ComputerSystem
  • 0x9dc132:$s8: Win32_ComputerSystem
  • 0x9e5e65:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x9e5eb6:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x9e5f43:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x9e620e:$cnc4: POST / HTTP/1.1

Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_RedLine_1 | Yara detected RedLine Stealer | Joe Security
dump.pcap | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Temp\Eclipse.exe | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
C:\Users\user\AppData\Local\Temp\Eclipse.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
C:\Users\user\AppData\Local\Temp\Eclipse.exe | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
C:\Users\user\AppData\Local\Temp\Eclipse.exe | JoeSecurity_RUNPE | Yara detected RUNPE | Joe Security
C:\Users\user\AppData\Local\Temp\Eclipse.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x8e1f2c:$s6: VirtualBox
  • 0x958e9d:$s6: VirtualBox
  • 0xb8fef:$s8: Win32_ComputerSystem
  • 0x8e1da7:$s8: Win32_ComputerSystem
  • 0x958cde:$s8: Win32_ComputerSystem
  • 0x962a11:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x962a62:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x962aef:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x962dba:$cnc4: POST / HTTP/1.1

Source | Rule | Description | Author | Strings
00000000.00000003.1957687746.0000000004508000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
00000000.00000003.1957687746.0000000004508000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security
00000000.00000003.1957687746.0000000004508000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
00000000.00000003.1957687746.0000000004508000.00000004.00000020.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x91f54:$s6: VirtualBox
  • 0x108ec5:$s6: VirtualBox
  • 0x91dcf:$s8: Win32_ComputerSystem
  • 0x108d06:$s8: Win32_ComputerSystem
  • 0x112a39:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
  • 0x112a8a:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
  • 0x112b17:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
  • 0x112de2:$cnc4: POST / HTTP/1.1
00000004.00000003.1957976057.000000000357E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
(61 entries in total; only the first are shown here)

Source | Rule | Description | Author | Strings
2.2.build.exe.11d0000.2.unpack | JoeSecurity_zgRAT_1 | Yara detected zgRAT | Joe Security
2.2.build.exe.11d0000.2.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
2.2.build.exe.11d0000.2.unpack | JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security
2.2.build.exe.11d0000.2.unpack | MALWARE_Win_zgRAT | Detects zgRAT | ditekSHen
  • 0x39e6d:$s1: file:///
  • 0x39dc9:$s2: {11111-22222-10009-11112}
  • 0x39dfd:$s3: {11111-22222-50001-00000}
  • 0x3550a:$s4: get_Module
  • 0x35889:$s5: Reverse
  • 0x39082:$s6: BlockCopy
  • 0x35ba5:$s7: ReadByte
  • 0x39e7f:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
4.2.Eclipse.exe.40b854.2.raw.unpack | JoeSecurity_RUNPE | Yara detected RUNPE | Joe Security
(22 entries in total; only the first are shown here)

                                      System Summary

Source: File created, Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\build.exe, ProcessId: 6616, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe
Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Users\user\AppData\Local\Temp\build.exe", CommandLine: "C:\Users\user\AppData\Local\Temp\build.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\build.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\build.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\build.exe, ParentCommandLine: C:\Users\user\Desktop\Eclipse.exe, ParentImage: C:\Users\user\Desktop\Eclipse.exe, ParentProcessId: 6356, ParentProcessName: Eclipse.exe, ProcessCommandLine: "C:\Users\user\AppData\Local\Temp\build.exe", ProcessId: 6616, ProcessName: build.exe

Timestamp: 02/06/24-22:34:39.298551
Source IP: 192.168.2.4
Destination IP: 45.15.156.127
SID: 2046045
Source Port: 49732
Destination Port: 23000
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 02/06/24-22:34:40.756235
Source IP: 45.15.156.127
Destination IP: 192.168.2.4
SID: 2046056
Source Port: 23000
Destination Port: 49732
Protocol: TCP
Classtype: A Network Trojan was detected

                                      AV Detection

Source: Eclipse.exe, Avira: detected
Source: 45.15.156.127:23000, Avira URL Cloud: Label: malware
Source: https://95.214.55.177:2474/fae624c5418d6/black.api, Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Temp\Eclipse.exe, Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Local\Temp\main.exe, Avira: detection malicious, Label: TR/Dropper.Gen
Source: build.exe.6616.2.memstrmin, Malware Configuration Extractor: RedLine {"C2 url": "45.15.156.127:23000"}
Source: C:\Users\user\AppData\Local\Temp\main.exe, ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe, ReversingLabs: Detection: 34%
Source: Eclipse.exe, ReversingLabs: Detection: 92%
Source: C:\Users\user\AppData\Local\Temp\build.exe, Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\Eclipse.exe, Joe Sandbox ML: detected
Source: Eclipse.exe, Joe Sandbox ML: detected

                                      Exploits

Source: Yara match, File source: Eclipse.exe, type: SAMPLE
Source: Yara match, File source: 00000000.00000003.1957687746.0000000004508000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000003.1957976057.000000000357E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.1962250742.0000000000CDD000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.1972454739.00000000050A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.1968839571.0000000000C57000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000000.1954302368.0000000000C57000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000000.1938310489.0000000000CDD000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: Eclipse.exe PID: 6356, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: Eclipse.exe PID: 6808, type: MEMORYSTR
Source: Yara match, File source: C:\Users\user\AppData\Local\Temp\Eclipse.exe, type: DROPPED
Source: Eclipse.exe, Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
                                      Source: Binary string: wkernel32.pdb source: main.exe, 00000005.00000003.2006237385.0000000004A60000.00000004.00000001.00020000.00000000.sdmp, main.exe, 00000005.00000003.2006055953.0000000004940000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000008.00000003.2014548299.0000000005440000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000008.00000003.2014378662.0000000005320000.00000004.00000001.00020000.00000000.sdmp
                                      Source: Binary string: wkernelbase.pdb source: main.exe, 00000005.00000003.2007551741.0000000004B60000.00000004.00000001.00020000.00000000.sdmp, main.exe, 00000005.00000003.2006850734.0000000004940000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000008.00000003.2014885113.0000000005320000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000008.00000003.2015207102.0000000005540000.00000004.00000001.00020000.00000000.sdmp
                                      Source: Binary string: ntdll.pdb source: main.exe, 00000005.00000003.2003412116.0000000004940000.00000004.00000001.00020000.00000000.sdmp, main.exe, 00000005.00000003.2003839971.0000000004B30000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000008.00000003.2012924365.0000000005510000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000008.00000003.2012485074.0000000005320000.00000004.00000001.00020000.00000000.sdmp
                                      Source: Binary string: wntdll.pdbUGP source: main.exe, 00000005.00000003.2004969279.0000000004940000.00000004.00000001.00020000.00000000.sdmp, main.exe, 00000005.00000003.2005410533.0000000004AE0000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000008.00000003.2013494773.0000000005320000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000008.00000003.2013957455.00000000054C0000.00000004.00000001.00020000.00000000.sdmp
                                      Source: Binary string: ntdll.pdbUGP source: main.exe, 00000005.00000003.2003412116.0000000004940000.00000004.00000001.00020000.00000000.sdmp, main.exe, 00000005.00000003.2003839971.0000000004B30000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000008.00000003.2012924365.0000000005510000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000008.00000003.2012485074.0000000005320000.00000004.00000001.00020000.00000000.sdmp
                                      Source: Binary string: wntdll.pdb source: main.exe, 00000005.00000003.2004969279.0000000004940000.00000004.00000001.00020000.00000000.sdmp, main.exe, 00000005.00000003.2005410533.0000000004AE0000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000008.00000003.2013494773.0000000005320000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000008.00000003.2013957455.00000000054C0000.00000004.00000001.00020000.00000000.sdmp
                                      Source: Binary string: C:\Users\fondness\Desktop\Eclipse-RAT-main\Holy\Dark Worm\obj\Release\Eclipse.pdb source: Eclipse.exe, 00000000.00000003.1957687746.0000000004508000.00000004.00000020.00020000.00000000.sdmp, Eclipse.exe, 00000000.00000002.1962250742.0000000000CDD000.00000002.00000001.01000000.00000003.sdmp, Eclipse.exe, 00000004.00000003.1957976057.000000000357E000.00000004.00000020.00020000.00000000.sdmp, Eclipse.exe, 00000004.00000002.1968839571.0000000000C57000.00000002.00000001.01000000.00000006.sdmp
                                      Source: Binary string: wkernel32.pdbUGP source: main.exe, 00000005.00000003.2006237385.0000000004A60000.00000004.00000001.00020000.00000000.sdmp, main.exe, 00000005.00000003.2006055953.0000000004940000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000008.00000003.2014548299.0000000005440000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000008.00000003.2014378662.0000000005320000.00000004.00000001.00020000.00000000.sdmp
                                      Source: Binary string: wkernelbase.pdbUGP source: main.exe, 00000005.00000003.2007551741.0000000004B60000.00000004.00000001.00020000.00000000.sdmp, main.exe, 00000005.00000003.2006850734.0000000004940000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000008.00000003.2014885113.0000000005320000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000008.00000003.2015207102.0000000005540000.00000004.00000001.00020000.00000000.sdmp
Source: C:\Users\user\AppData\Local\Temp\build.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Source: C:\Users\user\AppData\Local\Temp\build.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Users\user\AppData\Local\Temp\build.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
Source: C:\Users\user\AppData\Local\Temp\build.exe, File opened: C:\Users\user\AppData\
Source: C:\Users\user\AppData\Local\Temp\build.exe, File opened: C:\Users\user\
Source: C:\Users\user\AppData\Local\Temp\build.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\

                                      Networking

Source: Traffic, Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) 192.168.2.4:49732 -> 45.15.156.127:23000
Source: Traffic, Snort IDS: 2046056 ET TROJAN Redline Stealer/MetaStealer Family Activity (Response) 45.15.156.127:23000 -> 192.168.2.4:49732
Source: Malware configuration extractor, URLs: 45.15.156.127:23000
Source: global traffic, TCP traffic: 192.168.2.4:49732 -> 45.15.156.127:23000
Source: Joe Sandbox View, IP Address: 45.15.156.127
Source: Joe Sandbox View, ASN Name: RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU
Source: unknown, TCP traffic detected without corresponding DNS query: 45.15.156.127
Source: build.exe, 00000002.00000002.2172010947.0000000003161000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: $dq3IndexedDB\https_www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
Source: build.exe, 00000002.00000002.2172010947.00000000031CB000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
Source: build.exe, 00000002.00000002.2172010947.00000000031CB000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
Source: build.exe, 00000002.00000002.2172010947.00000000031CB000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
Source: build.exe, 00000002.00000002.2172010947.00000000031CB000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: build.exe, 00000002.00000002.2172010947.00000000031CB000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: build.exe, 00000002.00000002.2172010947.00000000031CB000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
Source: build.exe, 00000002.00000002.2172010947.00000000031CB000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
Source: build.exe, 00000002.00000002.2172010947.00000000031CB000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
Source: build.exe, 00000002.00000002.2172010947.00000000031CB000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
Source: build.exe, 00000002.00000002.2172010947.00000000031CB000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
Source: build.exe, 00000002.00000002.2172010947.00000000031CB000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
Source: build.exe, 00000002.00000002.2172010947.00000000031CB000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
                                      Source: build.exe, 00000002.00000002.2172010947.00000000031CB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
                                      Source: build.exe, 00000002.00000002.2172010947.00000000031CB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
                                      Source: build.exe, 00000002.00000002.2172010947.00000000031CB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
                                      Source: build.exe, 00000002.00000002.2172010947.00000000031CB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
                                      Source: build.exe, 00000002.00000002.2172010947.00000000031CB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
                                      Source: build.exe, 00000002.00000002.2172010947.00000000031CB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
                                      Source: Eclipse.exe, Eclipse.exe.0.drString found in binary or memory: http://exmple.com%Open
                                      Source: Eclipse.exe, 00000000.00000003.1957687746.0000000004508000.00000004.00000020.00020000.00000000.sdmp, Eclipse.exe, 00000000.00000002.1962250742.0000000000CDD000.00000002.00000001.01000000.00000003.sdmp, Eclipse.exe, 00000004.00000003.1957976057.000000000357E000.00000004.00000020.00020000.00000000.sdmp, Eclipse.exe, 00000004.00000002.1968839571.0000000000C57000.00000002.00000001.01000000.00000006.sdmp, Eclipse.exe.0.drString found in binary or memory: http://ip-api.com/csv/?fields=status
                                      Source: Eclipse.exe, 00000000.00000003.1957687746.0000000004508000.00000004.00000020.00020000.00000000.sdmp, Eclipse.exe, 00000000.00000002.1962250742.0000000000CDD000.00000002.00000001.01000000.00000003.sdmp, Eclipse.exe, 00000004.00000003.1957976057.000000000357E000.00000004.00000020.00020000.00000000.sdmp, Eclipse.exe, 00000004.00000002.1968839571.0000000000C57000.00000002.00000001.01000000.00000006.sdmp, Eclipse.exe.0.drString found in binary or memory: http://ip-api.com/line/?fields=hosting
                                      Source: build.exe, 00000002.00000002.2171206892.000000000174E000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000003.2169000240.000000000174D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://purl.oen
                                      Source: build.exe, 00000002.00000002.2172010947.00000000031CB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
                                      Source: build.exe, 00000002.00000002.2172010947.00000000031CB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
                                      Source: build.exe, 00000002.00000002.2172010947.0000000003161000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
                                      Source: build.exe, 00000002.00000002.2172010947.0000000003161000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
                                      Source: build.exe, 00000002.00000002.2172010947.00000000031CB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/policy
                                      Source: build.exe, 00000002.00000002.2172010947.00000000031CB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/sc
                                      Source: build.exe, 00000002.00000002.2172010947.00000000031CB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
                                      Source: build.exe, 00000002.00000002.2172010947.00000000031CB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
                                      Source: build.exe, 00000002.00000002.2172010947.00000000031CB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
                                      Source: build.exe, 00000002.00000002.2172010947.00000000031CB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
                                      Source: build.exe, 00000002.00000002.2172010947.00000000031CB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
                                      Source: build.exe, 00000002.00000002.2172010947.00000000031CB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
                                      Source: build.exe, 00000002.00000002.2172010947.00000000031CB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
                                      Source: build.exe, 00000002.00000002.2172010947.00000000031CB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
                                      Source: build.exe, 00000002.00000002.2172010947.00000000031CB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
                                      Source: build.exe, 00000002.00000002.2172010947.00000000031CB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
                                      Source: build.exe, 00000002.00000002.2172010947.00000000031CB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
                                      Source: build.exe, 00000002.00000002.2172010947.00000000031CB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
                                      Source: build.exe, 00000002.00000002.2172010947.00000000031CB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
                                      Source: build.exe, 00000002.00000002.2172010947.00000000031CB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/06/addressingex
                                      Source: build.exe, 00000002.00000002.2172010947.0000000003161000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
                                      Source: build.exe, 00000002.00000002.2172010947.0000000003161000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
                                      Source: build.exe, 00000002.00000002.2172010947.0000000003161000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
                                      Source: build.exe, 00000002.00000002.2172010947.00000000031CB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat
                                      Source: build.exe, 00000002.00000002.2172010947.00000000031CB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
                                      Source: build.exe, 00000002.00000002.2172010947.00000000031CB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
                                      Source: build.exe, 00000002.00000002.2172010947.00000000031CB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
                                      Source: build.exe, 00000002.00000002.2172010947.00000000031CB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
                                      Source: build.exe, 00000002.00000002.2172010947.00000000031CB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
                                      Source: build.exe, 00000002.00000002.2172010947.00000000031CB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
                                      Source: build.exe, 00000002.00000002.2172010947.00000000031CB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
                                      Source: build.exe, 00000002.00000002.2172010947.00000000031CB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
                                      Source: build.exe, 00000002.00000002.2172010947.00000000031CB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
                                      Source: build.exe, 00000002.00000002.2172010947.00000000031CB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
                                      Source: build.exe, 00000002.00000002.2172010947.00000000031CB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
                                      Source: build.exe, 00000002.00000002.2172010947.00000000031CB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
                                      Source: build.exe, 00000002.00000002.2172010947.00000000031CB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor
                                      Source: build.exe, 00000002.00000002.2172010947.00000000031CB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
                                      Source: build.exe, 00000002.00000002.2172010947.00000000031CB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
                                      Source: build.exe, 00000002.00000002.2172010947.00000000031CB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
                                      Source: build.exe, 00000002.00000002.2172010947.00000000031CB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
                                      Source: build.exe, 00000002.00000002.2172010947.00000000031CB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
                                      Source: build.exe, 00000002.00000002.2172010947.0000000003161000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm
                                      Source: build.exe, 00000002.00000002.2172010947.0000000003161000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
                                      Source: build.exe, 00000002.00000002.2172010947.0000000003161000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
                                      Source: build.exe, 00000002.00000002.2172010947.0000000003161000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
                                      Source: build.exe, 00000002.00000002.2172010947.0000000003161000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
                                      Source: build.exe, 00000002.00000002.2172010947.0000000003161000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
                                      Source: build.exe, 00000002.00000002.2172010947.0000000003161000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
                                      Source: build.exe, 00000002.00000002.2172010947.00000000031CB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
                                      Source: build.exe, 00000002.00000002.2172010947.00000000031CB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
                                      Source: build.exe, 00000002.00000002.2172010947.00000000031CB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
                                      Source: build.exe, 00000002.00000002.2172010947.00000000031CB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
                                      Source: build.exe, 00000002.00000002.2172010947.00000000031CB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
                                      Source: build.exe, 00000002.00000002.2172010947.00000000031CB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
                                      Source: build.exe, 00000002.00000002.2172010947.00000000031CB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
                                      Source: build.exe, 00000002.00000002.2172010947.00000000031CB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
                                      Source: build.exe, 00000002.00000002.2172010947.00000000031CB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
                                      Source: build.exe, 00000002.00000002.2172010947.00000000031CB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
                                      Source: build.exe, 00000002.00000002.2172010947.00000000031CB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
                                      Source: build.exe, 00000002.00000002.2172010947.00000000031CB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
                                      Source: build.exe, 00000002.00000002.2172010947.00000000031CB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
                                      Source: build.exe, 00000002.00000002.2172010947.00000000031CB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
                                      Source: build.exe, 00000002.00000002.2172010947.00000000031CB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
                                      Source: build.exe, 00000002.00000002.2172010947.00000000031CB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
                                      Source: build.exe, 00000002.00000002.2172010947.00000000031CB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
                                      Source: build.exe, 00000002.00000002.2172010947.00000000031CB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
                                      Source: build.exe, 00000002.00000002.2172010947.00000000031CB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
                                      Source: build.exe, 00000002.00000002.2172010947.00000000031CB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
                                      Source: build.exe, 00000002.00000002.2172010947.00000000031CB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
                                      Source: build.exe, 00000002.00000002.2172010947.00000000031CB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
                                      Source: build.exe, 00000002.00000002.2172010947.00000000031CB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
                                      Source: build.exe, 00000002.00000002.2172010947.0000000003161000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
                                      Source: build.exe, 00000002.00000002.2172010947.00000000031CB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                                      Source: build.exe, 00000002.00000002.2172010947.0000000003161000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
                                      Source: build.exe, 00000002.00000002.2172010947.00000000031CB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
                                      Source: build.exe, 00000002.00000002.2172010947.0000000003161000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000002.2172010947.00000000031CB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/
                                      Source: build.exe, 00000002.00000002.2172010947.00000000031CB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/D
                                      Source: build.exe, 00000002.00000002.2172010947.0000000003161000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/RestAPI/TreeObject1
                                      Source: build.exe, 00000002.00000002.2172010947.0000000003161000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000002.2172010947.00000000031CB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/RestAPI/TreeObject1Response
                                      Source: build.exe, 00000002.00000002.2172010947.00000000031CB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/RestAPI/TreeObject1ResponseD
                                      Source: build.exe, 00000002.00000002.2172010947.0000000003161000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/RestAPI/TreeObject2
                                      Source: build.exe, 00000002.00000002.2172010947.0000000003161000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000002.2172010947.00000000031CB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/RestAPI/TreeObject2Response
                                      Source: build.exe, 00000002.00000002.2172010947.00000000031CB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/RestAPI/TreeObject2ResponseD
                                      Source: build.exe, 00000002.00000002.2172010947.0000000003161000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/RestAPI/TreeObject3
                                      Source: build.exe, 00000002.00000002.2172010947.00000000031CB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/RestAPI/TreeObject3Response
                                      Source: build.exe, 00000002.00000002.2172010947.00000000031CB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/RestAPI/TreeObject3ResponseD
                                      Source: build.exe, 00000002.00000002.2172010947.00000000031CB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.w3.o
                                      Source: dialer.exe, 00000008.00000002.2046686584.0000000002E9C000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: https://95.214.55.177:2474/fae624c5418d6/black.api
                                      Source: build.exe, 00000002.00000003.2126839769.00000000044BB000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000003.2126839769.0000000004376000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000003.2126839769.0000000004487000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000003.2126839769.00000000042CD000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000003.2126839769.00000000044D6000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000003.2126839769.0000000004242000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000003.2126839769.00000000042E9000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000003.2126839769.000000000435A000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000003.2126839769.000000000425C000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000003.2126839769.00000000043E7000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000003.2126839769.0000000004403000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000003.2130487490.000000000429B000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000003.2130487490.0000000004281000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                                      Source: build.exe, 00000002.00000002.2172010947.0000000003161000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ip.sb/ip
                                      Source: Eclipse.exe, 00000000.00000003.1957687746.0000000004508000.00000004.00000020.00020000.00000000.sdmp, Eclipse.exe, 00000000.00000002.1962250742.0000000000CDD000.00000002.00000001.01000000.00000003.sdmp, Eclipse.exe, 00000004.00000003.1957976057.000000000357E000.00000004.00000020.00020000.00000000.sdmp, Eclipse.exe, 00000004.00000002.1968839571.0000000000C57000.00000002.00000001.01000000.00000006.sdmp, Eclipse.exe.0.drString found in binary or memory: https://api.telegram.org/bot
                                      Source: Eclipse.exe, Eclipse.exe.0.drString found in binary or memory: https://blackhatbrazil7.000webhostapp.com/payload/Onedrive1.exe
                                      Source: Eclipse.exe, Eclipse.exe.0.drString found in binary or memory: https://blackhatbrazil7.000webhostapp.com/payload/Onedrive2.exe
                                      Source: Eclipse.exe, Eclipse.exe.0.drString found in binary or memory: https://blackhatbrazil7.000webhostapp.com/payload/Onedrive3.exe
                                      Source: Eclipse.exe, Eclipse.exe.0.drString found in binary or memory: https://blackhatbrazil7.000webhostapp.com/payload/apatedns.exe
                                      Source: Eclipse.exe, Eclipse.exe.0.drString found in binary or memory: https://blackhatbrazil7.000webhostapp.com/payload/eclipse.exe
                                      Source: Eclipse.exe, Eclipse.exe.0.drString found in binary or memory: https://blackhatbrazil7.000webhostapp.com/payload/eclipserem.exe
                                      Source: Eclipse.exe, Eclipse.exe.0.drString found in binary or memory: https://blackhatbrazil7.000webhostapp.com/payload/prompt.exewhttps://blackhatbrazil7.000webhostapp.c
                                      Source: Eclipse.exe, Eclipse.exe.0.drString found in binary or memory: https://blackhatbrazil7.000webhostapp.com/payload/scheduler.exe
                                      Source: Eclipse.exe, Eclipse.exe.0.drString found in binary or memory: https://blackhatbrazil7.000webhostapp.com/payload/taskmgr.exe
                                      Source: Eclipse.exe, Eclipse.exe.0.drString found in binary or memory: https://blackhatbrazil7.000webhostapp.com/payload/virustotal.exe/StartMenuExperience.exewhttps://bla
                                      Source: Eclipse.exe, Eclipse.exe.0.drString found in binary or memory: https://blackhatbrazil7.000webhostapp.com/payload/wireshark.exe
                                      Source: Eclipse.exe, Eclipse.exe.0.drString found in binary or memory: https://cdn-149.bayfiles.com/OclcZ1l0z8/d0138fe2-1681783305/eclipse-ring0.exe
Source: build.exe, 00000002.00000003.2126839769.00000000044BB000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000003.2126839769.0000000004376000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000003.2126839769.0000000004487000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000003.2126839769.00000000042CD000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000003.2126839769.00000000044D6000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000003.2126839769.0000000004242000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000003.2126839769.00000000042E9000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000003.2126839769.000000000435A000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000003.2126839769.000000000425C000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000003.2126839769.00000000043E7000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000003.2126839769.0000000004403000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000003.2130487490.000000000429B000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000003.2130487490.0000000004281000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: build.exe, 00000002.00000003.2126839769.00000000044BB000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000003.2126839769.0000000004376000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000003.2126839769.0000000004487000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000003.2126839769.00000000042CD000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000003.2126839769.00000000044D6000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000003.2126839769.0000000004242000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000003.2126839769.00000000042E9000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000003.2126839769.000000000435A000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000003.2126839769.000000000425C000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000003.2126839769.00000000043E7000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000003.2126839769.0000000004403000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000003.2130487490.000000000429B000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000003.2130487490.0000000004281000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: build.exe, 00000002.00000003.2126839769.00000000044BB000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000003.2126839769.0000000004376000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000003.2126839769.0000000004487000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000003.2126839769.00000000042CD000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000003.2126839769.00000000044D6000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000003.2126839769.0000000004242000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000003.2126839769.00000000042E9000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000003.2126839769.000000000435A000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000003.2126839769.000000000425C000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000003.2126839769.00000000043E7000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000003.2126839769.0000000004403000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000003.2130487490.000000000429B000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000003.2130487490.0000000004281000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: build.exe, 00000002.00000003.2126839769.00000000044BB000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000003.2126839769.0000000004376000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000003.2126839769.0000000004487000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000003.2126839769.00000000042CD000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000003.2126839769.00000000044D6000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000003.2126839769.0000000004242000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000003.2126839769.00000000042E9000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000003.2126839769.000000000435A000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000003.2126839769.000000000425C000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000003.2126839769.00000000043E7000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000003.2126839769.0000000004403000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000003.2130487490.000000000429B000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000003.2130487490.0000000004281000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: build.exe, 00000002.00000003.2126839769.0000000004376000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000003.2126839769.00000000044D6000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000003.2126839769.00000000042E9000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000003.2126839769.000000000425C000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000003.2126839769.0000000004403000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000003.2130487490.000000000429B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: build.exe, 00000002.00000003.2126839769.00000000044BB000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000003.2126839769.0000000004487000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000003.2126839769.00000000042CD000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000003.2126839769.0000000004242000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000003.2126839769.000000000435A000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000003.2126839769.00000000043E7000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000003.2130487490.0000000004281000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtabS
Source: build.exe, 00000002.00000003.2126839769.00000000044BB000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000003.2126839769.0000000004376000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000003.2126839769.0000000004487000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000003.2126839769.00000000042CD000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000003.2126839769.00000000044D6000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000003.2126839769.0000000004242000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000003.2126839769.00000000042E9000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000003.2126839769.000000000435A000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000003.2126839769.000000000425C000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000003.2126839769.00000000043E7000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000003.2126839769.0000000004403000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000003.2130487490.000000000429B000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000003.2130487490.0000000004281000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: Eclipse.exe, 00000000.00000003.1957687746.0000000004508000.00000004.00000020.00020000.00000000.sdmp, Eclipse.exe, 00000000.00000002.1962250742.0000000000CDD000.00000002.00000001.01000000.00000003.sdmp, Eclipse.exe, 00000004.00000003.1957976057.000000000357E000.00000004.00000020.00020000.00000000.sdmp, Eclipse.exe, 00000004.00000002.1968839571.0000000000C57000.00000002.00000001.01000000.00000006.sdmp, Eclipse.exe.0.dr | String found in binary or memory: https://hydromedusan-specia.000webhostapp.com/Jogo.exe
Source: Eclipse.exe, Eclipse.exe.0.dr | String found in binary or memory: https://keyauth.win/api/1.0/
Source: Eclipse.exe, Eclipse.exe.0.dr | String found in binary or memory: https://pastebin.com/
Source: Eclipse.exe, Eclipse.exe.0.dr | String found in binary or memory: https://pastebin.com/raw/IP:PORT
Source: Eclipse.exe, Eclipse.exe.0.dr | String found in binary or memory: https://pastebin.com/raw/Z7RmhSP8
Source: Eclipse.exe, Eclipse.exe.0.dr | String found in binary or memory: https://t.me/PegasusOrganization
Source: build.exe, 00000002.00000003.2126839769.00000000044BB000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000003.2126839769.0000000004376000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000003.2126839769.0000000004487000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000003.2126839769.00000000042CD000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000003.2126839769.00000000044D6000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000003.2126839769.0000000004242000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000003.2126839769.00000000042E9000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000003.2126839769.000000000435A000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000003.2126839769.000000000425C000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000003.2126839769.00000000043E7000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000003.2126839769.0000000004403000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000003.2130487490.000000000429B000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000003.2130487490.0000000004281000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
Source: build.exe, 00000002.00000003.2126839769.00000000044BB000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000003.2126839769.0000000004376000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000003.2126839769.0000000004487000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000003.2126839769.00000000042CD000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000003.2126839769.00000000044D6000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000003.2126839769.0000000004242000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000003.2126839769.00000000042E9000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000003.2126839769.000000000435A000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000003.2126839769.000000000425C000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000003.2126839769.00000000043E7000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000003.2126839769.0000000004403000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000003.2130487490.000000000429B000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000003.2130487490.0000000004281000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: Eclipse.exe, Eclipse.exe.0.dr | String found in binary or memory: https://www.google.com/maps/place/
Source: Eclipse.exe, Eclipse.exe.0.dr | String found in binary or memory: https://www.upload.ee/download/15126763/c1ad687c728c1cc43e68/eclipse-0.exe

                                      Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match | File source: Eclipse.exe, type: SAMPLE
Source: Yara match | File source: 00000000.00000003.1957687746.0000000004508000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000003.1957976057.000000000357E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1962250742.0000000000CDD000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1972454739.00000000050A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1968839571.0000000000C57000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.1954302368.0000000000C57000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.1938310489.0000000000CDD000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Eclipse.exe PID: 6356, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Eclipse.exe PID: 6808, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\Eclipse.exe, type: DROPPED
Source: main.exe, 00000005.00000003.2007551741.0000000004B60000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: DirectInput8Creatememstr_ac079524-f
Source: C:\Users\user\AppData\Local\Temp\build.exe | Window created: window name: CLIPBRDWNDCLASS
Source: main.exe, 00000005.00000003.2007551741.0000000004B60000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: GetRawInputDatamemstr_0233d94a-6
Source: Yara match | File source: 8.3.dialer.exe.5540000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.3.dialer.exe.5320000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.main.exe.4940000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.3.main.exe.4b60000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000008.00000003.2014885113.0000000005320000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000003.2015207102.0000000005540000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.2007551741.0000000004B60000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.2006850734.0000000004940000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: main.exe PID: 7004, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: dialer.exe PID: 5264, type: MEMORYSTR
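The URL strings listed in the previous group and the capture-related strings in this group (DirectInput8Create, GetRawInputData, the CLIPBRDWNDCLASS window) are the raw material an analyst pivots on. The script below is an added example, not part of the Joe Sandbox report or of any of the analysed samples: it pulls printable strings out of a dump, splits and classifies the URLs, and maps capture-related API names to the capability they imply. The classification buckets, the extra API names beyond the three the report lists (SetWindowsHookEx, GetAsyncKeyState, GetClipboardData, BitBlt, waveInOpen), and the sample buffer are the editor's assumptions; the buffer is constructed from strings quoted in the report so the output can be compared with the rows above.

```python
"""Triage helper for sandbox string output: URLs and capture-related API names.

Added example; not Joe Sandbox code. All labels below are heuristics (assumptions).
"""
import re
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# Printable-ASCII runs of at least 6 characters, the same idea as `strings -n 6`.
_STR_RE = re.compile(rb"[\x20-\x7e]{6,}")
# A URL runs until whitespace or a quote/bracket; back-to-back URLs are split first.
_URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Heuristic buckets (assumptions, not labels taken from the report).
DEAD_DROP_HOSTS = ("pastebin.com",)
MESSAGING_HOSTS = ("t.me",)
FREE_HOSTING_HOSTS = ("000webhostapp.com", "upload.ee")
SEARCH_PROVIDER_HOSTS = ("ecosia.org", "duckduckgo.com", "search.yahoo.com")

# Names the report's capture section surfaced, plus assumed companions, mapped to
# the capability they suggest when seen in a dump.
CAPTURE_MARKERS: Dict[str, str] = {
    "DirectInput8Create": "keyboard/mouse capture via DirectInput",
    "GetRawInputData": "keyboard/mouse capture via Raw Input",
    "SetWindowsHookEx": "keyboard/mouse hook",
    "GetAsyncKeyState": "key-state polling",
    "CLIPBRDWNDCLASS": "clipboard listener window",
    "GetClipboardData": "clipboard read",
    "BitBlt": "screen capture",
    "waveInOpen": "microphone capture",
}


def _is_host(host: str, suffix: str) -> bool:
    """True for the host itself or any subdomain of it (not 'notpastebin.com')."""
    return host == suffix or host.endswith("." + suffix)


def extract_strings(blob: bytes) -> List[str]:
    """Return printable ASCII strings (>= 6 chars) found in a dump or file."""
    return [m.group().decode("ascii") for m in _STR_RE.finditer(blob)]


def extract_urls(strings: List[str]) -> List[str]:
    """Pull http(s) URLs out of strings, de-duplicated, in first-seen order.

    Search-provider records sit in memory as 'https://.../favicon.icohttps://.../search?q='
    with no separator, so every scheme occurrence starts a new URL.
    """
    seen, urls = set(), []
    for s in strings:
        for part in re.split(r"(?=https?://)", s):
            m = _URL_RE.match(part)
            if m and m.group() not in seen:
                seen.add(m.group())
                urls.append(m.group())
    return urls


def classify_url(url: str) -> str:
    """Bucket a URL for triage. Labels are heuristics, not verdicts."""
    parsed = urlparse(url)
    host, path = parsed.netloc.lower(), parsed.path
    if "IP:PORT" in url:  # builder template left in the binary, not a live indicator
        return "template placeholder, not a live indicator"
    if any(_is_host(host, h) for h in DEAD_DROP_HOSTS):
        return "dead-drop resolver (raw paste)" if "/raw/" in path else "dead-drop resolver"
    if any(_is_host(host, h) for h in MESSAGING_HOSTS):
        return "messaging-platform link (actor contact or dead drop)"
    if any(_is_host(host, h) for h in FREE_HOSTING_HOSTS) and path.lower().endswith(".exe"):
        return "payload download from free hosting"
    if any(_is_host(host, h) for h in SEARCH_PROVIDER_HOSTS) or (
        _is_host(host, "google.com") and path.startswith("/images/")
    ):
        return "browser search-provider default (not C2)"
    return "unclassified"


def capture_capabilities(strings: List[str]) -> Dict[str, str]:
    """Map capture-related names present in the strings to capabilities.

    Substring matching tolerates tool suffixes such as 'DirectInput8Creatememstr_...'.
    """
    found: Dict[str, str] = {}
    for s in strings:
        for marker, meaning in CAPTURE_MARKERS.items():
            if marker in s:
                found[marker] = meaning
    return found


def triage(blob: bytes) -> Dict[str, object]:
    """Run both passes over a buffer and return labelled URLs plus capabilities."""
    strings = extract_strings(blob)
    labelled: List[Tuple[str, str]] = [(u, classify_url(u)) for u in extract_urls(strings)]
    return {"urls": labelled, "capabilities": capture_capabilities(strings)}


# Constructed sample buffer (not a real dump): strings the report lists, NUL-separated
# the way they sit in process memory.
SAMPLE_DUMP = b"\x00".join([
    b"https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=",
    b"https://duckduckgo.com/ac/?q=",
    b"https://pastebin.com/raw/Z7RmhSP8",
    b"https://pastebin.com/raw/IP:PORT",
    b"https://hydromedusan-specia.000webhostapp.com/Jogo.exe",
    b"https://t.me/PegasusOrganization",
    b"DirectInput8Creatememstr_ac079524-f",
    b"GetRawInputDatamemstr_0233d94a-6",
    b"CLIPBRDWNDCLASS",
])

if __name__ == "__main__":
    result = triage(SAMPLE_DUMP)
    for url, label in result["urls"]:
        print(f"{label:55} {url}")
    for marker, meaning in result["capabilities"].items():
        print(f"{marker:20} -> {meaning}")
```

Two caveats the buckets encode: the ecosia, duckduckgo, yahoo and google favicon URLs match Chromium's built-in search-provider entries and show up in build.exe because it parses browser profile data, so they are not C2 and should not be blocked on that basis; the pastebin raw paste is the dead-drop resolver worth pivoting on, while the IP:PORT form is the builder's placeholder and only tells you which family template was used.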

                                      System Summary

Source: Eclipse.exe, type: SAMPLE | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 2.2.build.exe.11d0000.2.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT Author: ditekSHen
Source: 2.2.build.exe.10afae4.1.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT Author: ditekSHen
Source: 2.2.build.exe.10afae4.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects zgRAT Author: ditekSHen
Source: 00000000.00000003.1957687746.0000000004508000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000004.00000003.1957976057.000000000357E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.1962250742.0000000000CDD000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.1972454739.00000000050A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000004.00000002.1968839571.0000000000C57000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000004.00000000.1954302368.0000000000C57000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000000.1938310489.0000000000CDD000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: Process Memory Space: Eclipse.exe PID: 6356, type: MEMORYSTR | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: Process Memory Space: Eclipse.exe PID: 6808, type: MEMORYSTR | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\Eclipse.exe, type: DROPPED | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 2.2.build.exe.10afae4.1.raw.unpack, Strings.cs | Large array initialization: Strings: array initializer size 6160
Source: C:\Users\user\AppData\Local\Temp\build.exe | Code function: 2_2_00202CE0
Source: C:\Users\user\AppData\Local\Temp\build.exe | Code function: 2_2_0021E5B9
Source: C:\Users\user\AppData\Local\Temp\build.exe | Code function: 2_2_02F40B98
Source: C:\Users\user\AppData\Local\Temp\build.exe | Code function: 2_2_02F40B89
Source: C:\Users\user\AppData\Local\Temp\build.exe | Code function: 2_2_02F40910
Source: C:\Users\user\AppData\Local\Temp\build.exe | Code function: 2_2_02F40900
Source: C:\Users\user\AppData\Local\Temp\build.exe | Code function: 2_2_0574E940
Source: C:\Users\user\AppData\Local\Temp\build.exe | Code function: 2_2_057450B1
Source: C:\Users\user\AppData\Local\Temp\build.exe | Code function: 2_2_05745830
Source: C:\Users\user\AppData\Local\Temp\build.exe | Code function: 2_2_057498EC
Source: C:\Users\user\AppData\Local\Temp\build.exe | Code function: 2_2_057498EC
Source: C:\Users\user\AppData\Local\Temp\build.exe | Code function: 2_2_057498EC
Source: C:\Users\user\AppData\Local\Temp\build.exe | Code function: 2_2_05790040
Source: C:\Users\user\AppData\Local\Temp\build.exe | Code function: 2_2_0579D0E8
Source: C:\Users\user\AppData\Local\Temp\build.exe | Code function: 2_2_05794D00
Source: C:\Users\user\AppData\Local\Temp\build.exe | Code function: 2_2_0579EB60
Source: C:\Users\user\AppData\Local\Temp\build.exe | Code function: 2_2_057AB318
Source: C:\Users\user\AppData\Local\Temp\build.exe | Code function: 2_2_057A92C8
Source: C:\Users\user\AppData\Local\Temp\build.exe | Code function: 2_2_057A6E20
Source: C:\Users\user\AppData\Local\Temp\build.exe | Code function: 2_2_057AAED8
Source: C:\Users\user\AppData\Local\Temp\build.exe | Code function: 2_2_057A6528
Source: C:\Users\user\AppData\Local\Temp\build.exe | Code function: 2_2_057B55A0
Source: C:\Users\user\AppData\Local\Temp\build.exe | Code function: 2_2_057B5593
Source: C:\Users\user\AppData\Local\Temp\build.exe | Code function: 2_2_057B0040
Source: C:\Users\user\AppData\Local\Temp\build.exe | Code function: 2_2_057B0007
Source: C:\Users\user\AppData\Local\Temp\build.exe | Code function: 2_2_057F1300
Source: C:\Users\user\AppData\Local\Temp\build.exe | Code function: 2_2_057F5F78
Source: C:\Users\user\AppData\Local\Temp\build.exe | Code function: 2_2_057F6848
Source: C:\Users\user\AppData\Local\Temp\build.exe | Code function: 2_2_057F12F1
Source: C:\Users\user\AppData\Local\Temp\build.exe | Code function: 2_2_057F5C30
Source: C:\Users\user\AppData\Local\Temp\build.exe | Code function: 2_2_065B3F50
Source: C:\Users\user\AppData\Local\Temp\build.exe | Code function: 2_2_065B6FF8
Source: C:\Users\user\AppData\Local\Temp\build.exe | Code function: 2_2_065B6FEA
Source: C:\Users\user\AppData\Local\Temp\build.exe | Code function: 2_2_065B6868
Source: C:\Users\user\AppData\Local\Temp\build.exe | Code function: 2_2_065BF598
Source: C:\Users\user\AppData\Local\Temp\build.exe | Code function: 2_2_065BF587
Source: C:\Users\user\AppData\Local\Temp\main.exe | Code function: 5_2_00DF2F40
Source: C:\Users\user\AppData\Local\Temp\main.exe | Code function: 5_2_00DF2640
Source: C:\Users\user\AppData\Local\Temp\main.exe | Code function: 5_2_00DF1A40
Source: C:\Users\user\AppData\Local\Temp\main.exe | Code function: 5_2_00DF1FA0
Source: C:\Users\user\AppData\Local\Temp\main.exe | Code function: 5_2_00DF1710
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\main.exe 03C72CFABACE07B6787D2D1FD66D6D6D9A2FBCB74A827CA4AB7E59ABA40CB306
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe 9B860BE98A046EA97A7F67B006E0B1BC9AB7731DD2A0F3A9FD3D710F6C43278A
Source: C:\Users\user\AppData\Local\Temp\build.exe | Code function: String function: 002099A0 appears 48 times
Source: C:\Users\user\AppData\Local\Temp\build.exe | Code function: String function: 00205D90 appears 45 times
Source: Eclipse.exe | Static PE information: Resource name: RT_RCDATA type: PE32 executable (console) Intel 80386, for MS Windows
Source: Eclipse.exe | Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: Eclipse.exe, 00000000.00000003.1957687746.0000000004508000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameFlashDevelop.exe vs Eclipse.exe
Source: Eclipse.exe, 00000000.00000002.1962250742.0000000000CDD000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameFlashDevelop.exe vs Eclipse.exe
Source: Eclipse.exe, 00000004.00000002.1977993681.0000000002D7B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameFlashDevelop.exe vs Eclipse.exe
Source: Eclipse.exe, 00000004.00000002.1968839571.0000000000C57000.00000002.00000001.01000000.00000006.sdmp | Binary or memory string: OriginalFilenameFlashDevelop.exe vs Eclipse.exe
Source: Eclipse.exe, 00000004.00000002.1977520819.000000000119E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameFlashDevelop.exe vs Eclipse.exe
Source: C:\Users\user\Desktop\Eclipse.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Eclipse.exe | Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\Eclipse.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Eclipse.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Eclipse.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Eclipse.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Eclipse.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Eclipse.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Eclipse.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\Eclipse.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\Eclipse.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\Eclipse.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\Eclipse.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\Eclipse.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Eclipse.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Eclipse.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Eclipse.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\Eclipse.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\Eclipse.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\Eclipse.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Eclipse.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\Eclipse.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\Eclipse.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe | Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe | Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe | Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe | Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe | Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe | Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\build.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\Eclipse.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\Eclipse.exe | Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\Eclipse.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\Eclipse.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\Eclipse.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\Eclipse.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\Eclipse.exe | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\Eclipse.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\Eclipse.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\Eclipse.exe | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\Eclipse.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\Eclipse.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\Eclipse.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\Eclipse.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\Eclipse.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\Eclipse.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\Eclipse.exe | Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\Eclipse.exe | Section loaded: bcp47langs.dll
                                      Source: C:\Users\user\AppData\Local\Temp\Eclipse.exeSection loaded: slc.dllJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\Eclipse.exeSection loaded: userenv.dllJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\Eclipse.exeSection loaded: sppc.dllJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\Eclipse.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\Eclipse.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\main.exeSection loaded: apphelp.dllJump to behavior
                                      Source: C:\Windows\SysWOW64\dialer.exeSection loaded: tapi32.dllJump to behavior
                                      Source: C:\Windows\SysWOW64\dialer.exeSection loaded: kernel.appcore.dllJump to behavior
                                      Source: C:\Windows\SysWOW64\dialer.exeSection loaded: wbemcomn.dllJump to behavior
                                      Source: C:\Windows\SysWOW64\dialer.exeSection loaded: amsi.dllJump to behavior
                                      Source: C:\Windows\SysWOW64\dialer.exeSection loaded: userenv.dllJump to behavior
                                      Source: C:\Windows\SysWOW64\dialer.exeSection loaded: profapi.dllJump to behavior
                                      Source: C:\Windows\SysWOW64\dialer.exeSection loaded: version.dllJump to behavior
                                      Source: C:\Windows\SysWOW64\dialer.exeSection loaded: uxtheme.dllJump to behavior
                                      Source: C:\Windows\SysWOW64\dialer.exeSection loaded: windows.storage.dllJump to behavior
                                      Source: C:\Windows\SysWOW64\dialer.exeSection loaded: wldp.dllJump to behavior
                                      Source: C:\Windows\SysWOW64\dialer.exeSection loaded: sspicli.dllJump to behavior
                                      Source: C:\Windows\SysWOW64\dialer.exeSection loaded: mpr.dllJump to behavior
                                      Source: C:\Windows\SysWOW64\dialer.exeSection loaded: powrprof.dllJump to behavior
                                      Source: C:\Windows\SysWOW64\dialer.exeSection loaded: umpdc.dllJump to behavior
                                      Source: C:\Windows\SysWOW64\dialer.exeSection loaded: devobj.dllJump to behavior
                                      Source: C:\Windows\SysWOW64\dialer.exeSection loaded: msasn1.dllJump to behavior
                                      Source: C:\Windows\SysWOW64\dialer.exeSection loaded: wbemcomn.dllJump to behavior
                                      Source: C:\Windows\SysWOW64\dialer.exeSection loaded: wbemcomn.dllJump to behavior
                                      Source: C:\Windows\SysWOW64\dialer.exeSection loaded: wbemcomn.dllJump to behavior
                                      Source: C:\Windows\SysWOW64\dialer.exeSection loaded: wbemcomn.dllJump to behavior
                                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exeSection loaded: mscoree.dllJump to behavior
                                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exeSection loaded: apphelp.dllJump to behavior
                                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exeSection loaded: kernel.appcore.dllJump to behavior
                                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exeSection loaded: version.dllJump to behavior
                                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exeSection loaded: mscoree.dllJump to behavior
                                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exeSection loaded: kernel.appcore.dllJump to behavior
                                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exeSection loaded: version.dllJump to behavior
                                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                      Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: Eclipse.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: Eclipse.exe, type: SAMPLE | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 2.2.build.exe.11d0000.2.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 2.2.build.exe.10afae4.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 2.2.build.exe.10afae4.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 00000000.00000003.1957687746.0000000004508000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000004.00000003.1957976057.000000000357E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.1962250742.0000000000CDD000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.1972454739.00000000050A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000004.00000002.1968839571.0000000000C57000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000004.00000000.1954302368.0000000000C57000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000000.1938310489.0000000000CDD000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: Process Memory Space: Eclipse.exe PID: 6356, type: MEMORYSTR | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: Process Memory Space: Eclipse.exe PID: 6808, type: MEMORYSTR | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Local\Temp\Eclipse.exe, type: DROPPED | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 2.2.build.exe.10afae4.1.raw.unpack, Strings.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.build.exe.10afae4.1.raw.unpack, WdBnEYAg1nRyqJHbk0Q.cs | Cryptographic APIs: 'CreateDecryptor'
Source: classification engine | Classification label: mal100.troj.adwa.spyw.expl.evad.winEXE@13/5@0/1
Source: C:\Users\user\AppData\Local\Temp\build.exe | File created: C:\Users\user\AppData\Local\Microsoft\Wind?ws
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6644:120:WilError_03
Source: C:\Windows\SysWOW64\dialer.exe | Mutant created: \Sessions\1\BaseNamedObjects\MSCTF.Asm.{00000009-4fb3f26-9d18-66b568-627b8a85e4b6}
Source: C:\Users\user\Desktop\Eclipse.exe | File created: C:\Users\user\AppData\Local\Temp\build.exe
Source: Eclipse.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.87%
Source: C:\Users\user\AppData\Local\Temp\build.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\build.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\AppData\Local\Temp\build.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\Desktop\Eclipse.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Eclipse.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: build.exe, 00000002.00000002.2172010947.000000000376C000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000002.2172010947.0000000003746000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000002.2172010947.000000000375E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: Eclipse.exe | ReversingLabs: Detection: 92%
Source: Eclipse.exe | String found in binary or memory: bglqgirapporra%black-stop-icon-26
Source: Eclipse.exe | String found in binary or memory: KeyLogger5RunToolStripMenuItem.Image)RunToolStripMenuItem9StopToolStripMenuItem2.Image-StopToolStripMenuItem25GetToolStripMenuItem.Image)GetToolStripMenuItem
Source: Eclipse.exe | String found in binary or memory: Successfully!%Ngrok Installer : /Installed Successfully!
Source: C:\Users\user\AppData\Local\Temp\main.exe | Evasive API call chain: __getmainargs,DecisionNodes,exit
Source: unknown | Process created: C:\Users\user\Desktop\Eclipse.exe C:\Users\user\Desktop\Eclipse.exe
Source: C:\Users\user\Desktop\Eclipse.exe | Process created: C:\Users\user\AppData\Local\Temp\build.exe "C:\Users\user\AppData\Local\Temp\build.exe"
Source: C:\Users\user\AppData\Local\Temp\build.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Eclipse.exe | Process created: C:\Users\user\AppData\Local\Temp\Eclipse.exe "C:\Users\user\AppData\Local\Temp\Eclipse.exe"
Source: C:\Users\user\AppData\Local\Temp\Eclipse.exe | Process created: C:\Users\user\AppData\Local\Temp\main.exe "C:\Users\user\AppData\Local\Temp\main.exe"
Source: C:\Users\user\AppData\Local\Temp\main.exe | Process created: C:\Windows\SysWOW64\dialer.exe C:\Windows\system32\dialer.exe
Source: C:\Users\user\AppData\Local\Temp\build.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"
Source: C:\Users\user\Desktop\Eclipse.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: Eclipse.exe | Static file information: File size 12683776 > 1048576
Source: Eclipse.exe | Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0xc16800
                                      Source: Binary string: wkernel32.pdb source: main.exe, 00000005.00000003.2006237385.0000000004A60000.00000004.00000001.00020000.00000000.sdmp, main.exe, 00000005.00000003.2006055953.0000000004940000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000008.00000003.2014548299.0000000005440000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000008.00000003.2014378662.0000000005320000.00000004.00000001.00020000.00000000.sdmp
                                      Source: Binary string: wkernelbase.pdb source: main.exe, 00000005.00000003.2007551741.0000000004B60000.00000004.00000001.00020000.00000000.sdmp, main.exe, 00000005.00000003.2006850734.0000000004940000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000008.00000003.2014885113.0000000005320000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000008.00000003.2015207102.0000000005540000.00000004.00000001.00020000.00000000.sdmp
                                      Source: Binary string: ntdll.pdb source: main.exe, 00000005.00000003.2003412116.0000000004940000.00000004.00000001.00020000.00000000.sdmp, main.exe, 00000005.00000003.2003839971.0000000004B30000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000008.00000003.2012924365.0000000005510000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000008.00000003.2012485074.0000000005320000.00000004.00000001.00020000.00000000.sdmp
                                      Source: Binary string: wntdll.pdbUGP source: main.exe, 00000005.00000003.2004969279.0000000004940000.00000004.00000001.00020000.00000000.sdmp, main.exe, 00000005.00000003.2005410533.0000000004AE0000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000008.00000003.2013494773.0000000005320000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000008.00000003.2013957455.00000000054C0000.00000004.00000001.00020000.00000000.sdmp
                                      Source: Binary string: ntdll.pdbUGP source: main.exe, 00000005.00000003.2003412116.0000000004940000.00000004.00000001.00020000.00000000.sdmp, main.exe, 00000005.00000003.2003839971.0000000004B30000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000008.00000003.2012924365.0000000005510000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000008.00000003.2012485074.0000000005320000.00000004.00000001.00020000.00000000.sdmp
                                      Source: Binary string: wntdll.pdb source: main.exe, 00000005.00000003.2004969279.0000000004940000.00000004.00000001.00020000.00000000.sdmp, main.exe, 00000005.00000003.2005410533.0000000004AE0000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000008.00000003.2013494773.0000000005320000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000008.00000003.2013957455.00000000054C0000.00000004.00000001.00020000.00000000.sdmp
                                      Source: Binary string: C:\Users\fondness\Desktop\Eclipse-RAT-main\Holy\Dark Worm\obj\Release\Eclipse.pdb source: Eclipse.exe, 00000000.00000003.1957687746.0000000004508000.00000004.00000020.00020000.00000000.sdmp, Eclipse.exe, 00000000.00000002.1962250742.0000000000CDD000.00000002.00000001.01000000.00000003.sdmp, Eclipse.exe, 00000004.00000003.1957976057.000000000357E000.00000004.00000020.00020000.00000000.sdmp, Eclipse.exe, 00000004.00000002.1968839571.0000000000C57000.00000002.00000001.01000000.00000006.sdmp
                                      Source: Binary string: wkernel32.pdbUGP source: main.exe, 00000005.00000003.2006237385.0000000004A60000.00000004.00000001.00020000.00000000.sdmp, main.exe, 00000005.00000003.2006055953.0000000004940000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000008.00000003.2014548299.0000000005440000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000008.00000003.2014378662.0000000005320000.00000004.00000001.00020000.00000000.sdmp
                                      Source: Binary string: wkernelbase.pdbUGP source: main.exe, 00000005.00000003.2007551741.0000000004B60000.00000004.00000001.00020000.00000000.sdmp, main.exe, 00000005.00000003.2006850734.0000000004940000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000008.00000003.2014885113.0000000005320000.00000004.00000001.00020000.00000000.sdmp, dialer.exe, 00000008.00000003.2015207102.0000000005540000.00000004.00000001.00020000.00000000.sdmp
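The process-creation rows above describe a four-level chain: the submitted Eclipse.exe runs build.exe and a second Eclipse.exe out of %TEMP%; build.exe starts qemu-ga.exe from the Startup folder; the Temp Eclipse.exe runs main.exe, which then starts the legitimate Windows binary C:\Windows\SysWOW64\dialer.exe (whose later behaviour in this report, loading wbemcomn.dll and amsi.dll and issuing WMI calls, is not what dialer.exe does on its own). The Python below is an added example and not part of the Joe Sandbox report: it parses the rows into a tree and applies two triage rules an analyst would want automated, "system binary spawned by a process running from a user-writable directory" and "executable run from the Startup folder". The rows are copied from the report with a " | " separator between the Source column and the finding; the directory prefixes, the conhost.exe allow-list and the rule names are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed input: the "Process created" rows of the report, with " | " inserted
# between the Source column and the finding. "unknown" is the sandbox's root parent.
REPORT_ROWS = r"""
Source: unknown | Process created: C:\Users\user\Desktop\Eclipse.exe C:\Users\user\Desktop\Eclipse.exe
Source: C:\Users\user\Desktop\Eclipse.exe | Process created: C:\Users\user\AppData\Local\Temp\build.exe "C:\Users\user\AppData\Local\Temp\build.exe"
Source: C:\Users\user\AppData\Local\Temp\build.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Eclipse.exe | Process created: C:\Users\user\AppData\Local\Temp\Eclipse.exe "C:\Users\user\AppData\Local\Temp\Eclipse.exe"
Source: C:\Users\user\AppData\Local\Temp\Eclipse.exe | Process created: C:\Users\user\AppData\Local\Temp\main.exe "C:\Users\user\AppData\Local\Temp\main.exe"
Source: C:\Users\user\AppData\Local\Temp\main.exe | Process created: C:\Windows\SysWOW64\dialer.exe C:\Windows\system32\dialer.exe
Source: C:\Users\user\AppData\Local\Temp\build.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"
Source: C:\Users\user\AppData\Local\Temp\main.exe | Process created: C:\Windows\SysWOW64\dialer.exe C:\Windows\system32\dialer.exe
"""

# The image path is the first token ending in .exe; the rest of the row is the command line.
ROW_RE = re.compile(
    r"^Source:\s*(?P<parent>.+?)\s*\|\s*Process created:\s*(?P<child>.+?\.exe)(?:\s+(?P<cmdline>.*))?$",
    re.IGNORECASE,
)

USER_WRITABLE = ("c:\\users\\",)                                     # assumption: anything under a profile
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")  # assumption: Windows system binaries
BENIGN_SYSTEM_CHILDREN = {"conhost.exe"}   # console host is started for every console application
STARTUP_DIR = "\\start menu\\programs\\startup\\"


def parse_rows(text: str):
    """Return de-duplicated (parent, child, cmdline) edges; the report lists each creation twice."""
    edges, seen = [], set()
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        key = (m["parent"].lower(), m["child"].lower())
        if key in seen:
            continue
        seen.add(key)
        edges.append((m["parent"], m["child"], m["cmdline"] or ""))
    return edges


def build_tree(edges):
    """Map each parent image path to the children it created, in report order."""
    children = defaultdict(list)
    for parent, child, _ in edges:
        children[parent].append(child)
    return children


def render_tree(children, node="unknown", depth=0, out=None):
    """Indented text rendering of the process tree below `node`."""
    out = [] if out is None else out
    for child in children.get(node, []):
        out.append("  " * depth + child)
        render_tree(children, child, depth + 1, out)
    return out


def flag_edges(edges):
    """Apply the two triage rules and return (rule, parent, child) findings."""
    findings = []
    for parent, child, _ in edges:
        p, c = parent.lower(), child.lower()
        name = c.rsplit("\\", 1)[-1]
        if p.startswith(USER_WRITABLE) and c.startswith(SYSTEM_DIRS) and name not in BENIGN_SYSTEM_CHILDREN:
            findings.append(("system binary spawned from a user-writable path", parent, child))
        if STARTUP_DIR in c:
            findings.append(("executable run from the Startup folder", parent, child))
    return findings


if __name__ == "__main__":
    edges = parse_rows(REPORT_ROWS)
    print("\n".join(render_tree(build_tree(edges))))
    for rule, parent, child in flag_edges(edges):
        print(f"[{rule}] {parent} -> {child}")
```

Run as a script it prints the tree and three findings: main.exe starting dialer.exe, and the two launches of qemu-ga.exe from the Startup folder. The "unknown" parent on the second qemu-ga.exe launch is how the sandbox records a process whose parent it did not observe, here the logon start of the persistence copy.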

                                      Data Obfuscation

Source: 2.2.build.exe.10afae4.1.raw.unpack, WdBnEYAg1nRyqJHbk0Q.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: qemu-ga.exe.2.dr | Static PE information: 0x845C0092 [Mon May 14 15:26:10 2040 UTC]
Source: C:\Users\user\AppData\Local\Temp\build.exe | Code function: 2_2_00202F90 VirtualAlloc,LoadLibraryA,GetProcAddress,GetProcAddress,lstrlenW,CreateThread,Sleep,WaitForSingleObject,2_2_00202F90
Source: main.exe.4.dr | Static PE information: section name: .textbss
Source: C:\Users\user\AppData\Local\Temp\build.exe | Code function: 2_2_00205710 push eax; ret 2_2_00205C31
Source: C:\Users\user\AppData\Local\Temp\build.exe | Code function: 2_2_00221C15 push ecx; ret 2_2_00221C28
Source: C:\Users\user\AppData\Local\Temp\build.exe | Code function: 2_2_02F4E0CA pushad ; iretd 2_2_02F4E249
Source: C:\Users\user\AppData\Local\Temp\build.exe | Code function: 2_2_02F4B590 push 00000005h; ret 2_2_02F4B5A0
Source: C:\Users\user\AppData\Local\Temp\build.exe | Code function: 2_2_02F4CF48 push 00000005h; ret 2_2_02F4D266
Source: C:\Users\user\AppData\Local\Temp\build.exe | Code function: 2_2_05746574 push eax; retf 2_2_05746575
Source: C:\Users\user\AppData\Local\Temp\build.exe | Code function: 2_2_05742C02 push 04BFE871h; iretd 2_2_05742C07
Source: C:\Users\user\AppData\Local\Temp\build.exe | Code function: 2_2_05742F2C push 0195E871h; iretd 2_2_05742F31
Source: C:\Users\user\AppData\Local\Temp\build.exe | Code function: 2_2_0574297B push 0744E871h; iretd 2_2_05742982
Source: C:\Users\user\AppData\Local\Temp\build.exe | Code function: 2_2_05742B0C push 05B5E871h; iretd 2_2_05742B11
Source: C:\Users\user\AppData\Local\Temp\build.exe | Code function: 2_2_05742A69 push 064BE871h; iretd 2_2_05742A7B
Source: C:\Users\user\AppData\Local\Temp\build.exe | Code function: 2_2_057974D0 push 00000005h; ret 2_2_057974E0
Source: C:\Users\user\AppData\Local\Temp\build.exe | Code function: 2_2_057FD690 push es; ret 2_2_057FD6A0
Source: C:\Users\user\AppData\Local\Temp\build.exe | Code function: 2_2_057F3058 pushad ; iretd 2_2_057F3059
Source: C:\Users\user\AppData\Local\Temp\build.exe | Code function: 2_2_057FD37C push 5D43E871h; ret 2_2_057FD383
Source: C:\Users\user\AppData\Local\Temp\build.exe | Code function: 2_2_065B62C1 push es; ret 2_2_065B62D0
Source: C:\Users\user\AppData\Local\Temp\build.exe | Code function: 2_2_065B49AB push FFFFFF8Bh; retf 2_2_065B49AD
Source: C:\Users\user\AppData\Local\Temp\main.exe | Code function: 5_3_00E03AF4 pushad ; retf 5_3_00E03B03
Source: C:\Users\user\AppData\Local\Temp\main.exe | Code function: 5_3_00E04285 push F693B671h; retf 5_3_00E0428A
Source: C:\Users\user\AppData\Local\Temp\main.exe | Code function: 5_3_00E05C52 push dword ptr [edx+ebp+3Bh]; retf 5_3_00E05C5F
Source: C:\Users\user\AppData\Local\Temp\main.exe | Code function: 5_3_00E03DCE push edi; iretd 5_3_00E03DD5
Source: C:\Users\user\AppData\Local\Temp\main.exe | Code function: 5_3_00E0216F push ecx; iretd 5_3_00E0217B
Source: C:\Users\user\AppData\Local\Temp\main.exe | Code function: 5_3_00E0457C push esi; ret 5_3_00E04580
Source: C:\Users\user\AppData\Local\Temp\main.exe | Code function: 5_3_00E04F48 push es; ret 5_3_00E04F49
Source: C:\Users\user\AppData\Local\Temp\main.exe | Code function: 5_3_00E00F4E push eax; retf 5_3_00E00F4F
Source: C:\Users\user\AppData\Local\Temp\main.exe | Code function: 5_3_00E0212F pushad ; ret 5_3_00E02137
Source: C:\Users\user\AppData\Local\Temp\main.exe | Code function: 5_2_00E05C52 push dword ptr [edx+ebp+3Bh]; retf 5_2_00E05C5F
Source: C:\Users\user\AppData\Local\Temp\main.exe | Code function: 5_2_00E03DCE push edi; iretd 5_2_00E03DD5
Source: C:\Users\user\AppData\Local\Temp\main.exe | Code function: 5_2_00E0216F push ecx; iretd 5_2_00E0217B
Source: C:\Users\user\AppData\Local\Temp\main.exe | Code function: 5_2_00E0457C push esi; ret 5_2_00E04580
Source: C:\Users\user\AppData\Local\Temp\main.exe | Code function: 5_2_00E0212F pushad ; ret 5_2_00E02137
Source: 2.2.build.exe.10afae4.1.raw.unpack, WdBnEYAg1nRyqJHbk0Q.cs | High entropy of concatenated method names: 'Deym16AiJU', 'g38PJ8K3c0', 'bxAmNgpIsj', 'e1hmfGryNP', 'lwtmvR4TbI', 'gTTmjxPf2K', 'etPftZtnFF', 'k8lAkyS3d0', 'JTKAaFtTtb', 'ShGAiaNY5l'
Source: 2.2.build.exe.10afae4.1.raw.unpack, jtvT30mIe4m7msKUQwZ.cs | High entropy of concatenated method names: 'VkGmG6avNL', 'ioJmo5Cece', 'G4Vmx95Kxx', 's2amJtTEpL', 'xc1mQF3iqc', 'GdGmEOsNfa', 'BKFmbRmVTI', 'Dutm8SOTEe', 'e3Am0acWmO', 'bJjmLl8bTU'
Source: C:\Users\user\AppData\Local\Temp\build.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe
Source: C:\Users\user\Desktop\Eclipse.exe | File created: C:\Users\user\AppData\Local\Temp\build.exe
Source: C:\Users\user\AppData\Local\Temp\Eclipse.exe | File created: C:\Users\user\AppData\Local\Temp\main.exe
Source: C:\Users\user\Desktop\Eclipse.exe | File created: C:\Users\user\AppData\Local\Temp\Eclipse.exe
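The static PE row for qemu-ga.exe above reports a link timestamp of 0x845C0092, which decodes to 14 May 2040, later than any possible analysis date. The Python below is an added example and not part of the report: it reads IMAGE_FILE_HEADER.TimeDateStamp out of a PE image and classifies it against the analysis time. It also carries the caveat a practitioner would want before treating this as evidence of tampering: qemu-ga.exe loads mscoree.dll (see its Section loaded rows), so it is a .NET assembly, and deterministic Roslyn builds, the default for SDK-style projects, store a content hash rather than a build time in this field, which makes a "future" value on a .NET binary unremarkable on its own. The header bytes are constructed inline by make_header, and the analysis date and cutoff year are assumptions.

```python
import struct
from datetime import datetime, timedelta, timezone

# Assumed analysis date for this report (constructed; the page itself shows no date).
ANALYSIS_TIME = datetime(2024, 1, 31, tzinfo=timezone.utc)
# Builds older than this are treated as implausible for a Win32/.NET sample (assumption).
OLDEST_PLAUSIBLE = datetime(1995, 1, 1, tzinfo=timezone.utc)


def pe_timestamp(data: bytes) -> datetime:
    """Read IMAGE_FILE_HEADER.TimeDateStamp from a PE image and return it as an aware UTC datetime."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    # COFF header follows the 4-byte signature: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    stamp = struct.unpack_from("<I", data, e_lfanew + 4 + 4)[0]
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def timestamp_verdict(stamp: datetime, analysis_time: datetime, is_dotnet: bool = False) -> str:
    """Classify a link timestamp relative to when the sample was analysed."""
    if stamp.timestamp() == 0:
        return "zero"            # field cleared, carries no information
    if is_dotnet:
        # Deterministic Roslyn builds write a hash of the compilation into this field,
        # so for managed images the value is not a build time at all.
        return "uninformative"
    if stamp > analysis_time + timedelta(days=1):
        return "future"          # cannot be a real build time; forged or synthetic
    if stamp < OLDEST_PLAUSIBLE:
        return "implausibly old"
    return "plausible"


def make_header(timestamp: int) -> bytes:
    """Constructed minimal PE prefix for testing: a DOS header with e_lfanew=0x40,
    then the PE signature and a 20-byte COFF header carrying the given timestamp."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    # Machine=i386, 3 sections, stamp, no symbols, 0xE0-byte optional header, EXE|32BIT
    coff = struct.pack("<HHIIIHH", 0x014C, 3, timestamp, 0, 0, 0xE0, 0x0102)
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    # The value the report shows for qemu-ga.exe; it loads mscoree.dll, so it is a .NET image.
    stamp = pe_timestamp(make_header(0x845C0092))
    print(stamp.isoformat(), timestamp_verdict(stamp, ANALYSIS_TIME))
    print(stamp.isoformat(), timestamp_verdict(stamp, ANALYSIS_TIME, is_dotnet=True))
```

On a real file, pass the first few hundred bytes of the image to pe_timestamp; the header is enough, the rest of the file is not read. Because this is a 32-bit field, no value it can hold is later than early 2106, so the "future" branch only says the value is not a wall-clock build time, not who wrote it.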

                                      Boot Survival

                                      Source: Yara matchFile source: Eclipse.exe, type: SAMPLE
                                      Source: Yara matchFile source: 00000000.00000003.1957687746.0000000004508000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                      Source: Yara matchFile source: 00000004.00000003.1957976057.000000000357E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                      Source: Yara matchFile source: 00000000.00000002.1962250742.0000000000CDD000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                                      Source: Yara matchFile source: 00000000.00000002.1972454739.00000000050A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                      Source: Yara matchFile source: 00000004.00000002.1968839571.0000000000C57000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
                                      Source: Yara matchFile source: 00000004.00000000.1954302368.0000000000C57000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
                                      Source: Yara matchFile source: 00000000.00000000.1938310489.0000000000CDD000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                                      Source: Yara matchFile source: Process Memory Space: Eclipse.exe PID: 6356, type: MEMORYSTR
                                      Source: Yara matchFile source: Process Memory Space: Eclipse.exe PID: 6808, type: MEMORYSTR
                                      Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\Eclipse.exe, type: DROPPED
                                      Source: C:\Users\user\AppData\Local\Temp\build.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exeJump to dropped file
                                      Source: C:\Users\user\AppData\Local\Temp\build.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exeJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\build.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exeJump to behavior
                                      Source: C:\Users\user\Desktop\Eclipse.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\build.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\Eclipse.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\main.exe; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\dialer.exe; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\dialer.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe; Process information set: NOOPENFILEERRORBOX

                                      Malware Analysis System Evasion

Source: Yara match; File source: Eclipse.exe, type: SAMPLE
Source: Yara match; File source: 00000000.00000003.1957687746.0000000004508000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000003.1957976057.000000000357E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.1962250742.0000000000CDD000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.1972454739.00000000050A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.1968839571.0000000000C57000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000000.1954302368.0000000000C57000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000000.1938310489.0000000000CDD000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: 4.2.Eclipse.exe.40b854.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.0.Eclipse.exe.48eca8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.3.Eclipse.exe.3cbca7c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Eclipse.exe.40b854.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Eclipse.exe.48eca8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.Eclipse.exe.485ca7c.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.1.Eclipse.exe.48eca8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.0.Eclipse.exe.40b854.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.1.Eclipse.exe.40b854.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.1.Eclipse.exe.40b854.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.0.Eclipse.exe.40b854.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000000.00000003.1957687746.0000000003CB8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000000.1954302368.0000000000408000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.1968839571.0000000000408000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.1962250742.0000000000408000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000001.1940704451.0000000000408000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000001.1957783592.0000000000408000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.1972454739.0000000004858000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000000.1938310489.0000000000408000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000003.1957976057.0000000002D30000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                      Source: C:\Windows\SysWOW64\dialer.exeKey enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSIJump to behavior
                                      Source: C:\Users\user\AppData\Local\Temp\build.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                                      Source: C:\Users\user\AppData\Local\Temp\build.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                                      Source: build.exe, 00000002.00000003.2167630358.0000000007291000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000002.2182091271.0000000007294000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\USERS\user\APPDATA\LOCAL\TEMPROSOFT\WINDOWS\START%20MENU\PROGRAMS\STARTUP\QEMU-GA.EXEWQ{_
                                      Source: build.exe, 00000002.00000003.2167630358.0000000007291000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000002.2182091271.0000000007294000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: FILE//C:USERSuserAPPDATAROAMINGMICROSOFTWINDOWSSTART%20MENUPROGRAMSSTARTUPQEMU-GA.EXE
                                      Source: build.exe, 00000002.00000003.2168345063.0000000007261000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000002.2181950526.0000000007264000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: /C:/USERS/user/APPDATA/ROAMING/MICROSOFT/WINDOWS/START%20MENU/PROGRAMS/STARTUP/QEMU-GA.EXE(
                                      Source: dialer.exe, 00000008.00000002.2046996459.0000000002F30000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: AUTORUNSC.EXE
                                      Source: qemu-ga.exe, 0000000A.00000002.3190800898.0000000000FF0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\WINDOWS\TEMP\ASLLOG_SHIMDEBUGLOG_QEMU-GA.EXE_6976.TXT
                                      Source: Eclipse.exe, Eclipse.exe.0.drBinary or memory string: HTTPS://BLACKHATBRAZIL7.000WEBHOSTAPP.COM/PAYLOAD/WIRESHARK.EXE
                                      Source: build.exe, 00000002.00000003.2167695116.00000000014E3000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000003.2168473745.00000000014F9000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000003.2168048034.00000000014E6000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000002.2170916987.00000000014FA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXE
                                      Source: dialer.exe, 00000008.00000002.2046996459.0000000002F30000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: X64DBG.EXE
                                      Source: build.exe, 00000002.00000002.2177974978.0000000005887000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: UC:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXEE}
                                      Source: qemu-ga.exe, 0000000A.00000002.3190800898.0000000001088000.00000004.00000020.00020000.00000000.sdmp, qemu-ga.exe, 0000000B.00000002.3189975825.00000000005B8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXE.CONFIG
                                      Source: qemu-ga.exe, 0000000A.00000002.3190800898.0000000000FF0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\WINDOWS\TEMP\ASLLOG_SHIMENGSTATE_QEMU-GA.EXE_6976.TXT
                                      Source: build.exe, 00000002.00000002.2169612865.0000000000DC0000.00000004.00000020.00040000.00000000.sdmpBinary or memory string: \??\C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXEEN-GBENEN-USMYAPPLICATION.APP
                                      Source: qemu-ga.exe, 0000000B.00000002.3189975825.0000000000550000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: U04U\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXE:\P
                                      Source: build.exe, 00000002.00000002.2169800536.00000000011D2000.00000020.00001000.00020000.00000000.sdmp, build.exe, 00000002.00000002.2169700246.00000000010AE000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: \QEMU-GA.EXE
                                      Source: build.exe, 00000002.00000003.2167516937.00000000058CA000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000002.2178030788.00000000058CF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXE:ZONE.IDENTIFIERWQA
                                      Source: qemu-ga.exe, 0000000A.00000002.3190800898.0000000000FF0000.00000004.00000020.00020000.00000000.sdmp, qemu-ga.exe, 0000000B.00000002.3189975825.0000000000550000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: "C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXE"
                                      Source: qemu-ga.exe, 0000000A.00000002.3192743549.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, qemu-ga.exe, 0000000B.00000002.3191753203.00000000021B1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: XC:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXE
                                      Source: build.exe, 00000002.00000003.2167516937.00000000058CA000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000003.2167944675.0000000007278000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000003.2167630358.0000000007291000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000002.2182091271.0000000007294000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000002.2181998736.0000000007279000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000002.2178030788.00000000058CF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: A=QEMU-GA.EXE
                                      Source: qemu-ga.exe, 0000000A.00000002.3190800898.0000000000FF0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\USERS\user\DESKTOP\C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXE"C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXE" C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXEWINSTA0\DEFAULT
                                      Source: qemu-ga.exe, 0000000B.00000002.3191255636.00000000007E0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ~C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXE
                                      Source: build.exe, 00000002.00000002.2172010947.00000000031CB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: \QEMU-GA.EXE0
                                      Source: dialer.exe, 00000008.00000002.2046996459.0000000002F30000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: FILEMON.EXE
                                      Source: build.exe, 00000002.00000002.2177714252.0000000005820000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: QEMU-GA.EXEQEMU-GA.EXE
                                      Source: qemu-ga.exe, 0000000B.00000002.3189975825.00000000005B8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: RTUP\QEMU-GA.EXE.CONFIG
                                      Source: build.exe, 00000002.00000002.2177974978.0000000005887000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \REGISTRY\MACHINE\SOFTWARE\CLASSES\APPLICATIONS\QEMU-GA.EXE
                                      Source: build.exe, 00000002.00000002.2170916987.0000000001505000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000003.2168473745.0000000001505000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000003.2167695116.0000000001505000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: FILE:///C:/USERS/user/APPDATA/ROAMING/MICROSOFT/WINDOWS/START%20MENU/PROGRAMS/STARTUP/QEMU-GA.EXEUB
                                      Source: build.exe, 00000002.00000003.2168345063.0000000007261000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000002.2181950526.0000000007264000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXEXE
                                      Source: qemu-ga.exe, 0000000B.00000002.3189975825.00000000005B8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: QQP']QEMU-GA.EXE
                                      Source: qemu-ga.exe, 0000000A.00000002.3190800898.0000000000FF0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\WINDOWS\TEMP\ASLLOG_APPHELPDEBUG_QEMU-GA.EXE_6976.TXT
                                      Source: dialer.exe, 00000008.00000002.2046996459.0000000002F30000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: REGMON.EXE
                                      Source: build.exe, 00000002.00000003.2168345063.0000000007261000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000002.2181950526.0000000007264000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: /C:/USERS/user/APPDATA/ROAMING/MICROSOFT/WINDOWS/START%20MENU/PROGRAMS/STARTUP/QEMU-GA.EXE
                                      Source: Eclipse.exe, 00000000.00000003.1957687746.0000000004508000.00000004.00000020.00020000.00000000.sdmp, Eclipse.exe, 00000000.00000002.1962250742.0000000000CDD000.00000002.00000001.01000000.00000003.sdmp, Eclipse.exe, 00000004.00000003.1957976057.000000000357E000.00000004.00000020.00020000.00000000.sdmp, Eclipse.exe, 00000004.00000002.1968839571.0000000000C57000.00000002.00000001.01000000.00000006.sdmp, Eclipse.exe.0.drBinary or memory string: IF GETMODULEHANDLE("SBIEDLL.DLL").TOINT32() <> 0 THEN
                                      Source: qemu-ga.exe, 0000000A.00000002.3192743549.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, qemu-ga.exe, 0000000B.00000002.3191753203.00000000021B1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: QEMU-GA.EXE2
                                      Source: build.exe, 00000002.00000002.2170916987.0000000001505000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000003.2168473745.0000000001505000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000003.2167695116.0000000001505000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: "C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXE" ?A
                                      Source: build.exe, 00000002.00000002.2172010947.00000000031CB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: $DQXC:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXE
                                      Source: dialer.exe, 00000008.00000002.2046996459.0000000002F30000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: FIDDLER.EXE
Source: qemu-ga.exe, 0000000A.00000002.3190800898.0000000000FF0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXE:\P
Source: qemu-ga.exe, 0000000B.00000002.3189975825.000000000055F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: QEMU-GA.EXENEDRIVE%
Source: build.exe, 00000002.00000002.2169975556.00000000012C5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\USERS\user\DESKTOP\C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXE"C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXE" C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXE246WINSTA0\DEFAULT-24=::=::\ALLUSERSPROFILE=C:\PROGRAMDATAAPPDATA=C:\USERS\user\APPDATA\ROAMINGCOMMONPROGRAMFILES=C:\PROGRAM FILES\COMMON FILESCOMMONPROGRAMFILES(X86)=C:\PROGRAM FILES (X86)\COMMON FILESCOMMONPROGRAMW6432=C:\PROGRAM FILES\COMMON FILESCOMPUTERNAME=user-PCCOMSPEC=C:\WINDOWS\SYSTEM32\CMD.EXEDRIVERDATA=C:\WINDOWS\SYSTEM32\DRIVERS\DRIVERDATAFPS_BROWSER_APP_PROFILE_STRING=INTERNET EXPLORERFPS_BROWSER_USER_PROFILE_STRING=DEFAULTHOMEDRIVE=C:HOMEPATH=\USERS\userLOCALAPPDATA=C:\USERS\user\APPDATA\LOCALLOGONSERVER=\\user-PCNUMBER_OF_PROCESSORS=2ONEDRIVE=C:\USERS\user\ONEDRIVEOS=WINDOWS_NTPATH=C:\PROGRAM FILES (X86)\COMMON FILES\ORACLE\JAVA\JAVAPATH;C:\WINDOWS\SYSTEM32;C:\WINDOWS;C:\WINDOWS\SYSTEM32\WBEM;C:\WINDOWS\SYSTEM32\WINDOWSPOWERSHELL\V1.0\;C:\WINDOWS\SYSTEM32\OPENSSH\;C:\USERS\user\APPDATA\LOCAL\MICROSOFT\WINDOWSAPPS;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=INTEL64 FAMILY 6 MODEL 143 STEPPING 8, GENUINEINTELPROCESSOR_LEVEL=6PROCESSOR_REVISION=8F08PROGRAMDATA=C:\PROGRAMDATAPROGRAMFILES=C:\PROGRAM FILESPROGRAMFILES(X86)=C:\PROGRAM FILES (X86)PROGRAMW6432=C:\PROGRAM FILESPSMODULEPATH=C:\PROGRAM FILES (X86)\WINDOWSPOWERSHELL\MODULES;C:\WINDOWS\SYSTEM32\WINDOWSPOWERSHELL\V1.0\MODULES;C:\PROGRAM FILES (X86)\AUTOIT3\AUTOITXPUBLIC=C:\USERS\PUBLICSESSIONNAME=CONSOLESYSTEMDRIVE=C:SYSTEMROOT=C:\WINDOWSTEMP=C:\USERS\user\APPDATA\LOCAL\TEMPTMP=C:\USERS\user\APPDATA\LOCAL\TEMPUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\USERS\userWINDIR=C:\WINDOWS
Source: dialer.exe, 00000008.00000002.2046996459.0000000002F30000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: WINDANR.EXE
Source: qemu-ga.exe, 0000000B.00000002.3189975825.000000000055F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VC:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXE
Source: build.exe, 00000002.00000003.2167944675.0000000007278000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000003.2167630358.0000000007291000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000002.2172010947.00000000031CB000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000002.2182091271.0000000007294000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000002.2181998736.0000000007279000.00000004.00000020.00020000.00000000.sdmp, qemu-ga.exe, 0000000A.00000002.3190800898.0000000001063000.00000004.00000020.00020000.00000000.sdmp, qemu-ga.exe, 0000000A.00000002.3189632231.0000000000B7A000.00000004.00000010.00020000.00000000.sdmp, qemu-ga.exe, 0000000A.00000002.3190800898.000000000108F000.00000004.00000020.00020000.00000000.sdmp, qemu-ga.exe, 0000000A.00000000.2167244123.0000000000A32000.00000002.00000001.01000000.0000000A.sdmp, qemu-ga.exe, 0000000B.00000002.3189555797.000000000019A000.00000004.00000010.00020000.00000000.sdmp, qemu-ga.exe, 0000000B.00000002.3189975825.00000000005B8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: QEMU-GA.EXE
Source: build.exe, 00000002.00000002.2170916987.0000000001505000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000003.2168473745.0000000001505000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000003.2167695116.0000000001505000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXEE6
Source: build.exe, 00000002.00000003.2167516937.00000000058CA000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000002.2178030788.00000000058CF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXE:ZONE.IDENTIFIERWQ
Source: build.exe, 00000002.00000002.2170916987.0000000001505000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000003.2168473745.0000000001505000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000003.2167695116.0000000001505000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: FILE:///C:/USERS/user/APPDATA/ROAMING/MICROSOFT/WINDOWS/START%20MENU/PROGRAMS/STARTUP/QEMU-GA.EXE?C
Source: build.exe, 00000002.00000003.2167695116.00000000014E3000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000003.2168473745.00000000014F9000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000003.2168048034.00000000014E6000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000002.2170916987.00000000014FA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXE0
Source: qemu-ga.exe, 0000000A.00000002.3190800898.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, qemu-ga.exe, 0000000B.00000002.3189975825.000000000055F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\USERS\user\APPDATA\LOCAL\MICROSOFT\CLR_V4.0\USAGELOGS\QEMU-GA.EXE.LOG
Source: build.exe, 00000002.00000003.2167695116.00000000014E3000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000003.2168473745.00000000014F9000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000003.2168048034.00000000014E6000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000002.2170916987.00000000014FA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXEXQ@
Source: qemu-ga.exe, 0000000B.00000002.3189975825.00000000005B8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ']QEMU-GA.EXEIX
Source: build.exe, 00000002.00000003.2167695116.00000000014E3000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000003.2168345063.0000000007261000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000002.2169612865.0000000000DC0000.00000004.00000020.00040000.00000000.sdmp, build.exe, 00000002.00000002.2181950526.0000000007264000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000003.2168473745.00000000014F9000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000003.2168048034.00000000014E6000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000002.2170916987.00000000014FA000.00000004.00000020.00020000.00000000.sdmp, qemu-ga.exe, 0000000A.00000002.3190800898.0000000001063000.00000004.00000020.00020000.00000000.sdmp, qemu-ga.exe, 0000000A.00000002.3190138659.0000000000F50000.00000004.00000020.00020000.00000000.sdmp, qemu-ga.exe, 0000000A.00000002.3190800898.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, qemu-ga.exe, 0000000A.00000002.3190800898.0000000000FF0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXE
Source: qemu-ga.exe, 0000000A.00000002.3190800898.000000000108F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: FILE:///C:/USERS/user/APPDATA/ROAMING/MICROSOFT/WINDOWS/START MENU/PROGRAMS/STARTUP/QEMU-GA.EXEIG
Source: build.exe, 00000002.00000003.2168345063.0000000007261000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000002.2181950526.0000000007264000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXEXQ
Source: build.exe, 00000002.00000003.2167944675.0000000007278000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000003.2167630358.0000000007291000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000002.2182091271.0000000007294000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000002.2181998736.0000000007279000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: QEMU-GA.EXEH
Source: build.exe, 00000002.00000003.2167630358.0000000007291000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000002.2182091271.0000000007294000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXEE
Source: build.exe, 00000002.00000003.2167695116.00000000014E3000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000003.2168473745.00000000014F9000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000003.2168048034.00000000014E6000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000002.2170916987.00000000014FA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXEF}
Source: build.exe, 00000002.00000003.2167630358.0000000007291000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000002.2172010947.00000000031CB000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000002.2182091271.0000000007294000.00000004.00000020.00020000.00000000.sdmp, qemu-ga.exe, 0000000A.00000000.2167276846.0000000000A34000.00000002.00000001.01000000.0000000A.sdmp, qemu-ga.exe.2.dr | Binary or memory string: ORIGINALFILENAMEQEMU-GA.EXE0
Source: build.exe, 00000002.00000002.2170916987.0000000001505000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000003.2168473745.0000000001505000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000003.2167695116.0000000001505000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: FILE:///C:/USERS/user/APPDATA/ROAMING/MICROSOFT/WINDOWS/START%20MENU/PROGRAMS/STARTUP/QEMU-GA.EXE
Source: build.exe, 00000002.00000003.2167630358.0000000007291000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000002.2182091271.0000000007294000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: PPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXEYJYXD
Source: qemu-ga.exe, 0000000B.00000002.3189975825.000000000055F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXEWINDOWSAPPS;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=INTEL64 FAMILY 6 MODEL 143 STEPPING 8, GENUINEV
Source: qemu-ga.exe, 0000000B.00000002.3189975825.00000000005B8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: FILE:///C:/USERS/user/APPDATA/ROAMING/MICROSOFT/WINDOWS/START MENU/PROGRAMS/STARTUP/QEMU-GA.EXEE
Source: dialer.exe, 00000008.00000002.2046996459.0000000002F30000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: MP.EXEX64DBG.EXEX32DBG.EXEOLLYDBG.EXEPROCESSHA
Source: qemu-ga.exe, 0000000A.00000002.3190800898.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXEBDE
Source: qemu-ga.exe, 0000000A.00000002.3190800898.000000000105E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: QEMU-GA.EXEN&>J
Source: build.exe, 00000002.00000002.2170916987.0000000001505000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000003.2168473745.0000000001505000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000003.2167695116.0000000001505000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: FILE:///C:/USERS/user/APPDATA/ROAMING/MICROSOFT/WINDOWS/START%20MENU/PROGRAMS/STARTUP/QEMU-GA.EXE
Source: build.exe, 00000002.00000003.2167630358.0000000007291000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000002.2172010947.00000000031CB000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000002.2182091271.0000000007294000.00000004.00000020.00020000.00000000.sdmp, qemu-ga.exe, 0000000A.00000000.2167276846.0000000000A34000.00000002.00000001.01000000.0000000A.sdmp, qemu-ga.exe.2.dr | Binary or memory string: INTERNALNAMEQEMU-GA.EXEH
Source: dialer.exe, 00000008.00000002.2046996459.0000000002F30000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: PETOOLS.EXEAUTORUNSC.EXERESOURCEHACKER.EXEFILEMON.EXEREGMON.EXEWINDANR.EXE
Source: qemu-ga.exe, 0000000B.00000002.3189555797.000000000019A000.00000004.00000010.00020000.00000000.sdmp, qemu-ga.exe, 0000000B.00000002.3189975825.000000000055F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXEU
Source: qemu-ga.exe, 0000000A.00000002.3190800898.000000000108F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:/USERS/user/APPDATA/ROAMING/MICROSOFT/WINDOWS/START MENU/PROGRAMS/STARTUP/QEMU-GA.EXE.CONFIGG
Source: build.exe, 00000002.00000003.2168345063.0000000007261000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000002.2181950526.0000000007264000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXEX
Source: dialer.exe, 00000008.00000002.2046996459.0000000002F30000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OLLYDBG.EXE
Source: qemu-ga.exe, 0000000A.00000002.3190800898.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXEZG
Source: qemu-ga.exe, 0000000A.00000002.3192743549.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, qemu-ga.exe, 0000000B.00000002.3191753203.00000000021B1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: QEMU-GA.EXE.CONFIG
Source: dialer.exe, 00000008.00000002.2046996459.0000000002F30000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: EVERYWHERE.EXEFIDDLER.EXEIDA.EXEIDA64.EXEIMMU""
Source: qemu-ga.exe, 0000000A.00000002.3190800898.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXEVG
Source: qemu-ga.exe, 0000000B.00000002.3189975825.0000000000550000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: TUC:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXE
Source: build.exe, 00000002.00000003.2167695116.00000000014E3000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000003.2168473745.00000000014F9000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000003.2168048034.00000000014E6000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000002.2170916987.00000000014FA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXEX
Source: qemu-ga.exe, 0000000B.00000002.3189975825.0000000000550000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXE"C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXE" C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXEWINSTA0\DEFAULT
Source: build.exe, 00000002.00000003.2167695116.00000000014E3000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000003.2168473745.00000000014F9000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000003.2168048034.00000000014E6000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000002.2170916987.00000000014FA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXET
Source: build.exe, 00000002.00000003.2168345063.0000000007261000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000002.2181950526.0000000007264000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXEL
Source: qemu-ga.exe, 0000000B.00000002.3189975825.00000000005B8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: QEMU-GA.EXEJC
Source: Eclipse.exe, 00000000.00000003.1957687746.0000000004508000.00000004.00000020.00020000.00000000.sdmp, Eclipse.exe, 00000000.00000002.1962250742.0000000000CDD000.00000002.00000001.01000000.00000003.sdmp, Eclipse.exe, 00000004.00000003.1957976057.000000000357E000.00000004.00000020.00020000.00000000.sdmp, Eclipse.exe, 00000004.00000002.1968839571.0000000000C57000.00000002.00000001.01000000.00000006.sdmp, Eclipse.exe.0.dr | Binary or memory string: IF GETMODULEHANDLE("SBIEDLL.DLL").TOINT32() <> 0 THEN
Source: build.exe, 00000002.00000003.2168345063.0000000007261000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000002.2181950526.0000000007264000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: /C:/USERS/user/APPDATA/ROAMING/MICROSOFT/WINDOWS/START%20MENU/PROGRAMS/STARTUP/QEMU-GA.EXEX
Source: dialer.exe, 00000008.00000002.2046996459.0000000002F30000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: PETOOLS.EXE
Source: build.exe, 00000002.00000003.2168345063.0000000007261000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000002.2181950526.0000000007264000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXEXQ8
Source: qemu-ga.exe, 0000000B.00000002.3189975825.00000000005B8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXE.CONFIGV
Source: build.exe, 00000002.00000003.2167695116.00000000014E3000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000003.2168473745.00000000014F9000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000003.2168048034.00000000014E6000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000002.2170916987.00000000014FA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXE_
Source: dialer.exe, 00000008.00000002.2046996459.0000000002F30000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: TORUNS.EXEDUMPCAP.EXEDE4
Source: qemu-ga.exe, 0000000A.00000002.3192743549.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, qemu-ga.exe, 0000000B.00000002.3191753203.00000000021B1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: _C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXE.CONFIG`_
Source: qemu-ga.exe, 0000000A.00000002.3190800898.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXELES;C:\PROGRAM FILES (X86)\AUTOIT3\AUTOITXPUBLIC=C:\USERS\PUBLICSESSIONNAME=CONSOLESYSTEMDRIVE=C:SYSTEMROOT=C:\WINDOWSTEMP=C:\USERS\user\APPDATA\LOCAL\TEMPTMP=C:\US
Source: qemu-ga.exe, 0000000B.00000002.3189975825.00000000005B8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXE.CONFIGG
Source: build.exe, 00000002.00000002.2172010947.00000000031CB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: $DQXC:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXEH*F
Source: build.exe, 00000002.00000002.2172010947.00000000031CB000.00000004.00000800.00020000.00000000.sdmp, qemu-ga.exe, 0000000A.00000000.2167244123.0000000000A32000.00000002.00000001.01000000.0000000A.sdmp, qemu-ga.exe.2.dr | Binary or memory string: <MODULE>QEMU-GAMSCORLIBTHREADCONSOLEREADLINEDEBUGGABLEATTRIBUTECOMVISIBLEATTRIBUTEASSEMBLYTITLEATTRIBUTEASSEMBLYTRADEMARKATTRIBUTETARGETFRAMEWORKATTRIBUTEASSEMBLYFILEVERSIONATTRIBUTEASSEMBLYCONFIGURATIONATTRIBUTEASSEMBLYDESCRIPTIONATTRIBUTECOMPILATIONRELAXATIONSATTRIBUTEASSEMBLYPRODUCTATTRIBUTEASSEMBLYCOPYRIGHTATTRIBUTEASSEMBLYCOMPANYATTRIBUTERUNTIMECOMPATIBILITYATTRIBUTEQEMU-GA.EXESYSTEM.THREADINGSYSTEM.RUNTIME.VERSIONINGPROGRAMSYSTEMMAINSYSTEM.REFLECTIONSLEEP.CTORSYSTEM.DIAGNOSTICSSYSTEM.RUNTIME.INTEROPSERVICESSYSTEM.RUNTIME.COMPILERSERVICESDEBUGGINGMODESARGSOBJECT
Source: dialer.exe, 00000008.00000002.2046996459.0000000002F30000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: DUMPCAP.EXE
Source: C:\Users\user\AppData\Local\Temp\build.exe | Memory allocated: 2F40000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\build.exe | Memory allocated: 3160000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\build.exe | Memory allocated: 30B0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe | Memory allocated: F70000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe | Memory allocated: 1AD20000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe | Memory allocated: 780000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe | Memory allocated: 1A1B0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\build.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\build.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\build.exe | Window / User API: threadDelayed 1256
Source: C:\Users\user\AppData\Local\Temp\build.exe | Window / User API: threadDelayed 4751
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe | Window / User API: threadDelayed 1928
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe | Window / User API: threadDelayed 8070
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe | Window / User API: threadDelayed 3849
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe | Window / User API: threadDelayed 6148
Source: C:\Users\user\AppData\Local\Temp\build.exe | API coverage: 9.2 %
Source: C:\Users\user\AppData\Local\Temp\build.exe TID: 7036 | Thread sleep time: -12912720851596678s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\build.exe TID: 6900 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe TID: 6972 | Thread sleep count: 1928 > 30
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe TID: 6972 | Thread sleep time: -192800000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe TID: 6972 | Thread sleep count: 8070 > 30
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe TID: 6972 | Thread sleep time: -807000000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe TID: 3520 | Thread sleep count: 3849 > 30
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe TID: 3520 | Thread sleep time: -384900000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe TID: 3520 | Thread sleep count: 6148 > 30
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe TID: 3520 | Thread sleep time: -614800000s >= -30000s
Source: C:\Windows\SysWOW64\dialer.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Windows\SysWOW64\dialer.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Windows\SysWOW64\dialer.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\AppData\Local\Temp\build.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe | Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe | Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe | Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe | Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\build.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\build.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe | Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe | Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe | Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe | Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Local\Temp\build.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Source: C:\Users\user\AppData\Local\Temp\build.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Users\user\AppData\Local\Temp\build.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
Source: C:\Users\user\AppData\Local\Temp\build.exe | File opened: C:\Users\user\AppData\
Source: C:\Users\user\AppData\Local\Temp\build.exe | File opened: C:\Users\user\
Source: C:\Users\user\AppData\Local\Temp\build.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
                                      Source: build.exe, 00000002.00000003.2167516937.00000000058CA000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000002.2178030788.00000000058CF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe:Zone.IdentifierwqA
                                      Source: build.exe, 00000002.00000002.2172010947.00000000031CB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: $dqXC:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exeh*F
                                      Source: build.exe, 00000002.00000003.2167630358.0000000007291000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000002.2172010947.00000000031CB000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000002.2182091271.0000000007294000.00000004.00000020.00020000.00000000.sdmp, qemu-ga.exe, 0000000A.00000000.2167276846.0000000000A34000.00000002.00000001.01000000.0000000A.sdmp, qemu-ga.exe.2.drBinary or memory string: ProductNameqemu-ga4
                                      Source: build.exe, 00000002.00000003.2167516937.00000000058CA000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000002.2178030788.00000000058CF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe:Zone.Identifierwq
                                      Source: build.exe, 00000002.00000003.2167695116.00000000014E3000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000003.2168473745.00000000014F9000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000003.2168048034.00000000014E6000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000002.2170916987.00000000014FA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe0
                                      Source: build.exe, 00000002.00000003.2168345063.0000000007261000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000002.2181950526.0000000007264000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: /C:/Users/user/AppData/Roaming/Microsoft/Windows/Start%20Menu/Programs/Startup/qemu-ga.exe(
                                      Source: qemu-ga.exe, 0000000A.00000002.3190800898.0000000000FF0000.00000004.00000020.00020000.00000000.sdmp, qemu-ga.exe, 0000000B.00000002.3189975825.0000000000550000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"
                                      Source: qemu-ga.exe, 0000000A.00000002.3190800898.000000000108F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: file:///C:/Users/user/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/qemu-ga.exeig
                                      Source: qemu-ga.exe, 0000000B.00000002.3189975825.00000000005B8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \Windows\Start Menu\Programs\Startup\qemu-ga.exe.configg
                                      Source: qemu-ga.exe, 0000000A.00000002.3190800898.000000000105E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: qemu-ga.exen&>J
                                      Source: qemu-ga.exe, 0000000A.00000002.3190800898.0000000000FFC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exezg
                                      Source: build.exe, 00000002.00000002.2169800536.00000000011D2000.00000020.00001000.00020000.00000000.sdmp, build.exe, 00000002.00000002.2169700246.00000000010AE000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: \qemu-ga.exe
                                      Source: qemu-ga.exe, 0000000A.00000002.3190800898.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, qemu-ga.exe, 0000000B.00000002.3189975825.000000000055F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\qemu-ga.exe.log
                                      Source: build.exe, 00000002.00000002.2169975556.00000000012C5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Users\user\Desktop\C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe" C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe246Winsta0\Default-24=::=::\ALLUSERSPROFILE=C:\ProgramDataAPPDATA=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=user-PCComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataFPS_BROWSER_APP_PROFILE_STRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, GenuineIntelPROCESSOR_LEVEL=6PROCESSOR_REVISION=8f08ProgramData=C:\ProgramDataProgramFiles=C:\Program FilesProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windows
                                      Source: build.exe, 00000002.00000002.2177974978.0000000005887000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
                                      Source: qemu-ga.exe, 0000000A.00000002.3190800898.0000000001088000.00000004.00000020.00020000.00000000.sdmp, qemu-ga.exe, 0000000B.00000002.3189975825.00000000005B8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe.config
                                      Source: qemu-ga.exe, 0000000A.00000002.3190800898.0000000000FF0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Windows\Temp\AslLog_ShimDebugLog_qemu-ga.exe_6976.txt
                                      Source: qemu-ga.exe, 0000000B.00000002.3189975825.0000000000550000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: TUC:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe
                                      Source: qemu-ga.exe, 0000000A.00000002.3190800898.0000000000FF0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Windows\Temp\AslLog_shimengstate_qemu-ga.exe_6976.txt
                                      Source: build.exe, 00000002.00000003.2167630358.0000000007291000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000002.2172010947.00000000031CB000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000002.2182091271.0000000007294000.00000004.00000020.00020000.00000000.sdmp, qemu-ga.exe, 0000000A.00000000.2167276846.0000000000A34000.00000002.00000001.01000000.0000000A.sdmp, qemu-ga.exe.2.drBinary or memory string: InternalNameqemu-ga.exeH
                                      Source: qemu-ga.exe, 0000000A.00000002.3190800898.0000000001063000.00000004.00000020.00020000.00000000.sdmp, qemu-ga.exe, 0000000B.00000002.3189975825.00000000005B8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\C:\Windows\assembly\NativeImages_v4.0.30319_64\qemu-ga\*
                                      Source: qemu-ga.exe, 0000000A.00000002.3192743549.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, qemu-ga.exe, 0000000B.00000002.3191753203.00000000021B1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: qemu-ga.exe2
                                      Source: qemu-ga.exe, 0000000A.00000002.3190800898.0000000000FF0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Windows\Temp\AslLog_ApphelpDebug_qemu-ga.exe_6976.txt
                                      Source: qemu-ga.exe, 0000000B.00000002.3189975825.0000000000550000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: U04U\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe:\P
                                      Source: qemu-ga.exe, 0000000A.00000002.3192743549.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, qemu-ga.exe, 0000000B.00000002.3191753203.00000000021B1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: _C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe.config`_
                                      Source: qemu-ga.exe, 0000000B.00000002.3189555797.000000000019A000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exeu
                                      Source: build.exe, 00000002.00000003.2168345063.0000000007261000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000002.2181950526.0000000007264000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exel
                                      Source: qemu-ga.exe, 0000000A.00000002.3190800898.0000000000FFC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exeBdE
                                      Source: build.exe, 00000002.00000003.2167630358.0000000007291000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000002.2172010947.00000000031CB000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000002.2182091271.0000000007294000.00000004.00000020.00020000.00000000.sdmp, qemu-ga.exe, 0000000A.00000000.2167276846.0000000000A34000.00000002.00000001.01000000.0000000A.sdmp, qemu-ga.exe.2.drBinary or memory string: FileDescriptionqemu-ga0
                                      Source: qemu-ga.exe, 0000000B.00000002.3189975825.0000000000550000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe" C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exeWinsta0\Default
                                      Source: Eclipse.exe, 00000000.00000003.1957687746.0000000004508000.00000004.00000020.00020000.00000000.sdmp, Eclipse.exe, 00000000.00000002.1962250742.0000000000CDD000.00000002.00000001.01000000.00000003.sdmp, Eclipse.exe, 00000004.00000003.1957976057.000000000357E000.00000004.00000020.00020000.00000000.sdmp, Eclipse.exe, 00000004.00000002.1968839571.0000000000C57000.00000002.00000001.01000000.00000006.sdmp, Eclipse.exe.0.drBinary or memory string: If DetectVirtualMachine() Then Environment.FailFast(Nothing)
                                      Source: build.exe, 00000002.00000003.2167630358.0000000007291000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000002.2182091271.0000000007294000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: roductNameqemu-ga4
                                      Source: build.exe, 00000002.00000003.2167695116.00000000014E3000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000003.2168345063.0000000007261000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000002.2169612865.0000000000DC0000.00000004.00000020.00040000.00000000.sdmp, build.exe, 00000002.00000002.2181950526.0000000007264000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000003.2168473745.00000000014F9000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000003.2168048034.00000000014E6000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000002.2170916987.00000000014FA000.00000004.00000020.00020000.00000000.sdmp, qemu-ga.exe, 0000000A.00000002.3190800898.0000000001063000.00000004.00000020.00020000.00000000.sdmp, qemu-ga.exe, 0000000A.00000002.3190138659.0000000000F50000.00000004.00000020.00020000.00000000.sdmp, qemu-ga.exe, 0000000A.00000002.3190800898.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, qemu-ga.exe, 0000000A.00000002.3190800898.0000000000FF0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe
                                      Source: build.exe, 00000002.00000003.2167630358.0000000007291000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000002.2172010947.00000000031CB000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000002.2182091271.0000000007294000.00000004.00000020.00020000.00000000.sdmp, qemu-ga.exe, 0000000A.00000000.2167276846.0000000000A34000.00000002.00000001.01000000.0000000A.sdmp, qemu-ga.exe.2.drBinary or memory string: OriginalFilenameqemu-ga.exe0
                                      Source: qemu-ga.exe, 0000000A.00000002.3190800898.000000000108F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:/Users/user/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/qemu-ga.exe.configg
                                      Source: build.exe, 00000002.00000003.2167630358.0000000007291000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000002.2182091271.0000000007294000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exee
                                      Source: build.exe, 00000002.00000003.2167695116.00000000014E3000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000003.2168473745.00000000014F9000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000003.2168048034.00000000014E6000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000002.2170916987.00000000014FA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exexq@
                                      Source: build.exe, 00000002.00000002.2170916987.0000000001505000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000003.2168473745.0000000001505000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000003.2167695116.0000000001505000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exee6
                                      Source: build.exe, 00000002.00000003.2167695116.00000000014E3000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000003.2168473745.00000000014F9000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000003.2168048034.00000000014E6000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000002.2170916987.00000000014FA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe_
                                      Source: qemu-ga.exe, 0000000B.00000002.3192529967.00007FFD9B994000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: ]qemu-ga
                                      Source: build.exe, 00000002.00000003.2168345063.0000000007261000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000002.2181950526.0000000007264000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exeX
                                      Source: build.exe, 00000002.00000002.2177974978.0000000005887000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: uC:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exee}
                                      Source: qemu-ga.exe, 0000000B.00000002.3189975825.00000000005B8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe.configv
                                      Source: qemu-ga.exe, 0000000A.00000002.3192743549.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, qemu-ga.exe, 0000000B.00000002.3191753203.00000000021B1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: XC:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe
                                      Source: build.exe, 00000002.00000002.2170916987.0000000001505000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000003.2168473745.0000000001505000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000003.2167695116.0000000001505000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: file:///C:/Users/user/AppData/Roaming/Microsoft/Windows/Start%20Menu/Programs/Startup/qemu-ga.exeub
                                      Source: dialer.exe, 00000008.00000003.2015207102.0000000005540000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: EnableGuestVmNetworkConnectivity
                                      Source: qemu-ga.exe, 0000000B.00000002.3189975825.000000000055F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exeU
                                      Source: build.exe, 00000002.00000003.2167695116.00000000014E3000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000003.2168473745.00000000014F9000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000003.2168048034.00000000014E6000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000002.2170916987.00000000014FA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe
                                      Source: build.exe, 00000002.00000002.2170916987.0000000001505000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000003.2168473745.0000000001505000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000003.2167695116.0000000001505000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: file:///C:/Users/user/AppData/Roaming/Microsoft/Windows/Start%20Menu/Programs/Startup/qemu-ga.exe
                                      Source: qemu-ga.exe, 0000000B.00000002.3189975825.000000000055F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exeWindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCPROCESSOR_ARCHITECTURE=AMD64PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 143 Stepping 8, Genuinev
                                      Source: qemu-ga.exe, 0000000B.00000002.3189975825.000000000055F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: qemu-ga.exeneDrive%
                                      Source: build.exe, 00000002.00000002.2181998736.0000000007279000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: od_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                                      Source: Eclipse.exe.0.drBinary or memory string: If (manufacturer = "microsoft corporation" AndAlso item("Model").ToString().ToUpperInvariant().Contains("VIRTUAL")) OrElse manufacturer.Contains("vmware") OrElse item("Model").ToString() = "VirtualBox" Then
                                      Source: Eclipse.exe, 00000000.00000003.1957687746.0000000004508000.00000004.00000020.00020000.00000000.sdmp, Eclipse.exe, 00000000.00000002.1962250742.0000000000CDD000.00000002.00000001.01000000.00000003.sdmp, Eclipse.exe, 00000004.00000003.1957976057.000000000357E000.00000004.00000020.00020000.00000000.sdmp, Eclipse.exe, 00000004.00000002.1968839571.0000000000C57000.00000002.00000001.01000000.00000006.sdmp, Eclipse.exe.0.drBinary or memory string: Public Shared Function DetectVirtualMachine() As Boolean
                                      Source: build.exe, 00000002.00000003.2167630358.0000000007291000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000002.2182091271.0000000007294000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Users\user\AppData\Local\Temprosoft\Windows\Start%20Menu\Programs\Startup\qemu-ga.exewQ{_
                                      Source: build.exe, 00000002.00000002.2172010947.00000000031CB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: \qemu-ga.exe0
                                      Source: qemu-ga.exe, 0000000A.00000002.3192743549.0000000002D21000.00000004.00000800.00020000.00000000.sdmp, qemu-ga.exe, 0000000B.00000002.3191753203.00000000021B1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: qemu-ga.exe.config
                                      Source: build.exe, 00000002.00000003.2167944675.0000000007278000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000003.2167630358.0000000007291000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000002.2172010947.00000000031CB000.00000004.00000800.00020000.00000000.sdmp, build.exe, 00000002.00000002.2182091271.0000000007294000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000002.2181998736.0000000007279000.00000004.00000020.00020000.00000000.sdmp, qemu-ga.exe, 0000000A.00000002.3190800898.0000000001063000.00000004.00000020.00020000.00000000.sdmp, qemu-ga.exe, 0000000A.00000002.3189632231.0000000000B7A000.00000004.00000010.00020000.00000000.sdmp, qemu-ga.exe, 0000000A.00000002.3190800898.000000000108F000.00000004.00000020.00020000.00000000.sdmp, qemu-ga.exe, 0000000A.00000000.2167244123.0000000000A32000.00000002.00000001.01000000.0000000A.sdmp, qemu-ga.exe, 0000000B.00000002.3189555797.000000000019A000.00000004.00000010.00020000.00000000.sdmp, qemu-ga.exe, 0000000B.00000002.3189975825.00000000005B8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: qemu-ga.exe
                                      Source: build.exe, 00000002.00000003.2167944675.0000000007278000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000002.2181998736.0000000007279000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: qemu$
                                      Source: qemu-ga.exe, 0000000A.00000002.3190800898.0000000000FF0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe:\P
                                      Source: build.exe, 00000002.00000002.2170916987.0000000001505000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000003.2168473745.0000000001505000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000003.2167695116.0000000001505000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe" ?A
                                      Source: build.exe, 00000002.00000003.2168345063.0000000007261000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000002.2181950526.0000000007264000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exexq8
                                      Source: qemu-ga.exe, 0000000B.00000002.3189975825.000000000055F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VC:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe
                                      Source: qemu-ga.exe, 0000000B.00000002.3189975825.00000000005B8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ']qemu-ga.exeIx
                                      Source: build.exe, 00000002.00000003.2167695116.00000000014E3000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000003.2168473745.00000000014F9000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000003.2168048034.00000000014E6000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000002.2170916987.00000000014FA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exet
                                      Source: build.exe, 00000002.00000002.2172010947.00000000031CB000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: $dqXC:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe
                                      Source: build.exe, 00000002.00000003.2168345063.0000000007261000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000002.2181950526.0000000007264000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: /C:/Users/user/AppData/Roaming/Microsoft/Windows/Start%20Menu/Programs/Startup/qemu-ga.exe
                                      Source: build.exe, 00000002.00000002.2172010947.00000000031CB000.00000004.00000800.00020000.00000000.sdmp, qemu-ga.exe, 0000000A.00000000.2167244123.0000000000A32000.00000002.00000001.01000000.0000000A.sdmp, qemu-ga.exe, 0000000A.00000002.3193236273.00007FFD9B9B4000.00000004.00000800.00020000.00000000.sdmp, qemu-ga.exe, 0000000B.00000002.3192529967.00007FFD9B994000.00000004.00000800.00020000.00000000.sdmp, qemu-ga.exe, 0000000B.00000002.3189975825.00000000005B8000.00000004.00000020.00020000.00000000.sdmp, qemu-ga.exe.2.drBinary or memory string: qemu-ga
                                      Source: build.exe, 00000002.00000003.2167516937.00000000058CA000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000003.2167944675.0000000007278000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000003.2167630358.0000000007291000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000002.2182091271.0000000007294000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000002.2181998736.0000000007279000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000002.2178030788.00000000058CF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: A=qemu-ga.exe
                                      Source: build.exe, 00000002.00000003.2167944675.0000000007278000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000003.2167630358.0000000007291000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000002.2182091271.0000000007294000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000002.2181998736.0000000007279000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: qemu-ga.exeH
                                      Source: qemu-ga.exe, 0000000A.00000002.3190800898.0000000000FFC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exevg
                                      Source: build.exe, 00000002.00000003.2167630358.0000000007291000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000002.2182091271.0000000007294000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: file//C:UsersuserAppDataRoamingMicrosoftWindowsStart%20MenuProgramsStartupqemu-ga.exe
                                      Source: build.exe, 00000002.00000002.2178030788.00000000058CF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\y{
                                      Source: qemu-ga.exe, 0000000A.00000002.3190800898.0000000000FF0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Users\user\Desktop\C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe" C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exeWinsta0\Default
                                      Source: build.exe, 00000002.00000002.2177974978.0000000005887000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \Registry\Machine\Software\Classes\Applications\qemu-ga.exe
                                      Source: qemu-ga.exe, 0000000B.00000002.3189975825.00000000005B8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: QQp']qemu-ga.exe
                                      Source: qemu-ga.exe, 0000000B.00000002.3189975825.00000000005B8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: file:///C:/Users/user/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/qemu-ga.exee
                                      Source: build.exe, 00000002.00000003.2167630358.0000000007291000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000002.2182091271.0000000007294000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exeyJyXd
                                      Source: qemu-ga.exe, 0000000B.00000002.3191255636.00000000007E0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ~C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe
                                      Source: qemu-ga.exe, 0000000A.00000002.3190800898.0000000000FFC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exeles;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Us
                                      Source: qemu-ga.exe, 0000000B.00000002.3189975825.00000000005B8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: qemu-ga.exeJc
                                      Source: qemu-ga.exe, 0000000B.00000002.3189975825.00000000005B8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: rtup\qemu-ga.exe.config
                                      Source: build.exe, 00000002.00000002.2169612865.0000000000DC0000.00000004.00000020.00040000.00000000.sdmpBinary or memory string: \??\C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exeen-GBenen-USMyApplication.app
                                      Source: build.exe, 00000002.00000003.2168345063.0000000007261000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000002.2181950526.0000000007264000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: /C:/Users/user/AppData/Roaming/Microsoft/Windows/Start%20Menu/Programs/Startup/qemu-ga.exex
                                      Source: build.exe, 00000002.00000003.2168345063.0000000007261000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000002.2181950526.0000000007264000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exexq
                                      Source: qemu-ga.exe, 0000000A.00000002.3190800898.0000000001063000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: qemu-ga@
                                      Source: qemu-ga.exe, 0000000B.00000002.3189975825.000000000055F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \user\Ata\Localrosoft\C4.0\Usags\qemu-ge.log
                                      Source: build.exe, 00000002.00000002.2177714252.0000000005820000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: qemu-ga.exeqemu-ga.exe
                                      Source: build.exe, 00000002.00000002.2177714252.0000000005820000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                                      Source: build.exe, 00000002.00000002.2178030788.00000000058CF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                                      Source: build.exe, 00000002.00000003.2168345063.0000000007261000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000002.2181950526.0000000007264000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exexe
                                      Source: build.exe, 00000002.00000002.2172010947.00000000031CB000.00000004.00000800.00020000.00000000.sdmp, qemu-ga.exe, 0000000A.00000000.2167244123.0000000000A32000.00000002.00000001.01000000.0000000A.sdmp, qemu-ga.exe.2.drBinary or memory string: <Module>qemu-gamscorlibThreadConsoleReadLineDebuggableAttributeComVisibleAttributeAssemblyTitleAttributeAssemblyTrademarkAttributeTargetFrameworkAttributeAssemblyFileVersionAttributeAssemblyConfigurationAttributeAssemblyDescriptionAttributeCompilationRelaxationsAttributeAssemblyProductAttributeAssemblyCopyrightAttributeAssemblyCompanyAttributeRuntimeCompatibilityAttributeqemu-ga.exeSystem.ThreadingSystem.Runtime.VersioningProgramSystemMainSystem.ReflectionSleep.ctorSystem.DiagnosticsSystem.Runtime.InteropServicesSystem.Runtime.CompilerServicesDebuggingModesargsObject
                                      Source: dialer.exe, 00000008.00000003.2015207102.0000000005540000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: DisableGuestVmNetworkConnectivity
                                      Source: build.exe, 00000002.00000003.2167695116.00000000014E3000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000003.2168473745.00000000014F9000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000003.2168048034.00000000014E6000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000002.2170916987.00000000014FA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exef}
                                      Source: build.exe, 00000002.00000002.2170916987.0000000001505000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000003.2168473745.0000000001505000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000003.2167695116.0000000001505000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: file:///C:/Users/user/AppData/Roaming/Microsoft/Windows/Start%20Menu/Programs/Startup/qemu-ga.exe
                                      Source: build.exe, 00000002.00000002.2170916987.0000000001505000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000003.2168473745.0000000001505000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000003.2167695116.0000000001505000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: file:///C:/Users/user/AppData/Roaming/Microsoft/Windows/Start%20Menu/Programs/Startup/qemu-ga.exe?c
                                      Source: build.exe, 00000002.00000003.2167695116.00000000014E3000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000003.2168473745.00000000014F9000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000003.2168048034.00000000014E6000.00000004.00000020.00020000.00000000.sdmp, build.exe, 00000002.00000002.2170916987.00000000014FA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exeX
Source: C:\Users\user\AppData\Local\Temp\build.exeProcess information queried: ProcessInformation
                                      Source: C:\Users\user\AppData\Local\Temp\build.exeCode function: 2_2_0020FD93 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_0020FD93
                                      Source: C:\Users\user\AppData\Local\Temp\build.exeCode function: 2_2_00202F90 VirtualAlloc,LoadLibraryA,GetProcAddress,GetProcAddress,lstrlenW,CreateThread,Sleep,WaitForSingleObject,2_2_00202F90
                                      Source: C:\Users\user\AppData\Local\Temp\build.exeCode function: 2_2_00202F90 mov eax, dword ptr fs:[00000030h]2_2_00202F90
                                      Source: C:\Users\user\AppData\Local\Temp\main.exeCode function: 5_3_00E00277 mov eax, dword ptr fs:[00000030h]5_3_00E00277
                                      Source: C:\Users\user\AppData\Local\Temp\main.exeCode function: 5_2_00E00277 mov eax, dword ptr fs:[00000030h]5_2_00E00277
                                      Source: C:\Windows\SysWOW64\dialer.exeCode function: 8_3_02EC027F mov eax, dword ptr fs:[00000030h]8_3_02EC027F
                                      Source: C:\Users\user\AppData\Local\Temp\build.exeCode function: 2_2_00217D34 GetProcessHeap,2_2_00217D34
Source: C:\Users\user\AppData\Local\Temp\build.exeProcess token adjusted: Debug
                                      Source: C:\Users\user\AppData\Local\Temp\build.exeCode function: 2_2_0020992D SetUnhandledExceptionFilter,2_2_0020992D
                                      Source: C:\Users\user\AppData\Local\Temp\build.exeCode function: 2_2_00209B5D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_00209B5D
                                      Source: C:\Users\user\AppData\Local\Temp\build.exeCode function: 2_2_0020FD93 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_0020FD93
                                      Source: C:\Users\user\AppData\Local\Temp\build.exeCode function: 2_2_002097CE IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_002097CE
Source: C:\Users\user\AppData\Local\Temp\build.exeMemory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\Eclipse.exeProcess created: C:\Users\user\AppData\Local\Temp\build.exe "C:\Users\user\AppData\Local\Temp\build.exe"
Source: C:\Users\user\Desktop\Eclipse.exeProcess created: C:\Users\user\AppData\Local\Temp\Eclipse.exe "C:\Users\user\AppData\Local\Temp\Eclipse.exe"
Source: C:\Users\user\AppData\Local\Temp\build.exeProcess created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"
Source: C:\Users\user\AppData\Local\Temp\Eclipse.exeProcess created: C:\Users\user\AppData\Local\Temp\main.exe "C:\Users\user\AppData\Local\Temp\main.exe"
Source: C:\Users\user\AppData\Local\Temp\main.exeProcess created: C:\Windows\SysWOW64\dialer.exe C:\Windows\system32\dialer.exe
                                      Source: C:\Users\user\AppData\Local\Temp\build.exeCode function: 2_2_002095EA cpuid 2_2_002095EA
                                      Source: C:\Users\user\AppData\Local\Temp\build.exeCode function: GetLocaleInfoW,2_2_0021A8A7
                                      Source: C:\Users\user\AppData\Local\Temp\build.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,2_2_0021A97D
                                      Source: C:\Users\user\AppData\Local\Temp\build.exeCode function: EnumSystemLocalesW,2_2_0021A2B2
                                      Source: C:\Users\user\AppData\Local\Temp\build.exeCode function: EnumSystemLocalesW,2_2_0021A2B4
                                      Source: C:\Users\user\AppData\Local\Temp\build.exeCode function: EnumSystemLocalesW,2_2_0021A2FF
                                      Source: C:\Users\user\AppData\Local\Temp\build.exeCode function: GetLocaleInfoW,2_2_00217ADD
                                      Source: C:\Users\user\AppData\Local\Temp\build.exeCode function: EnumSystemLocalesW,2_2_0021A39A
                                      Source: C:\Users\user\AppData\Local\Temp\build.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,2_2_0021A425
                                      Source: C:\Users\user\AppData\Local\Temp\build.exeCode function: EnumSystemLocalesW,2_2_002175B1
                                      Source: C:\Users\user\AppData\Local\Temp\build.exeCode function: GetLocaleInfoW,2_2_0021A678
                                      Source: C:\Users\user\AppData\Local\Temp\build.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,2_2_0021A7A1
Source: C:\Users\user\AppData\Local\Temp\build.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\build.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe VolumeInformation
                                      Source: C:\Users\user\AppData\Local\Temp\build.exeCode function: 2_2_002099E8 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,2_2_002099E8
Source: C:\Users\user\AppData\Local\Temp\build.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                                      Lowering of HIPS / PFW / Operating System Security Settings

                                      Source: Yara matchFile source: Eclipse.exe, type: SAMPLE
                                      Source: Yara matchFile source: 00000000.00000003.1957687746.0000000004508000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                      Source: Yara matchFile source: 00000004.00000003.1957976057.000000000357E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                      Source: Yara matchFile source: 00000000.00000002.1962250742.0000000000CDD000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                                      Source: Yara matchFile source: 00000000.00000002.1972454739.00000000050A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                      Source: Yara matchFile source: 00000004.00000002.1968839571.0000000000C57000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
                                      Source: Yara matchFile source: 00000004.00000000.1954302368.0000000000C57000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
                                      Source: Yara matchFile source: 00000000.00000000.1938310489.0000000000CDD000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                                      Source: Yara matchFile source: Process Memory Space: Eclipse.exe PID: 6356, type: MEMORYSTR
                                      Source: Yara matchFile source: Process Memory Space: Eclipse.exe PID: 6808, type: MEMORYSTR
                                      Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\Eclipse.exe, type: DROPPED
                                      Source: dialer.exe, 00000008.00000002.2046996459.0000000002F30000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OllyDbg.exe
                                      Source: dialer.exe, 00000008.00000002.2046996459.0000000002F30000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: regmon.exe
                                      Source: C:\Users\user\AppData\Local\Temp\build.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
                                      Source: C:\Users\user\AppData\Local\Temp\build.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
                                      Source: C:\Users\user\AppData\Local\Temp\build.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
                                      Source: C:\Users\user\AppData\Local\Temp\build.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
                                      Source: C:\Users\user\AppData\Local\Temp\build.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
                                      Source: C:\Users\user\AppData\Local\Temp\build.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

                                      Stealing of Sensitive Information

                                      Source: Yara matchFile source: 2.2.build.exe.11d0000.2.unpack, type: UNPACKEDPE
                                      Source: Yara matchFile source: 2.2.build.exe.10afae4.1.unpack, type: UNPACKEDPE
                                      Source: Yara matchFile source: 2.2.build.exe.10afae4.1.raw.unpack, type: UNPACKEDPE
                                      Source: Yara matchFile source: 00000002.00000002.2169800536.00000000011D2000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                                      Source: Yara matchFile source: 00000002.00000002.2169700246.00000000010AE000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                                      Source: Yara matchFile source: 00000008.00000002.2047567066.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                                      Source: Yara matchFile source: 00000005.00000003.2002178489.00000000013E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                                      Source: Yara matchFile source: 00000005.00000003.2011303057.0000000004000000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                                      Source: Yara matchFile source: 00000008.00000003.2011512500.0000000004A60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                                      Source: Yara matchFile source: dump.pcap, type: PCAP
                                      Source: Yara matchFile source: 2.2.build.exe.11d0000.2.unpack, type: UNPACKEDPE
                                      Source: Yara matchFile source: 2.2.build.exe.10afae4.1.unpack, type: UNPACKEDPE
                                      Source: Yara matchFile source: 2.2.build.exe.10afae4.1.raw.unpack, type: UNPACKEDPE
                                      Source: Yara matchFile source: 00000002.00000002.2169800536.00000000011D2000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                                      Source: Yara matchFile source: 00000002.00000002.2172010947.00000000031CB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                      Source: Yara matchFile source: 00000002.00000002.2169700246.00000000010AE000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                                      Source: Yara matchFile source: Process Memory Space: build.exe PID: 6616, type: MEMORYSTR
                                      Source: Yara matchFile source: Eclipse.exe, type: SAMPLE
                                      Source: Yara matchFile source: 00000000.00000003.1957687746.0000000004508000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                      Source: Yara matchFile source: 00000004.00000003.1957976057.000000000357E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                      Source: Yara matchFile source: 00000000.00000002.1962250742.0000000000CDD000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                                      Source: Yara matchFile source: 00000000.00000002.1972454739.00000000050A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                      Source: Yara matchFile source: 00000004.00000002.1968839571.0000000000C57000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
                                      Source: Yara matchFile source: 00000004.00000000.1954302368.0000000000C57000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
                                      Source: Yara matchFile source: 00000000.00000000.1938310489.0000000000CDD000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                                      Source: Yara matchFile source: Process Memory Space: Eclipse.exe PID: 6356, type: MEMORYSTR
                                      Source: Yara matchFile source: Process Memory Space: Eclipse.exe PID: 6808, type: MEMORYSTR
                                      Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\Eclipse.exe, type: DROPPED
                                      Source: Yara matchFile source: 2.2.build.exe.11d0000.2.unpack, type: UNPACKEDPE
                                      Source: Yara matchFile source: 2.2.build.exe.10afae4.1.unpack, type: UNPACKEDPE
                                      Source: Yara matchFile source: 2.2.build.exe.10afae4.1.raw.unpack, type: UNPACKEDPE
                                      Source: build.exe, 00000002.00000002.2172010947.00000000031CB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: hieplnfojfccegoloniefimmbfjdgcgp|Electrum
                                      Source: build.exe, 00000002.00000002.2172010947.00000000031CB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: mhonjhhcgphdphdjcdoeodfdliikapmj|Jaxx Liberty
                                      Source: build.exe, 00000002.00000002.2172010947.00000000031CB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: idkppnahnmmggbmfkjhiakkbkdpnmnon|Exodus
                                      Source: build.exe, 00000002.00000002.2172010947.00000000031CB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: EthereumE#
                                      Source: build.exe, 00000002.00000002.2169800536.00000000011D2000.00000020.00001000.00020000.00000000.sdmpString found in binary or memory: set_UseMachineKeyStore
Source: C:\Users\user\AppData\Local\Temp\build.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\build.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\build.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\build.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\build.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
Source: C:\Users\user\AppData\Local\Temp\build.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                                      Source: Yara matchFile source: 00000002.00000002.2172010947.00000000031CB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                      Source: Yara matchFile source: Process Memory Space: build.exe PID: 6616, type: MEMORYSTR

                                      Remote Access Functionality

                                      Source: Yara matchFile source: 2.2.build.exe.11d0000.2.unpack, type: UNPACKEDPE
                                      Source: Yara matchFile source: 2.2.build.exe.10afae4.1.unpack, type: UNPACKEDPE
                                      Source: Yara matchFile source: 2.2.build.exe.10afae4.1.raw.unpack, type: UNPACKEDPE
                                      Source: Yara matchFile source: 00000002.00000002.2169800536.00000000011D2000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                                      Source: Yara matchFile source: 00000002.00000002.2169700246.00000000010AE000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                                      Source: Yara matchFile source: 00000008.00000002.2047567066.0000000004A80000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                                      Source: Yara matchFile source: 00000005.00000003.2002178489.00000000013E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                                      Source: Yara matchFile source: 00000005.00000003.2011303057.0000000004000000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                                      Source: Yara matchFile source: 00000008.00000003.2011512500.0000000004A60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                                      Source: Yara matchFile source: dump.pcap, type: PCAP
                                      Source: Yara matchFile source: 2.2.build.exe.11d0000.2.unpack, type: UNPACKEDPE
                                      Source: Yara matchFile source: 2.2.build.exe.10afae4.1.unpack, type: UNPACKEDPE
                                      Source: Yara matchFile source: 2.2.build.exe.10afae4.1.raw.unpack, type: UNPACKEDPE
                                      Source: Yara matchFile source: 00000002.00000002.2169800536.00000000011D2000.00000020.00001000.00020000.00000000.sdmp, type: MEMORY
                                      Source: Yara matchFile source: 00000002.00000002.2172010947.00000000031CB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                      Source: Yara matchFile source: 00000002.00000002.2169700246.00000000010AE000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                                      Source: Yara matchFile source: Process Memory Space: build.exe PID: 6616, type: MEMORYSTR
                                      Source: Yara matchFile source: Eclipse.exe, type: SAMPLE
                                      Source: Yara matchFile source: 00000000.00000003.1957687746.0000000004508000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                      Source: Yara matchFile source: 00000004.00000003.1957976057.000000000357E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                      Source: Yara matchFile source: 00000000.00000002.1962250742.0000000000CDD000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                                      Source: Yara matchFile source: 00000000.00000002.1972454739.00000000050A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                      Source: Yara matchFile source: 00000004.00000002.1968839571.0000000000C57000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
                                      Source: Yara matchFile source: 00000004.00000000.1954302368.0000000000C57000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
                                      Source: Yara matchFile source: 00000000.00000000.1938310489.0000000000CDD000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                                      Source: Yara matchFile source: Process Memory Space: Eclipse.exe PID: 6356, type: MEMORYSTR
                                      Source: Yara matchFile source: Process Memory Space: Eclipse.exe PID: 6808, type: MEMORYSTR
                                      Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\Eclipse.exe, type: DROPPED
                                      Source: Yara matchFile source: 2.2.build.exe.11d0000.2.unpack, type: UNPACKEDPE
                                      Source: Yara matchFile source: 2.2.build.exe.10afae4.1.unpack, type: UNPACKEDPE
                                      Source: Yara matchFile source: 2.2.build.exe.10afae4.1.raw.unpack, type: UNPACKEDPE
                                      ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                                      Gather Victim Identity InformationAcquire InfrastructureValid Accounts241
                                      Windows Management Instrumentation
                                      1
                                      DLL Side-Loading
                                      1
                                      DLL Side-Loading
                                      1
                                      Disable or Modify Tools
                                      1
                                      OS Credential Dumping
                                      1
                                      System Time Discovery
                                      Remote Services11
                                      Archive Collected Data
                                      1
                                      Encrypted Channel
                                      Exfiltration Over Other Network MediumAbuse Accessibility Features
                                      CredentialsDomainsDefault Accounts11
                                      Native API
                                      1
                                      Scheduled Task/Job
                                      11
                                      Process Injection
                                      11
                                      Deobfuscate/Decode Files or Information
                                      21
                                      Input Capture
                                      2
                                      File and Directory Discovery
                                      Remote Desktop Protocol2
                                      Data from Local System
                                      1
                                      Non-Standard Port
                                      Exfiltration Over BluetoothNetwork Denial of Service
                                      Email AddressesDNS ServerDomain Accounts3
                                      Command and Scripting Interpreter
                                      12
                                      Registry Run Keys / Startup Folder
                                      1
                                      Scheduled Task/Job
                                      12
                                      Obfuscated Files or Information
                                      Security Account Manager154
                                      System Information Discovery
                                      SMB/Windows Admin Shares21
                                      Input Capture
                                      1
                                      Application Layer Protocol
                                      Automated ExfiltrationData Encrypted for Impact
                                      Employee NamesVirtual Private ServerLocal Accounts1
MITRE ATT&CK Matrix (flattened during extraction; reconstructed here row by row with cells separated by " | ". The per-cell signature counts that the rendered matrix shows as superscripts were fused into neighbouring technique names and could not be recovered reliably, so they are omitted. The first row survives only from the Execution column onward.)

Columns: Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact

(partial row, Execution onward) Scheduled Task/Job | Login Hook | Registry Run Keys / Startup Folder | Software Packing | NTDS | Security Software Discovery | Distributed Component Object Model | Clipboard Data | Protocol Impersonation | Traffic Duplication | Data Destruction

Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Timestomp | LSA Secrets | Process Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact

Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | DLL Side-Loading | Cached Domain Credentials | Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop

DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Masquerading | DCSync | Application Window Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery

Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Virtualization/Sandbox Evasion | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement

Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | Process Injection | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement

                                      Legend:

                                      • Process
                                      • Signature
                                      • Created File
                                      • DNS/IP Info
                                      • Is Dropped
                                      • Is Windows Process
                                      • Number of created Registry Values
                                      • Number of created Files
                                      • Visual Basic
                                      • Delphi
                                      • Java
                                      • .Net C# or VB.NET
                                      • C, C++ or other language
                                      • Is malicious
                                      • Internet
Behavior Graph ID: 1387875   Sample: Eclipse.exe   Startdate: 06/02/2024   Architecture: WINDOWS   Score: 100

(Graph rendered as a process tree; the trailing number after a process name is the graph's per-node annotation, see the legend above.)

Start
  Signatures: Snort IDS alert for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 18 other signatures
  Started: Eclipse.exe 3; qemu-ga.exe

Eclipse.exe 3
  Dropped: C:\Users\user\AppData\Local\Temp\build.exe (Unknown); C:\Users\user\AppData\Local\...clipse.exe (Unknown)
  Signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
  Started: build.exe 7; Eclipse.exe 2

build.exe 7
  DNS/IP: 45.15.156.127, 23000, 49732, RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU, Russian Federation
  Dropped: C:\Users\user\AppData\Roaming\...\qemu-ga.exe (PE32)
  Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Machine Learning detection for dropped file; Found many strings related to Crypto-Wallets (likely being stolen); 4 other signatures
  Started: qemu-ga.exe; conhost.exe

Eclipse.exe 2
  Dropped: C:\Users\user\AppData\Local\Temp\main.exe (PE32)
  Signatures: Antivirus detection for dropped file
  Started: main.exe 1

qemu-ga.exe (started by build.exe 7)
  Signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

main.exe 1
  Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file
  Started: dialer.exe

dialer.exe
  Signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Checks if the current machine is a virtual machine (disk enumeration)

                                      This section contains all screenshots as thumbnails, including those not shown in the slideshow.