Edit tour

Windows Analysis Report
driver.exe

Overview

General Information

Sample name:	driver.exe
Analysis ID:	1398936
MD5:	80b60930bd4a6f65f57f3a2f40ccc6f7
SHA1:	6e051562e7a4288bce0c1c8c86ac377d39be9bbd
SHA256:	c2a05b1464bf42096ffe1740fa927abfbb513ded47ead9b2133c28ce834363c3
Tags:	exe
Infos:

Detection

RedLine

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for dropped file

Snort IDS alert for network traffic

Yara detected RedLine Stealer

.NET source code contains very large array initializations

Drops PE files to the startup folder

Machine Learning detection for sample

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates a window with clipboard capturing capabilities

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Startup Folder File Write

Stores files to the Windows start menu directory

Tries to load missing DLLs

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

driver.exe (PID: 6428 cmdline: C:\Users\user\Desktop\driver.exe MD5: 80B60930BD4A6F65F57F3A2F40CCC6F7)

conhost.exe (PID: 2968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

qemu-ga.exe (PID: 7768 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe" MD5: A5CE3ABA68BDB438E98B1D0C70A3D95C)

OpenWith.exe (PID: 5664 cmdline: C:\Windows\system32\OpenWith.exe -Embedding MD5: E4A834784FA08C17D47A1E72429C5109)

qemu-ga.exe (PID: 7864 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe" MD5: A5CE3ABA68BDB438E98B1D0C70A3D95C)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_RedLine_1	Yara detected RedLine Stealer	Joe Security
dump.pcap	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: driver.exe PID: 6428	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: driver.exe PID: 6428	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security

Sigma Signatures

System Summary

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\Desktop\driver.exe, ProcessId: 6428, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe

Snort Signatures

ET TROJAN [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) - Source IP: 192.168.2.5 - Destination IP: 45.15.156.127

Timestamp:	02/26/24-17:40:39.270866
SID:	2046045
Source Port:	49736
Destination Port:	23000
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Redline Stealer/MetaStealer Family Activity (Response) - Source IP: 45.15.156.127 - Destination IP: 192.168.2.5

Timestamp:	02/26/24-17:40:40.476023
SID:	2046056
Source Port:	23000
Destination Port:	49736
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: driver.exe

Avira: detected

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe

ReversingLabs: Detection: 41%

Machine Learning detection for sample

Source: driver.exe

Joe Sandbox ML: detected

Source: driver.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: driver.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\driver.exe

Code function: 0_2_00CDB1B5 FindFirstFileExW,

0_2_00CDB1B5

Source: C:\Users\user\Desktop\driver.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\	Jump to behavior

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2046045 ET TROJAN [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) 192.168.2.5:49736 -> 45.15.156.127:23000
Source: Traffic	Snort IDS: 2046056 ET TROJAN Redline Stealer/MetaStealer Family Activity (Response) 45.15.156.127:23000 -> 192.168.2.5:49736

Source: global traffic

TCP traffic: 192.168.2.5:49736 -> 45.15.156.127:23000

Source: Joe Sandbox View

IP Address: 45.15.156.127 45.15.156.127

Source: Joe Sandbox View

ASN Name: RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU

Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.127
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.127
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.127
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.127
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.127
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.127
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.127
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.127
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.127
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.127
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.127
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.127
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.127
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.127
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.127
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.127
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.127
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.127
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.127
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.127
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.127
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.127
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.127
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.127
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.127
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.127
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.127
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.127
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.127
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.127
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.127
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.127
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.127
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.127
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.127
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.127
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.127
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.127
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.127
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.127
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.127
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.127

Source: driver.exe, 00000000.00000002.2412813228.0000000002671000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: $cq3IndexedDB\https_www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
Source: driver.exe, 00000000.00000002.2412813228.0000000002C19000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: $cqqC:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
Source: driver.exe, 00000000.00000002.2412813228.0000000002C19000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: $cqqC:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\j equals www.youtube.com (Youtube)
Source: driver.exe, 00000000.00000002.2412813228.000000000281F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: $cqrC:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
Source: driver.exe, 00000000.00000002.2412813228.000000000281F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: $cqrC:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\j equals www.youtube.com (Youtube)
Source: driver.exe, 00000000.00000002.2410417036.0000000000821000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
Source: driver.exe, 00000000.00000002.2410417036.0000000000821000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)

Source: driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
Source: driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
Source: driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
Source: driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
Source: driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
Source: driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
Source: driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
Source: driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
Source: driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
Source: driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
Source: driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
Source: driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
Source: driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
Source: driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
Source: driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
Source: driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
Source: driver.exe, 00000000.00000003.2407882204.00000000079A0000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000000.00000002.2427041116.00000000079A2000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000000.00000003.2407781130.00000000079A0000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000000.00000003.2408090789.00000000079A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://purl.oen
Source: driver.exe, 00000000.00000003.2334217727.0000000007991000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://purl.oenM
Source: driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
Source: driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
Source: driver.exe, 00000000.00000002.2412813228.0000000002671000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: driver.exe, 00000000.00000002.2412813228.0000000002671000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/policy
Source: driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/sc
Source: driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
Source: driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
Source: driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
Source: driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
Source: driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
Source: driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
Source: driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
Source: driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
Source: driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
Source: driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
Source: driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
Source: driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
Source: driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
Source: driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/06/addressingex
Source: driver.exe, 00000000.00000002.2412813228.0000000002671000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: driver.exe, 00000000.00000002.2412813228.0000000002671000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
Source: driver.exe, 00000000.00000002.2412813228.0000000002671000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat
Source: driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
Source: driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
Source: driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
Source: driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
Source: driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
Source: driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
Source: driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
Source: driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
Source: driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
Source: driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
Source: driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
Source: driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
Source: driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor
Source: driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
Source: driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
Source: driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
Source: driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
Source: driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
Source: driver.exe, 00000000.00000002.2412813228.0000000002671000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
Source: driver.exe, 00000000.00000002.2412813228.0000000002671000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
Source: driver.exe, 00000000.00000002.2412813228.0000000002671000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
Source: driver.exe, 00000000.00000002.2412813228.0000000002671000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
Source: driver.exe, 00000000.00000002.2412813228.0000000002671000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
Source: driver.exe, 00000000.00000002.2412813228.0000000002671000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
Source: driver.exe, 00000000.00000002.2412813228.0000000002671000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rmd
Source: driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
Source: driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
Source: driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
Source: driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
Source: driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
Source: driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
Source: driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
Source: driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
Source: driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
Source: driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
Source: driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
Source: driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
Source: driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
Source: driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
Source: driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
Source: driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
Source: driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
Source: driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
Source: driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
Source: driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
Source: driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
Source: driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
Source: driver.exe, 00000000.00000002.2412813228.0000000002671000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
Source: driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: driver.exe, 00000000.00000002.2412813228.0000000002671000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
Source: driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
Source: driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp, driver.exe, 00000000.00000002.2412813228.0000000002671000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/
Source: driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/D
Source: driver.exe, 00000000.00000002.2412813228.0000000002671000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/RestAPI/TreeObject1
Source: driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp, driver.exe, 00000000.00000002.2412813228.0000000002671000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/RestAPI/TreeObject1Response
Source: driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/RestAPI/TreeObject1ResponseD
Source: driver.exe, 00000000.00000002.2412813228.0000000002671000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/RestAPI/TreeObject2
Source: driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp, driver.exe, 00000000.00000002.2412813228.0000000002671000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/RestAPI/TreeObject2Response
Source: driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/RestAPI/TreeObject2ResponseD
Source: driver.exe, 00000000.00000002.2412813228.0000000002671000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/RestAPI/TreeObject3
Source: driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp, driver.exe, 00000000.00000002.2412813228.0000000002671000.00000004.00000800.00020000.00000000.sdmp, driver.exe, 00000000.00000002.2412813228.000000000291A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/RestAPI/TreeObject3Response
Source: driver.exe, 00000000.00000002.2412813228.000000000291A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tempuri.org/RestAPI/TreeObject3ResponseD
Source: driver.exe, 00000000.00000002.2412813228.000000000287B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.w3.o
Source: driver.exe, 00000000.00000002.2412813228.0000000002AFB000.00000004.00000800.00020000.00000000.sdmp, driver.exe, 00000000.00000002.2412813228.0000000002AF4000.00000004.00000800.00020000.00000000.sdmp, driver.exe, 00000000.00000002.2417557179.000000000369D000.00000004.00000800.00020000.00000000.sdmp, driver.exe, 00000000.00000002.2412813228.0000000002C13000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: driver.exe, 00000000.00000002.2412813228.0000000002671000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.sb/ip
Source: driver.exe, 00000000.00000002.2412813228.0000000002AFB000.00000004.00000800.00020000.00000000.sdmp, driver.exe, 00000000.00000002.2412813228.0000000002AF4000.00000004.00000800.00020000.00000000.sdmp, driver.exe, 00000000.00000002.2417557179.000000000369D000.00000004.00000800.00020000.00000000.sdmp, driver.exe, 00000000.00000002.2412813228.0000000002C13000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: driver.exe, 00000000.00000002.2412813228.0000000002AFB000.00000004.00000800.00020000.00000000.sdmp, driver.exe, 00000000.00000002.2412813228.0000000002AF4000.00000004.00000800.00020000.00000000.sdmp, driver.exe, 00000000.00000002.2417557179.000000000369D000.00000004.00000800.00020000.00000000.sdmp, driver.exe, 00000000.00000002.2412813228.0000000002C13000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: driver.exe, 00000000.00000002.2412813228.0000000002AFB000.00000004.00000800.00020000.00000000.sdmp, driver.exe, 00000000.00000002.2412813228.0000000002AF4000.00000004.00000800.00020000.00000000.sdmp, driver.exe, 00000000.00000002.2417557179.000000000369D000.00000004.00000800.00020000.00000000.sdmp, driver.exe, 00000000.00000002.2412813228.0000000002C13000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: driver.exe, 00000000.00000002.2412813228.0000000002671000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/v9/users/
Source: driver.exe, 00000000.00000002.2412813228.0000000002AFB000.00000004.00000800.00020000.00000000.sdmp, driver.exe, 00000000.00000002.2412813228.0000000002AF4000.00000004.00000800.00020000.00000000.sdmp, driver.exe, 00000000.00000002.2417557179.000000000369D000.00000004.00000800.00020000.00000000.sdmp, driver.exe, 00000000.00000002.2412813228.0000000002C13000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: driver.exe, 00000000.00000002.2412813228.0000000002AFB000.00000004.00000800.00020000.00000000.sdmp, driver.exe, 00000000.00000002.2417557179.000000000369D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: driver.exe, 00000000.00000002.2412813228.0000000002AF4000.00000004.00000800.00020000.00000000.sdmp, driver.exe, 00000000.00000002.2412813228.0000000002C13000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtabS
Source: driver.exe, 00000000.00000002.2412813228.0000000002AFB000.00000004.00000800.00020000.00000000.sdmp, driver.exe, 00000000.00000002.2412813228.0000000002AF4000.00000004.00000800.00020000.00000000.sdmp, driver.exe, 00000000.00000002.2417557179.000000000369D000.00000004.00000800.00020000.00000000.sdmp, driver.exe, 00000000.00000002.2412813228.0000000002C13000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: driver.exe, 00000000.00000002.2412813228.0000000002AFB000.00000004.00000800.00020000.00000000.sdmp, driver.exe, 00000000.00000002.2412813228.0000000002AF4000.00000004.00000800.00020000.00000000.sdmp, driver.exe, 00000000.00000002.2417557179.000000000369D000.00000004.00000800.00020000.00000000.sdmp, driver.exe, 00000000.00000002.2412813228.0000000002C13000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: driver.exe, 00000000.00000002.2412813228.0000000002AFB000.00000004.00000800.00020000.00000000.sdmp, driver.exe, 00000000.00000002.2412813228.0000000002AF4000.00000004.00000800.00020000.00000000.sdmp, driver.exe, 00000000.00000002.2417557179.000000000369D000.00000004.00000800.00020000.00000000.sdmp, driver.exe, 00000000.00000002.2412813228.0000000002C13000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: C:\Users\user\Desktop\driver.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

System Summary

.NET source code contains very large array initializations

Source: 0.2.driver.exe.131680.0.raw.unpack, Strings.cs

Large array initialization: Strings: array initializer size 6160

Source: C:\Users\user\Desktop\driver.exe	Code function: 0_2_00CE4000	0_2_00CE4000
Source: C:\Users\user\Desktop\driver.exe	Code function: 0_2_00CEB540	0_2_00CEB540
Source: C:\Users\user\Desktop\driver.exe	Code function: 0_2_00CE25A1	0_2_00CE25A1
Source: C:\Users\user\Desktop\driver.exe	Code function: 0_2_0253E988	0_2_0253E988
Source: C:\Users\user\Desktop\driver.exe	Code function: 0_2_06A10040	0_2_06A10040
Source: C:\Users\user\Desktop\driver.exe	Code function: 0_2_06A10FA8	0_2_06A10FA8

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe 9B860BE98A046EA97A7F67B006E0B1BC9AB7731DD2A0F3A9FD3D710F6C43278A

Source: C:\Users\user\Desktop\driver.exe

Code function: String function: 00CD6A40 appears 33 times

Source: driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs driver.exe
Source: driver.exe, 00000000.00000002.2410623396.0000000000BE6000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCaveats.exe" vs driver.exe
Source: driver.exe, 00000000.00000002.2408752089.00000000001B5000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCaveats.exe" vs driver.exe
Source: driver.exe, 00000000.00000002.2412813228.000000000291A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameqemu-ga.exe0 vs driver.exe
Source: driver.exe, 00000000.00000002.2409925365.000000000076E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs driver.exe
Source: driver.exe, 00000000.00000002.2420596958.0000000004E0C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameqemu-ga.exe0 vs driver.exe

Source: C:\Users\user\Desktop\driver.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: twinui.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: actxprxy.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.ui.appdefaults.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.ui.immersive.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: uiautomationcore.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dui70.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: duser.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: bcp47mrm.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: uianimation.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.ui.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windowmanagementapi.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: tiledatarepository.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: staterepository.core.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.staterepository.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.staterepositorycore.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: mrmcorer.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: thumbcache.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: directmanipulation.dll	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior

Source: driver.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.driver.exe.131680.0.raw.unpack, PBE.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.driver.exe.131680.0.raw.unpack, Strings.cs	Cryptographic APIs: 'CreateDecryptor'

Source: classification engine

Classification label: mal100.troj.adwa.spyw.evad.winEXE@6/2@0/1

Source: C:\Users\user\Desktop\driver.exe

File created: C:\Users\user\AppData\Local\Microsoft\Wind?ws

Jump to behavior

Source: C:\Windows\System32\OpenWith.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5664:120:WilError_03
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2968:120:WilError_03

Source: C:\Users\user\Desktop\driver.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\driver.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\Desktop\driver.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\Desktop\driver.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process

Source: C:\Users\user\Desktop\driver.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\driver.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: driver.exe, 00000000.00000003.2376801570.0000000002F69000.00000004.00000800.00020000.00000000.sdmp, driver.exe, 00000000.00000003.2376801570.0000000002ED9000.00000004.00000800.00020000.00000000.sdmp, driver.exe, 00000000.00000003.2376801570.0000000002EC3000.00000004.00000800.00020000.00000000.sdmp, driver.exe, 00000000.00000003.2376801570.0000000002F53000.00000004.00000800.00020000.00000000.sdmp, driver.exe, 00000000.00000003.2376801570.0000000002E49000.00000004.00000800.00020000.00000000.sdmp, driver.exe, 00000000.00000003.2376801570.0000000002E33000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: unknown	Process created: C:\Users\user\Desktop\driver.exe C:\Users\user\Desktop\driver.exe
Source: C:\Users\user\Desktop\driver.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding
Source: C:\Users\user\Desktop\driver.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"
Source: C:\Users\user\Desktop\driver.exe	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"	Jump to behavior

Source: C:\Users\user\Desktop\driver.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D68AF00A-29CB-43FA-8504-CE99A996D9EA}\InprocServer32

Jump to behavior

Source: driver.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: driver.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: qemu-ga.exe.0.dr

Static PE information: 0x845C0092 [Mon May 14 15:26:10 2040 UTC]

Source: C:\Users\user\Desktop\driver.exe

Code function: 0_2_00CE4000 VirtualAlloc,LoadLibraryA,GetProcAddress,GetProcAddress,lstrlenW,CreateThread,Sleep,WaitForSingleObject,

0_2_00CE4000

Source: driver.exe	Static PE information: real checksum: 0xb9eb4 should be: 0xc34e5
Source: qemu-ga.exe.0.dr	Static PE information: real checksum: 0x0 should be: 0x2e82

Source: driver.exe

Static PE information: section name: .xobzu

Source: C:\Users\user\Desktop\driver.exe	Code function: 0_2_00CEB540 push eax; ret	0_2_00CF0DB8
Source: C:\Users\user\Desktop\driver.exe	Code function: 0_2_00CE2CD4 push ecx; ret	0_2_00CE2CE7
Source: C:\Users\user\Desktop\driver.exe	Code function: 0_2_0253117F pushfd ; iretd	0_2_02531187
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe	Code function: 7_2_00007FF8483E00BD pushad ; iretd	7_2_00007FF8483E00C1
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe	Code function: 9_2_00007FF8483D00BD pushad ; iretd	9_2_00007FF8483D00C1

Source: 0.2.driver.exe.131680.0.raw.unpack, AesFastEngine.cs	High entropy of concatenated method names: 'LZuGUTwoDJ', 'EMHGJWXo0P', 'HgmGwk9HSp', 'w21GFJHoUr', 'hxhG2KYGSB', 'Init', 'GetBlockSize', 'ProcessBlock', 'Reset', 'uXLGLGZwCa'
Source: 0.2.driver.exe.131680.0.raw.unpack, SchemaReaderSql.cs	High entropy of concatenated method names: 'XxcEd9NdfR', 'sO1cKVMtonfcxVWpdhC', 'kkLNPvM1B5vb6ma8ne2', 'vlD8GEMIUSYFmvHn3bd', 'GatherValue', 'Qn95ksv5E', 'ReadContextTable', 'qgRxVUE6v', 'ReadContextValue', 'SY5PPDBsQ'
Source: 0.2.driver.exe.131680.0.raw.unpack, PBE.cs	High entropy of concatenated method names: 'X3Gnt3ww81', 'SWwnUpri28', 'n9enwYPhaU', 'E4Hn2mYbWi', 'WTYnKCOPDt', 'Compute', 'Vt2FJXr8FYphxmknLRf', 'ujTIm4rz7GVBnu65L4N', 'QoboIoTC5wXSwm6wiGf', 'Dbs8MtTG9Kix385XcOr'
Source: 0.2.driver.exe.131680.0.raw.unpack, Extembus.cs	High entropy of concatenated method names: 'RF', 'RFAT', 'FindFileHandle', 'ReadLockedFile', 'yxX86w6eY5emfqxZqdN', 'klVsrg66Ib3ocFpwyKB', 'gGVUJZ6ELkNYvd7rruP', 'JGLW4b6WK3vgF1kG4I1', 'JAe0Jo6vRjaOGgm2MeQ', 'I0qR6j6QHuRbSHiPf4u'
Source: 0.2.driver.exe.131680.0.raw.unpack, Schema19.cs	High entropy of concatenated method names: 'TreeObject1', 'TreeObject2', 'TreeObject3', 'eRDIHgWFPpp2SVVHhrU', 'qyvE55W2KrAEuRumQGe', 'nqFhgjWL34Po5xjRaw6', 'rlnBZhWKdbHYyfagwO0', 'tMZCSUWp560Mc9SkOCn', 'nWOw83WJ5EcQmTKBrIj', 'i46kjFWwcelVf1KJJEo'
Source: 0.2.driver.exe.131680.0.raw.unpack, Strings.cs	High entropy of concatenated method names: 'Init', 'Decrypt', 'Get', 'uRf3VDQtSPotvPXZV0M', 'mDRxosQNS7OT3mQLKO1', 'WsN85lQ1aBvhi8fwYia', 'MJlhUhQIncaNZwZZEql', 'uIGoZlQUPXPuJ1s11fn', 'MpWKDXQJ50V8iSVxPm3', 'VLyEA0QwBmukpgGLqho'
Source: 0.2.driver.exe.131680.0.raw.unpack, IPv4Helper.cs	High entropy of concatenated method names: 'pc3EmuSmJT', 'FifEbXdbyp', 'lIMkFWZO4ljHTJrgD2c', 'OvUJ29ZuWVqU8382eyO', 'MpWpuWZhRsMyQRlKhmL', 'PgUS8JLw6Z', 'GetDefaultIPv4Address', 'odeSzbnEyt', 'BBZE22vK8OjFvkXCb5N', 'EKvM4qvpFPOd8y29ods'
Source: 0.2.driver.exe.131680.0.raw.unpack, GetProcessHandles.cs	High entropy of concatenated method names: 'ReleaseHandle', 'E26SWBZH0Hc8t6HLnmJ', 'tuJGUsZf9NwHnWtP33N', 'ReleaseHandle', 'hxNUAeZEshk4MjIZrGi', 'jtCI3LZWjyF3uetlK8m', 'lC2mZ2Zepvl3sydB5yd', 'xIdE008A1g', 'RDkRhbZvoaQtPJrSkhy', 'C4Cr2hZQMA7Bor4bC16'
Source: 0.2.driver.exe.131680.0.raw.unpack, PM.cs	High entropy of concatenated method names: 'qWcfTa0imU', 'EPlfMlw2EN', 'MexfZHcBCK', 'acSfdloZJC', 'mOvfOS4YIu', 'Mf5fuGlqoZ', 'yZCfhqBlhi', 'k2x4aYTUmKm9TGd74PX', 'JPkGfiTtnJphySbOTZW', 'N1Va7pTN0NxEfs14USL'
Source: 0.2.driver.exe.131680.0.raw.unpack, BerkeleyDB.cs	High entropy of concatenated method names: 'oOwJF4pFM', 'iJZKfS63f24WUWFc5L8', 'lqSt4f69gsXpyLs1DoG', 'NSUWto6lkwfNHyPDhfV', 'xN56Wu6kaPbrHwogvWH', 'RYcNne64mJobYBi3bRq', 'fWUsPF6iTgqeXlSVXZE', 'MpBscq6j6CcyVn6FfHj'
Source: 0.2.driver.exe.131680.0.raw.unpack, Schema20.cs	High entropy of concatenated method names: 'chvfypRTJP', 'hQBf16rYSg', 'jwrfITugUC', 'z1PftuJFCc', 'xlQfNNtKYS', 'uOnfUd5OE1', 'BsifJfpsPM', 'MkQvM3TbB228VnK0NNk', 'TreeObject1', 'xCkOPYB9A'
Source: 0.2.driver.exe.131680.0.raw.unpack, OLVvf1SukJPGskp4qTJ.cs	High entropy of concatenated method names: 'zaNSiVQ6al', 'muPS3k4Kyn', 'gbqSlkZR3A', 'lNdS4EpNyZ', 'ylASsrhVIl', 'P8mS58MSUS', 'IbfSh0rTT4', 'lVHSD1DsTS', 'dubSBwifAv', 'E6JSAOuqmo'
Source: 0.2.driver.exe.131680.0.raw.unpack, qLNPDb7p2bQ4AtnuyT.cs	High entropy of concatenated method names: 'XPlmwGDeN', 'koxbw28Qe', 'iofYg8MI3', 'mAV8YtsJm', 'WKLz4Ioo7', 'VaFGCswaii', 'xb5GGZxWTf', 'aooGSK8fGI', 'BSnGncatRX', 'vEQGHvADGp'

Source: C:\Users\user\Desktop\driver.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe

Jump to dropped file

Boot Survival

Drops PE files to the startup folder

Source: C:\Users\user\Desktop\driver.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe

Jump to dropped file

Source: C:\Users\user\Desktop\driver.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe

Jump to behavior

Source: C:\Users\user\Desktop\driver.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe

Jump to behavior

Source: C:\Users\user\Desktop\driver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Users\user\Desktop\driver.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\driver.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: driver.exe, 00000000.00000002.2410370549.0000000000815000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXEC
Source: driver.exe, 00000000.00000002.2410370549.0000000000815000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXEEL
Source: driver.exe, 00000000.00000002.2425574180.00000000071C6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXED
Source: driver.exe, 00000000.00000002.2425574180.00000000071C6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXEA
Source: qemu-ga.exe, 00000007.00000002.3448639732.00000000011E4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: QEMU-GA.EXER(
Source: qemu-ga.exe, 00000007.00000002.3451324423.0000000003061000.00000004.00000800.00020000.00000000.sdmp, qemu-ga.exe, 00000009.00000002.3451000317.0000000003211000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: YC:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXE
Source: driver.exe, 00000000.00000002.2410370549.0000000000815000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: /C:/USERS/user/APPDATA/ROAMING/MICROSOFT/WINDOWS/START%20MENU/PROGRAMS/STARTUP/QEMU-GA.EXEE
Source: qemu-ga.exe, 00000007.00000002.3448639732.000000000116C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXEGONS
Source: qemu-ga.exe, 00000007.00000002.3448639732.00000000011E4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:/USERS/user/APPDATA/ROAMING/MICROSOFT/WINDOWS/START MENU/PROGRAMS/STARTUP/QEMU-GA.EXE.CONFIGG
Source: qemu-ga.exe, 00000007.00000002.3448639732.00000000011D3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: QEMU-GA.EXET
Source: qemu-ga.exe, 00000007.00000002.3448639732.000000000116C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXEH
Source: driver.exe, 00000000.00000002.2410417036.0000000000821000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXEE
Source: qemu-ga.exe, 00000007.00000002.3448639732.0000000001160000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXEF
Source: qemu-ga.exe, 00000009.00000002.3448924285.000000000151E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXE.CONFIGZ7
Source: driver.exe, 00000000.00000002.2412813228.0000000002671000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \QEMU-GA.EXE
Source: driver.exe, 00000000.00000002.2412813228.000000000291A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $CQYC:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXE@\CQ
Source: qemu-ga.exe, 00000007.00000002.3448639732.000000000116C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\USERS\user\APPDATA\LOCAL\MICROSOFT\CLR_V4.0\USAGELOGS\QEMU-GA.EXE.LOG
Source: qemu-ga.exe, 00000009.00000002.3448924285.00000000014B8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXERING=INTERNET EXPLORERFPS_BROWSER_USER_PROFILE_STRING=DEFAULTHOMEDRIVE=C:HOMEPATH=\USERS\userLOCALAPPDATA=C:\USERS\user\APPDATA\LOCALLOGONSERVER=\\user-PCNUMBER_OF_PROCESSORS=2ONEDRIVE=C:\USERS\user\ONEDRIVEOS=WINDOWS_NTPATH=C:\PROGRAM FILES (X86)\COMMON FILES\ORACLE\JAVA\JAVAPATH;C:\WINDOWS\SYSTEM32;C:\WINDOWS;C:\WINDOWSG7
Source: driver.exe, 00000000.00000002.2410370549.0000000000815000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXE:
Source: qemu-ga.exe, 00000009.00000002.3448924285.000000000151E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXE.CONFIGA7
Source: qemu-ga.exe, 00000009.00000002.3448924285.00000000014B0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXE"C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXE" C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXEWINSTA0\DEFAULTX7
Source: qemu-ga.exe, 00000007.00000002.3448639732.000000000116C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXEW
Source: driver.exe, 00000000.00000002.2420596958.0000000004E0C000.00000004.00000020.00020000.00000000.sdmp, qemu-ga.exe, 00000007.00000002.3448639732.0000000001160000.00000004.00000020.00020000.00000000.sdmp, qemu-ga.exe, 00000009.00000002.3448924285.00000000014B0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: "C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXE"
Source: driver.exe, 00000000.00000002.2424787416.0000000006963000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\USERS\user\DESKTOP\C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXE"C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXE"
Source: driver.exe, 00000000.00000002.2420596958.0000000004E0C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FILE:///C:/USERS/user/APPDATA/ROAMING/MICROSOFT/WINDOWS/START%20MENU/PROGRAMS/STARTUP/QEMU-GA.EXE
Source: driver.exe, 00000000.00000002.2425574180.00000000071C6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: QEMU-GA.EXEQEMU-GA.EXE
Source: driver.exe, 00000000.00000002.2420596958.0000000004E0C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXE:ZONE.IDENTIFIERYD
Source: driver.exe, 00000000.00000002.2425509068.00000000071A5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \REGISTRY\MACHINE\SOFTWARE\CLASSES\APPLICATIONS\QEMU-GA.EXE
Source: driver.exe, 00000000.00000002.2425574180.00000000071C6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXE!
Source: qemu-ga.exe, 00000009.00000002.3448924285.000000000151E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FILE:///C:/USERS/user/APPDATA/ROAMING/MICROSOFT/WINDOWS/START MENU/PROGRAMS/STARTUP/QEMU-GA.EXE.CONFIG
Source: qemu-ga.exe, 00000007.00000002.3448639732.00000000011E4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:/USERS/user/APPDATA/ROAMING/MICROSOFT/WINDOWS/START%20MENU/PROGRAMS/STARTUP/QEMU-GA.EXE.CONFIG
Source: driver.exe, 00000000.00000002.2410370549.0000000000815000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXE}
Source: driver.exe, 00000000.00000002.2410370549.0000000000815000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: /C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START%20MENU\PROGRAMS\STARTUP\QEMU-GA.EXEV
Source: driver.exe, 00000000.00000002.2410370549.0000000000815000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXE'
Source: qemu-ga.exe, 00000009.00000002.3448924285.00000000014E2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\USERS\user\APPDATA\LOCALC:\USERS\user\APPDATA\LOCAL\MICROSOFT\CLR_V4.0\USAGELOGS\QEMU-GA.EXE.LOG
Source: qemu-ga.exe, 00000007.00000002.3451324423.0000000003061000.00000004.00000800.00020000.00000000.sdmp, qemu-ga.exe, 00000009.00000002.3451000317.0000000003211000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: QEMU-GA.EXE2
Source: qemu-ga.exe, 00000007.00000002.3448639732.00000000011CE000.00000004.00000020.00020000.00000000.sdmp, qemu-ga.exe, 00000009.00000002.3448924285.000000000151E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: QEMU-GA.EXEN
Source: qemu-ga.exe, 00000007.00000002.3448639732.00000000011E4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXE.CONFIGM
Source: qemu-ga.exe, 00000009.00000002.3448924285.000000000151E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FILE:///C:/USERS/user/APPDATA/ROAMING/MICROSOFT/WINDOWS/START MENU/PROGRAMS/STARTUP/QEMU-GA.EXEIGY7
Source: qemu-ga.exe, 00000007.00000002.3448639732.000000000116C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXE/
Source: driver.exe, 00000000.00000002.2412813228.000000000291A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $CQYC:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXE
Source: qemu-ga.exe, 00000007.00000002.3448639732.00000000011E4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXE.CONFIGE
Source: driver.exe, 00000000.00000002.2425574180.00000000071C6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXE8
Source: qemu-ga.exe, 00000007.00000002.3448639732.00000000011E4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXE.CONFIGG
Source: qemu-ga.exe, 00000007.00000002.3448639732.0000000001160000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\TEMP\ASLLOG_SHIMDEBUGLOG_QEMU-GA.EXE_7768.TXT L
Source: driver.exe, 00000000.00000002.2420596958.0000000004E0C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: userAPPDATAROAMINGMICROSOFTWINDOWSSTART%20MENUPROGRAMSSTARTUPQEMU-GA.EXE
Source: driver.exe, 00000000.00000002.2425509068.00000000071A5000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000000.00000002.2409925365.00000000007EA000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000000.00000002.2420402313.0000000004D80000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000000.00000002.2412813228.000000000291A000.00000004.00000800.00020000.00000000.sdmp, driver.exe, 00000000.00000002.2409925365.00000000007A5000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000000.00000002.2426725873.0000000007283000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000000.00000002.2409925365.000000000076E000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000000.00000002.2420596958.0000000004E0C000.00000004.00000020.00020000.00000000.sdmp, qemu-ga.exe, 00000007.00000002.3448198204.00000000010FA000.00000004.00000010.00020000.00000000.sdmp, qemu-ga.exe, 00000007.00000000.2407186825.0000000000D82000.00000002.00000001.01000000.0000000E.sdmp, qemu-ga.exe, 00000007.00000002.3448639732.00000000011E4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: QEMU-GA.EXE
Source: driver.exe, 00000000.00000002.2410370549.0000000000815000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: /C:/USERS/user/APPDATA/ROAMING/MICROSOFT/WINDOWS/START%20MENU/PROGRAMS/STARTUP/QEMU-GA.EXE
Source: qemu-ga.exe, 00000009.00000002.3448924285.00000000014B8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: QEMU-GA.EXEN@%
Source: driver.exe, 00000000.00000002.2420596958.0000000004E0C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXE:ZONE.IDENTIFIERY
Source: qemu-ga.exe, 00000007.00000002.3448639732.0000000001160000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\TEMP\ASLLOG_APPHELPDEBUG_QEMU-GA.EXE_7768.TXT P
Source: qemu-ga.exe, 00000007.00000002.3448639732.0000000001160000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\TEMP\ASLLOG_SHIMENGSTATE_QEMU-GA.EXE_7768.TXT
Source: qemu-ga.exe, 00000009.00000002.3448924285.000000000151E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXE.CONFIGX7
Source: driver.exe, 00000000.00000002.2425509068.00000000071A5000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000000.00000002.2409925365.00000000007EA000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000000.00000002.2420402313.0000000004D80000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000000.00000002.2426725873.0000000007283000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000000.00000002.2409925365.000000000076E000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000000.00000002.2420596958.0000000004E0C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: QEMU-GA.EXEH
Source: qemu-ga.exe, 00000007.00000002.3448639732.000000000116C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXE0\MODULES;C:\PROGRAM FILES (X86)\AUTOIT3\AUTOITXPUBLIC=C:\USERS\PUBLICSESSIONNAME=CONSOLESYSTEMDRIVE=C:SYSTEMROOT=C:\WINDOWSTEMP=C:\USERS\user\APPDATA\LOCAL\TEMPTA
Source: driver.exe, 00000000.00000002.2412813228.000000000291A000.00000004.00000800.00020000.00000000.sdmp, driver.exe, 00000000.00000002.2420596958.0000000004E0C000.00000004.00000020.00020000.00000000.sdmp, qemu-ga.exe, 00000007.00000000.2407230924.0000000000D84000.00000002.00000001.01000000.0000000E.sdmp, qemu-ga.exe.0.dr	Binary or memory string: ORIGINALFILENAMEQEMU-GA.EXE0
Source: qemu-ga.exe, 00000009.00000002.3448924285.00000000014B8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXEY2
Source: driver.exe, 00000000.00000002.2420596958.0000000004E0C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: QEMU-GA.EXEQEMU-GA.EXEOWS 10 PRO\|C:\WINDOWS\|\DEVICE\HARDDISK0\PARTITION320240226161043.462189+060C:\WINDOWS\EXPLORER.EXEC:\WINDOWS\EXPLORER.EXEP3
Source: qemu-ga.exe, 00000007.00000002.3448639732.00000000011E4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:USERSuserAPPDATAROAMINGMICROSOFTWINDOWSSTART%20MENUPROGRAMSSTARTUPQEMU-GA.EXE.CONFIG!
Source: driver.exe, 00000000.00000002.2412813228.000000000291A000.00000004.00000800.00020000.00000000.sdmp, driver.exe, 00000000.00000002.2420596958.0000000004E0C000.00000004.00000020.00020000.00000000.sdmp, qemu-ga.exe, 00000007.00000000.2407230924.0000000000D84000.00000002.00000001.01000000.0000000E.sdmp, qemu-ga.exe.0.dr	Binary or memory string: INTERNALNAMEQEMU-GA.EXEH
Source: driver.exe, 00000000.00000002.2426725873.0000000007292000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FILE:///C:/USERS/user/APPDATA/ROAMING/MICROSOFT/WINDOWS/START%20MENU/PROGRAMS/STARTUP/QEMU-GA.EXE_
Source: qemu-ga.exe, 00000007.00000002.3448639732.000000000116C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXE.CONFIG
Source: driver.exe, 00000000.00000002.2425574180.00000000071C6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXEA7-C
Source: qemu-ga.exe, 00000007.00000002.3451324423.0000000003061000.00000004.00000800.00020000.00000000.sdmp, qemu-ga.exe, 00000009.00000002.3451000317.0000000003211000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: QEMU-GA.EXE.CONFIG
Source: qemu-ga.exe, 00000007.00000002.3451324423.0000000003061000.00000004.00000800.00020000.00000000.sdmp, qemu-ga.exe, 00000009.00000002.3451000317.0000000003211000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: `C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXE.CONFIG`_
Source: driver.exe, 00000000.00000002.2410370549.0000000000815000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: `POSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXE
Source: driver.exe, 00000000.00000002.2425509068.00000000071A5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \REGISTRY\MACHINE\SOFTWARE\CLASSES\APPLICATIONS\QEMU-GA.EXEOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXE
Source: qemu-ga.exe, 00000007.00000002.3448639732.00000000011E4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FILE:///C:/USERS/user/APPDATA/ROAMING/MICROSOFT/WINDOWS/START MENU/PROGRAMS/STARTUP/QEMU-GA.EXEE
Source: driver.exe, 00000000.00000002.2409029084.0000000000410000.00000004.00000020.00040000.00000000.sdmp	Binary or memory string: C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXE\??\C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXEEN-GBENEN-USMYAPPLICATION.APP
Source: driver.exe, 00000000.00000002.2410370549.0000000000815000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: /C:/USERS/user/APPDATA/ROAMING/MICROSOFT/WINDOWS/START%20MENU/PROGRAMS/STARTUP/QEMU-GA.EXE0
Source: driver.exe, 00000000.00000002.2410370549.0000000000815000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000000.00000002.2425574180.00000000071C6000.00000004.00000020.00020000.00000000.sdmp, qemu-ga.exe, 00000007.00000002.3448198204.00000000010FA000.00000004.00000010.00020000.00000000.sdmp, qemu-ga.exe, 00000007.00000002.3448639732.0000000001160000.00000004.00000020.00020000.00000000.sdmp, qemu-ga.exe, 00000007.00000002.3450183788.00000000013A0000.00000004.00000020.00020000.00000000.sdmp, qemu-ga.exe, 00000007.00000002.3448639732.000000000116C000.00000004.00000020.00020000.00000000.sdmp, qemu-ga.exe, 00000007.00000002.3448639732.00000000011D3000.00000004.00000020.00020000.00000000.sdmp, qemu-ga.exe, 00000009.00000002.3448201010.000000000131A000.00000004.00000010.00020000.00000000.sdmp, qemu-ga.exe, 00000009.00000002.3448924285.00000000014B0000.00000004.00000020.00020000.00000000.sdmp, qemu-ga.exe, 00000009.00000002.3450587378.00000000017A0000.00000004.00000020.00020000.00000000.sdmp, qemu-ga.exe, 00000009.00000002.3448924285.000000000151E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXE
Source: driver.exe, 00000000.00000002.2424787416.0000000006963000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXEWINSTA0\DEFAULT
Source: driver.exe, 00000000.00000002.2426725873.0000000007292000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000000.00000002.2420596958.0000000004E0C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FILE:///C:/USERS/user/APPDATA/ROAMING/MICROSOFT/WINDOWS/START%20MENU/PROGRAMS/STARTUP/QEMU-GA.EXE
Source: qemu-ga.exe, 00000009.00000002.3448924285.00000000014B8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXE}2
Source: driver.exe, 00000000.00000002.2410370549.0000000000815000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXE
Source: qemu-ga.exe, 00000009.00000002.3448924285.00000000014B8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXEX7
Source: qemu-ga.exe, 00000007.00000002.3448639732.0000000001160000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\USERS\user\DESKTOP\C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXE"C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXE" C:\USERS\user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXEWINSTA0\DEFAULTE
Source: qemu-ga.exe, 00000009.00000002.3448924285.000000000151E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: S/START MENU/PROGRAMS/STARTUP/QEMU-GA.EXE.CONFIGGUU9@P
Source: driver.exe, 00000000.00000002.2412813228.000000000291A000.00000004.00000800.00020000.00000000.sdmp, qemu-ga.exe, 00000007.00000000.2407186825.0000000000D82000.00000002.00000001.01000000.0000000E.sdmp, qemu-ga.exe.0.dr	Binary or memory string: <MODULE>QEMU-GAMSCORLIBTHREADCONSOLEREADLINEDEBUGGABLEATTRIBUTECOMVISIBLEATTRIBUTEASSEMBLYTITLEATTRIBUTEASSEMBLYTRADEMARKATTRIBUTETARGETFRAMEWORKATTRIBUTEASSEMBLYFILEVERSIONATTRIBUTEASSEMBLYCONFIGURATIONATTRIBUTEASSEMBLYDESCRIPTIONATTRIBUTECOMPILATIONRELAXATIONSATTRIBUTEASSEMBLYPRODUCTATTRIBUTEASSEMBLYCOPYRIGHTATTRIBUTEASSEMBLYCOMPANYATTRIBUTERUNTIMECOMPATIBILITYATTRIBUTEQEMU-GA.EXESYSTEM.THREADINGSYSTEM.RUNTIME.VERSIONINGPROGRAMSYSTEMMAINSYSTEM.REFLECTIONSLEEP.CTORSYSTEM.DIAGNOSTICSSYSTEM.RUNTIME.INTEROPSERVICESSYSTEM.RUNTIME.COMPILERSERVICESDEBUGGINGMODESARGSOBJECT
Source: qemu-ga.exe, 00000007.00000002.3448639732.00000000011E4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \user\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\QEMU-GA.EXE.CONFIG

Source: C:\Users\user\Desktop\driver.exe	Memory allocated: C90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Memory allocated: 2670000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Memory allocated: 2550000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe	Memory allocated: 16D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe	Memory allocated: 1B060000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe	Memory allocated: 1700000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe	Memory allocated: 1B210000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\driver.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\Desktop\driver.exe	Window / User API: threadDelayed 1657	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Window / User API: threadDelayed 4326	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe	Window / User API: threadDelayed 1929	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe	Window / User API: threadDelayed 8070	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe	Window / User API: threadDelayed 8915	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe	Window / User API: threadDelayed 1083	Jump to behavior

Source: C:\Users\user\Desktop\driver.exe

API coverage: 6.7 %

Source: C:\Users\user\Desktop\driver.exe TID: 7616	Thread sleep time: -12912720851596678s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe TID: 7192	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe TID: 7772	Thread sleep count: 1929 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe TID: 7772	Thread sleep time: -192900000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe TID: 7772	Thread sleep count: 8070 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe TID: 7772	Thread sleep time: -807000000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe TID: 7868	Thread sleep count: 8915 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe TID: 7868	Thread sleep time: -891500000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe TID: 7868	Thread sleep count: 1083 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe TID: 7868	Thread sleep time: -108300000s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\driver.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\driver.exe

Code function: 0_2_00CDB1B5 FindFirstFileExW,

0_2_00CDB1B5

Source: C:\Users\user\Desktop\driver.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe	Thread delayed: delay time: 100000	Jump to behavior

Source: C:\Users\user\Desktop\driver.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\	Jump to behavior

Source: driver.exe, 00000000.00000003.2378480001.00000000039D9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: driver.exe, 00000000.00000002.2420596958.0000000004E0C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe:Zone.IdentifieryD
Source: qemu-ga.exe, 00000007.00000002.3448639732.00000000011E4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:/Users/user/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/qemu-ga.exe.configg
Source: driver.exe, 00000000.00000003.2378480001.00000000039D9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: driver.exe, 00000000.00000002.2420596958.0000000004E0C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: qemu-ga.exeqemu-ga.exeows 10 Pro\|C:\Windows\|\Device\Harddisk0\Partition320240226161043.462189+060C:\Windows\Explorer.EXEC:\Windows\Explorer.EXEp3
Source: qemu-ga.exe, 00000007.00000002.3448639732.0000000001160000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Windows\Temp\AslLog_shimengstate_qemu-ga.exe_7768.txt
Source: driver.exe, 00000000.00000002.2410370549.0000000000815000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: /C:/Users/user/AppData/Roaming/Microsoft/Windows/Start%20Menu/Programs/Startup/qemu-ga.exe0
Source: driver.exe, 00000000.00000002.2412813228.000000000291A000.00000004.00000800.00020000.00000000.sdmp, driver.exe, 00000000.00000002.2420596958.0000000004E0C000.00000004.00000020.00020000.00000000.sdmp, qemu-ga.exe, 00000007.00000000.2407230924.0000000000D84000.00000002.00000001.01000000.0000000E.sdmp, qemu-ga.exe.0.dr	Binary or memory string: ProductNameqemu-ga4
Source: driver.exe, 00000000.00000003.2378480001.00000000039D9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: driver.exe, 00000000.00000003.2378480001.00000000039D9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: qemu-ga.exe, 00000007.00000002.3448639732.00000000011E4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe.config
Source: driver.exe, 00000000.00000003.2378480001.00000000039D9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: driver.exe, 00000000.00000002.2410370549.0000000000815000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe
Source: driver.exe, 00000000.00000003.2378480001.0000000003C42000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: driver.exe, 00000000.00000003.2378480001.0000000003C42000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: driver.exe, 00000000.00000003.2378480001.0000000003C42000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: driver.exe, 00000000.00000002.2426725873.0000000007292000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000000.00000002.2420596958.0000000004E0C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: file:///C:/Users/user/AppData/Roaming/Microsoft/Windows/Start%20Menu/Programs/Startup/qemu-ga.exe
Source: driver.exe, 00000000.00000003.2378480001.00000000039D9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: driver.exe, 00000000.00000002.2412813228.0000000002671000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \qemu-ga.exe
Source: driver.exe, 00000000.00000002.2420596958.0000000004E0C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe:Zone.Identifiery
Source: driver.exe, 00000000.00000002.2420596958.0000000004E0C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: file:///C:/Users/user/AppData/Roaming/Microsoft/Windows/Start%20Menu/Programs/Startup/qemu-ga.exe
Source: driver.exe, 00000000.00000002.2420596958.0000000004E0C000.00000004.00000020.00020000.00000000.sdmp, qemu-ga.exe, 00000007.00000002.3448639732.0000000001160000.00000004.00000020.00020000.00000000.sdmp, qemu-ga.exe, 00000009.00000002.3448924285.00000000014B0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"
Source: qemu-ga.exe, 00000007.00000002.3448639732.000000000116C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exeGONS
Source: qemu-ga.exe, 00000009.00000002.3448924285.00000000014B8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exeY2
Source: qemu-ga.exe, 00000007.00000002.3448639732.000000000116C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe.config
Source: driver.exe, 00000000.00000002.2412813228.000000000291A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $cqYC:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe
Source: driver.exe, 00000000.00000002.2420596958.0000000004E0C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}y
Source: driver.exe, 00000000.00000002.2424787416.0000000006963000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exeWinsta0\Default
Source: driver.exe, 00000000.00000003.2378480001.0000000003C42000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: qemu-ga.exe, 00000009.00000002.3448924285.000000000151E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: file:///C:/Users/user/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/qemu-ga.exeigy7
Source: qemu-ga.exe, 00000007.00000002.3448639732.00000000011D3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: qemuP<
Source: driver.exe, 00000000.00000002.2410370549.0000000000815000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe:
Source: qemu-ga.exe, 00000009.00000002.3448924285.00000000014B8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: qemu-ga.exen@%
Source: driver.exe, 00000000.00000002.2412813228.000000000291A000.00000004.00000800.00020000.00000000.sdmp, driver.exe, 00000000.00000002.2420596958.0000000004E0C000.00000004.00000020.00020000.00000000.sdmp, qemu-ga.exe, 00000007.00000000.2407230924.0000000000D84000.00000002.00000001.01000000.0000000E.sdmp, qemu-ga.exe.0.dr	Binary or memory string: InternalNameqemu-ga.exeH
Source: qemu-ga.exe, 00000009.00000002.3448924285.000000000151E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\C:\Windows\assembly\NativeImages_v4.0.30319_64\qemu-ga\*
Source: qemu-ga.exe, 00000009.00000002.3448924285.000000000151E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe.configz7
Source: qemu-ga.exe, 00000007.00000002.3451324423.0000000003061000.00000004.00000800.00020000.00000000.sdmp, qemu-ga.exe, 00000009.00000002.3451000317.0000000003211000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: qemu-ga.exe2
Source: driver.exe, 00000000.00000002.2424787416.0000000006963000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Users\user\Desktop\C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"
Source: driver.exe, 00000000.00000003.2378480001.0000000003C42000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: qemu-ga.exe, 00000009.00000002.3448924285.000000000151E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: s/Start Menu/Programs/Startup/qemu-ga.exe.configgUU9@P
Source: driver.exe, 00000000.00000003.2378480001.00000000039D9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: qemu-ga.exe, 00000007.00000002.3448639732.0000000001160000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: sers\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\qemu-h
Source: driver.exe, 00000000.00000003.2378480001.00000000039D9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: driver.exe, 00000000.00000003.2378480001.00000000039D9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: qemu-ga.exe, 00000007.00000002.3451324423.0000000003061000.00000004.00000800.00020000.00000000.sdmp, qemu-ga.exe, 00000009.00000002.3451000317.0000000003211000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: `C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe.config`_
Source: qemu-ga.exe, 00000007.00000002.3451324423.0000000003061000.00000004.00000800.00020000.00000000.sdmp, qemu-ga.exe, 00000009.00000002.3451000317.0000000003211000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: YC:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe
Source: driver.exe, 00000000.00000003.2378480001.0000000003C42000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: driver.exe, 00000000.00000002.2412813228.000000000291A000.00000004.00000800.00020000.00000000.sdmp, driver.exe, 00000000.00000002.2420596958.0000000004E0C000.00000004.00000020.00020000.00000000.sdmp, qemu-ga.exe, 00000007.00000000.2407230924.0000000000D84000.00000002.00000001.01000000.0000000E.sdmp, qemu-ga.exe.0.dr	Binary or memory string: FileDescriptionqemu-ga0
Source: driver.exe, 00000000.00000002.2410370549.0000000000815000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exeeL
Source: driver.exe, 00000000.00000003.2378480001.0000000003C42000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: driver.exe, 00000000.00000003.2378480001.0000000003C42000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: qemu-ga.exe, 00000009.00000002.3448924285.000000000151E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe.configa7
Source: qemu-ga.exe, 00000007.00000002.3448639732.0000000001160000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Windows\Temp\AslLog_ApphelpDebug_qemu-ga.exe_7768.txt P
Source: driver.exe, 00000000.00000003.2378480001.0000000003C42000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: driver.exe, 00000000.00000003.2378480001.0000000003C42000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: driver.exe, 00000000.00000003.2378480001.0000000003C42000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: driver.exe, 00000000.00000003.2378480001.0000000003C42000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: driver.exe, 00000000.00000003.2378480001.00000000039D9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: qemu-ga.exe, 00000009.00000002.3448924285.00000000014B8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exex7
Source: driver.exe, 00000000.00000002.2412813228.000000000291A000.00000004.00000800.00020000.00000000.sdmp, driver.exe, 00000000.00000002.2420596958.0000000004E0C000.00000004.00000020.00020000.00000000.sdmp, qemu-ga.exe, 00000007.00000000.2407230924.0000000000D84000.00000002.00000001.01000000.0000000E.sdmp, qemu-ga.exe.0.dr	Binary or memory string: OriginalFilenameqemu-ga.exe0
Source: driver.exe, 00000000.00000003.2378480001.0000000003C42000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: driver.exe, 00000000.00000003.2378480001.0000000003C42000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: driver.exe, 00000000.00000002.2426725873.0000000007292000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: file:///C:/Users/user/AppData/Roaming/Microsoft/Windows/Start%20Menu/Programs/Startup/qemu-ga.exe_
Source: driver.exe, 00000000.00000003.2378480001.0000000003C42000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: driver.exe, 00000000.00000003.2378480001.00000000039D9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: driver.exe, 00000000.00000003.2378480001.00000000039D9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: driver.exe, 00000000.00000003.2378480001.00000000039D9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: driver.exe, 00000000.00000003.2378480001.00000000039D9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: qemu-ga.exe, 00000007.00000002.3448639732.00000000011E4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:UsersuserAppDataRoamingMicrosoftWindowsStart%20MenuProgramsStartupqemu-ga.exe.config!
Source: driver.exe, 00000000.00000003.2378480001.00000000039D9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: driver.exe, 00000000.00000002.2420596958.0000000004E0C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:a
Source: qemu-ga.exe, 00000007.00000002.3448639732.0000000001160000.00000004.00000020.00020000.00000000.sdmp, qemu-ga.exe, 00000009.00000002.3448924285.00000000014B0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exC:P
Source: driver.exe, 00000000.00000003.2378480001.0000000003C42000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: driver.exe, 00000000.00000003.2378480001.00000000039D9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: qemu-ga.exe, 00000007.00000002.3448639732.00000000011E4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: qemu-ga.exeR(
Source: qemu-ga.exe, 00000007.00000002.3448639732.00000000011E4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:/Users/user/AppData/Roaming/Microsoft/Windows/Start%20Menu/Programs/Startup/qemu-ga.exe.config
Source: driver.exe, 00000000.00000003.2378480001.0000000003C42000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: driver.exe, 00000000.00000003.2378480001.0000000003C42000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: qemu-ga.exe, 00000009.00000002.3448924285.00000000014B8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe}2
Source: qemu-ga.exe, 00000007.00000002.3451324423.0000000003061000.00000004.00000800.00020000.00000000.sdmp, qemu-ga.exe, 00000009.00000002.3451000317.0000000003211000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: qemu-ga.exe.config
Source: driver.exe, 00000000.00000003.2378480001.0000000003C42000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: driver.exe, 00000000.00000002.2425509068.00000000071A5000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000000.00000002.2409925365.00000000007EA000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000000.00000002.2420402313.0000000004D80000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000000.00000002.2412813228.000000000291A000.00000004.00000800.00020000.00000000.sdmp, driver.exe, 00000000.00000002.2409925365.00000000007A5000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000000.00000002.2426725873.0000000007283000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000000.00000002.2409925365.000000000076E000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000000.00000002.2420596958.0000000004E0C000.00000004.00000020.00020000.00000000.sdmp, qemu-ga.exe, 00000007.00000002.3448198204.00000000010FA000.00000004.00000010.00020000.00000000.sdmp, qemu-ga.exe, 00000007.00000000.2407186825.0000000000D82000.00000002.00000001.01000000.0000000E.sdmp, qemu-ga.exe, 00000007.00000002.3448639732.00000000011E4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: qemu-ga.exe
Source: driver.exe, 00000000.00000002.2410370549.0000000000815000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: `posoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe
Source: driver.exe, 00000000.00000003.2378480001.0000000003C42000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: driver.exe, 00000000.00000002.2420596958.0000000004E0C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\ya
Source: driver.exe, 00000000.00000003.2378480001.0000000003C42000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: driver.exe, 00000000.00000002.2410370549.0000000000815000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000000.00000002.2425574180.00000000071C6000.00000004.00000020.00020000.00000000.sdmp, qemu-ga.exe, 00000007.00000002.3448198204.00000000010FA000.00000004.00000010.00020000.00000000.sdmp, qemu-ga.exe, 00000007.00000002.3448639732.0000000001160000.00000004.00000020.00020000.00000000.sdmp, qemu-ga.exe, 00000007.00000002.3450183788.00000000013A0000.00000004.00000020.00020000.00000000.sdmp, qemu-ga.exe, 00000007.00000002.3448639732.000000000116C000.00000004.00000020.00020000.00000000.sdmp, qemu-ga.exe, 00000007.00000002.3448639732.00000000011D3000.00000004.00000020.00020000.00000000.sdmp, qemu-ga.exe, 00000009.00000002.3448201010.000000000131A000.00000004.00000010.00020000.00000000.sdmp, qemu-ga.exe, 00000009.00000002.3448924285.00000000014B0000.00000004.00000020.00020000.00000000.sdmp, qemu-ga.exe, 00000009.00000002.3450587378.00000000017A0000.00000004.00000020.00020000.00000000.sdmp, qemu-ga.exe, 00000009.00000002.3448924285.000000000151E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe
Source: driver.exe, 00000000.00000003.2378480001.00000000039D9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: qemu-ga.exe, 00000009.00000002.3448924285.00000000014E2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Users\user\AppData\LocalC:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\qemu-ga.exe.log
Source: qemu-ga.exe, 00000007.00000002.3448639732.00000000011D3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: qemu-ga.exeT
Source: qemu-ga.exe, 00000009.00000002.3448924285.000000000151E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: file:///C:/Users/user/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/qemu-ga.exe.config
Source: driver.exe, 00000000.00000002.2412813228.000000000291A000.00000004.00000800.00020000.00000000.sdmp, qemu-ga.exe, 00000007.00000000.2407186825.0000000000D82000.00000002.00000001.01000000.0000000E.sdmp, qemu-ga.exe, 00000007.00000002.3448639732.00000000011D3000.00000004.00000020.00020000.00000000.sdmp, qemu-ga.exe, 00000007.00000002.3452196414.00007FF8482D4000.00000004.00000800.00020000.00000000.sdmp, qemu-ga.exe, 00000009.00000002.3448924285.00000000014E2000.00000004.00000020.00020000.00000000.sdmp, qemu-ga.exe, 00000009.00000002.3451978363.00007FF8482C4000.00000004.00000800.00020000.00000000.sdmp, qemu-ga.exe.0.dr	Binary or memory string: qemu-ga
Source: qemu-ga.exe, 00000007.00000002.3448639732.000000000116C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\qemu-ga.exe.log
Source: driver.exe, 00000000.00000002.2425574180.00000000071C6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exea7-C
Source: driver.exe, 00000000.00000002.2420596958.0000000004E0C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: userAppDataRoamingMicrosoftWindowsStart%20MenuProgramsStartupqemu-ga.exe
Source: driver.exe, 00000000.00000003.2378480001.0000000003C42000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: driver.exe, 00000000.00000002.2425509068.00000000071A5000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000000.00000002.2409925365.00000000007EA000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000000.00000002.2420402313.0000000004D80000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000000.00000002.2426725873.0000000007283000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000000.00000002.2409925365.000000000076E000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000000.00000002.2420596958.0000000004E0C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: qemu-ga.exeH
Source: driver.exe, 00000000.00000002.2412813228.000000000291A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $cqYC:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe@\cq
Source: driver.exe, 00000000.00000003.2378480001.0000000003C42000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: qemu-ga.exe, 00000007.00000002.3448639732.00000000011E4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: file:///C:/Users/user/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/qemu-ga.exee
Source: driver.exe, 00000000.00000002.2425509068.00000000071A5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \Registry\Machine\Software\Classes\Applications\qemu-ga.exe
Source: qemu-ga.exe, 00000007.00000002.3448639732.000000000116C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exeh
Source: driver.exe, 00000000.00000003.2378480001.0000000003C42000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: driver.exe, 00000000.00000002.2410417036.0000000000821000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exee
Source: qemu-ga.exe, 00000007.00000002.3448639732.0000000001160000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exef
Source: driver.exe, 00000000.00000003.2378480001.00000000039D9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: driver.exe, 00000000.00000003.2378480001.00000000039D9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: driver.exe, 00000000.00000002.2409029084.0000000000410000.00000004.00000020.00040000.00000000.sdmp	Binary or memory string: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe\??\C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exeen-GBenen-USMyApplication.app
Source: qemu-ga.exe, 00000007.00000002.3448639732.00000000011CE000.00000004.00000020.00020000.00000000.sdmp, qemu-ga.exe, 00000009.00000002.3448924285.000000000151E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: qemu-ga.exen
Source: qemu-ga.exe, 00000007.00000002.3448639732.000000000116C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTa
Source: driver.exe, 00000000.00000003.2378480001.00000000039D9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: driver.exe, 00000000.00000002.2425574180.00000000071C6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exea
Source: driver.exe, 00000000.00000003.2378480001.0000000003C42000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: qemu-ga.exe, 00000007.00000002.3448639732.000000000116C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exeW
Source: driver.exe, 00000000.00000003.2378480001.0000000003C42000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: qemu-ga.exe, 00000009.00000002.3448924285.000000000151E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: qemu-ga0
Source: driver.exe, 00000000.00000003.2378480001.00000000039D9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: driver.exe, 00000000.00000002.2410370549.0000000000815000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: /C:/Users/user/AppData/Roaming/Microsoft/Windows/Start%20Menu/Programs/Startup/qemu-ga.exee
Source: qemu-ga.exe, 00000009.00000002.3448924285.00000000014B8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: rtup\qemu-g
Source: driver.exe, 00000000.00000002.2410370549.0000000000815000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: /C:/Users/user/AppData/Roaming/Microsoft/Windows/Start%20Menu/Programs/Startup/qemu-ga.exe
Source: driver.exe, 00000000.00000003.2378480001.0000000003C42000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: driver.exe, 00000000.00000003.2378480001.00000000039D9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: driver.exe, 00000000.00000002.2410370549.0000000000815000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: /C:\Users\user\AppData\Roaming\Microsoft\Windows\Start%20Menu\Programs\Startup\qemu-ga.exeV
Source: qemu-ga.exe, 00000009.00000002.3448924285.000000000151E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe.configX7
Source: driver.exe, 00000000.00000003.2378480001.00000000039D9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: qemu-ga.exe, 00000007.00000002.3448639732.00000000011E4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe.configE
Source: driver.exe, 00000000.00000003.2378480001.00000000039D9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: driver.exe, 00000000.00000003.2378480001.0000000003C42000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: driver.exe, 00000000.00000002.2425509068.00000000071A5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \Registry\Machine\Software\Classes\Applications\qemu-ga.exeows\Start Menu\Programs\Startup\qemu-ga.exe
Source: driver.exe, 00000000.00000003.2378480001.0000000003C42000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: qemu-ga.exe, 00000009.00000002.3448924285.00000000014B0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe" C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exeWinsta0\Defaultx7
Source: driver.exe, 00000000.00000002.2425574180.00000000071C6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: qemu-ga.exeqemu-ga.exe
Source: driver.exe, 00000000.00000003.2378480001.0000000003C42000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: driver.exe, 00000000.00000002.2410370549.0000000000815000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exeC
Source: driver.exe, 00000000.00000003.2378480001.0000000003C42000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: driver.exe, 00000000.00000002.2425574180.00000000071C6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exeD
Source: driver.exe, 00000000.00000002.2420402313.0000000004D9B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: driver.exe, 00000000.00000003.2378480001.00000000039D9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: driver.exe, 00000000.00000003.2378480001.00000000039D9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: driver.exe, 00000000.00000002.2425574180.00000000071C6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe8
Source: qemu-ga.exe, 00000007.00000002.3448639732.000000000116C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe/
Source: driver.exe, 00000000.00000003.2378480001.00000000039D9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: qemu-ga.exe, 00000007.00000002.3448639732.0000000001160000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Windows\Temp\AslLog_ShimDebugLog_qemu-ga.exe_7768.txt l
Source: driver.exe, 00000000.00000002.2412813228.000000000291A000.00000004.00000800.00020000.00000000.sdmp, qemu-ga.exe, 00000007.00000000.2407186825.0000000000D82000.00000002.00000001.01000000.0000000E.sdmp, qemu-ga.exe.0.dr	Binary or memory string: <Module>qemu-gamscorlibThreadConsoleReadLineDebuggableAttributeComVisibleAttributeAssemblyTitleAttributeAssemblyTrademarkAttributeTargetFrameworkAttributeAssemblyFileVersionAttributeAssemblyConfigurationAttributeAssemblyDescriptionAttributeCompilationRelaxationsAttributeAssemblyProductAttributeAssemblyCopyrightAttributeAssemblyCompanyAttributeRuntimeCompatibilityAttributeqemu-ga.exeSystem.ThreadingSystem.Runtime.VersioningProgramSystemMainSystem.ReflectionSleep.ctorSystem.DiagnosticsSystem.Runtime.InteropServicesSystem.Runtime.CompilerServicesDebuggingModesargsObject
Source: driver.exe, 00000000.00000002.2410370549.0000000000815000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe'
Source: driver.exe, 00000000.00000003.2378480001.00000000039D9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: driver.exe, 00000000.00000003.2378480001.00000000039D9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: qemu-ga.exe, 00000007.00000002.3448639732.0000000001160000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Users\user\Desktop\C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe" C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exeWinsta0\Defaulte
Source: qemu-ga.exe, 00000007.00000002.3448639732.00000000011E4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe.configg
Source: qemu-ga.exe, 00000009.00000002.3448924285.00000000014B8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exeRING=Internet ExplorerFPS_BROWSER_USER_PROFILE_STRING=DefaultHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPDATA=C:\Users\user\AppData\LocalLOGONSERVER=\\user-PCNUMBER_OF_PROCESSORS=2OneDrive=C:\Users\user\OneDriveOS=Windows_NTPath=C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\WindowsG7
Source: driver.exe, 00000000.00000003.2378480001.00000000039D9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: qemu-ga.exe, 00000007.00000002.3448639732.00000000011E4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe.configm
Source: driver.exe, 00000000.00000003.2378480001.00000000039D9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: driver.exe, 00000000.00000002.2425574180.00000000071C6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe!
Source: driver.exe, 00000000.00000002.2410370549.0000000000815000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe}

Source: C:\Users\user\Desktop\driver.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\driver.exe

Code function: 0_2_00CD6818 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00CD6818

Source: C:\Users\user\Desktop\driver.exe

Code function: 0_2_00CE4000 VirtualAlloc,LoadLibraryA,GetProcAddress,GetProcAddress,lstrlenW,CreateThread,Sleep,WaitForSingleObject,

0_2_00CE4000

Source: C:\Users\user\Desktop\driver.exe

Code function: 0_2_00CE4000 mov eax, dword ptr fs:[00000030h]

0_2_00CE4000

Source: C:\Users\user\Desktop\driver.exe

Code function: 0_2_00CDD9BC GetProcessHeap,

0_2_00CDD9BC

Source: C:\Users\user\Desktop\driver.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\driver.exe	Code function: 0_2_00CD6818 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00CD6818
Source: C:\Users\user\Desktop\driver.exe	Code function: 0_2_00CD6974 SetUnhandledExceptionFilter,	0_2_00CD6974
Source: C:\Users\user\Desktop\driver.exe	Code function: 0_2_00CD638C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00CD638C
Source: C:\Users\user\Desktop\driver.exe	Code function: 0_2_00CDAB04 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00CDAB04

Source: C:\Users\user\Desktop\driver.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\driver.exe

Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"

Jump to behavior

Source: C:\Users\user\Desktop\driver.exe

Code function: 0_2_00CD6A85 cpuid

0_2_00CD6A85

Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\driver.exe

Code function: 0_2_00CD66FF GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00CD66FF

Source: C:\Users\user\Desktop\driver.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: driver.exe, 00000000.00000003.2337337059.0000000004E32000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\driver.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\driver.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\Desktop\driver.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Users\user\Desktop\driver.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\Desktop\driver.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\Desktop\driver.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: driver.exe PID: 6428, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\driver.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\driver.exe	File opened: C:\Users\user\AppData\Roaming\atomic\	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	File opened: C:\Users\user\AppData\Roaming\Binance\	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\	Jump to behavior
Source: C:\Users\user\Desktop\driver.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\	Jump to behavior

Source: Yara match	File source: 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: driver.exe PID: 6428, type: MEMORYSTR

Remote Access Functionality

Yara detected RedLine Stealer

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: driver.exe PID: 6428, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	221 Windows Management Instrumentation	12 Registry Run Keys / Startup Folder	11 Process Injection	1 Masquerading	1 OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	1 DLL Side-Loading	12 Registry Run Keys / Startup Folder	1 Disable or Modify Tools	LSASS Memory	451 Security Software Discovery	Remote Desktop Protocol	2 Data from Local System	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	241 Virtualization/Sandbox Evasion	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	1 Clipboard Data	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	241 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Deobfuscate/Decode Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Obfuscated Files or Information	Cached Domain Credentials	3 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Timestomp	DCSync	124 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
driver.exe	100%	Avira	HEUR/AGEN.1317595
driver.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe	42%	ReversingLabs	ByteCode-MSIL.Spyware.RedLine

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://purl.oen	0%	URL Reputation	safe
https://api.ip.sb/ip	0%	URL Reputation	safe
http://www.w3.o	0%	URL Reputation	safe
http://tempuri.org/RestAPI/TreeObject2Response	0%	Avira URL Cloud	safe
http://tempuri.org/RestAPI/TreeObject1	0%	Avira URL Cloud	safe
http://tempuri.org/RestAPI/TreeObject3	0%	Avira URL Cloud	safe
http://purl.oenM	0%	Avira URL Cloud	safe
http://tempuri.org/	0%	Avira URL Cloud	safe
http://tempuri.org/RestAPI/TreeObject2	0%	Avira URL Cloud	safe
http://tempuri.org/RestAPI/TreeObject3Response	0%	Avira URL Cloud	safe
https://discord.com/api/v9/users/	0%	Avira URL Cloud	safe
http://tempuri.org/RestAPI/TreeObject3ResponseD	0%	Avira URL Cloud	safe
http://tempuri.org/RestAPI/TreeObject2ResponseD	0%	Avira URL Cloud	safe
http://tempuri.org/D	0%	Avira URL Cloud	safe
http://tempuri.org/RestAPI/TreeObject1Response	0%	Avira URL Cloud	safe
http://tempuri.org/RestAPI/TreeObject1ResponseD	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
fp2e7a.wpc.phicdn.net	192.229.211.108	true	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text	driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/sc/sct	driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/chrome_newtab	driver.exe, 00000000.00000002.2412813228.0000000002AFB000.00000004.00000800.00020000.00000000.sdmp, driver.exe, 00000000.00000002.2417557179.000000000369D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/RestAPI/TreeObject2Response	driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp, driver.exe, 00000000.00000002.2412813228.0000000002671000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk	driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	driver.exe, 00000000.00000002.2412813228.0000000002AFB000.00000004.00000800.00020000.00000000.sdmp, driver.exe, 00000000.00000002.2412813228.0000000002AF4000.00000004.00000800.00020000.00000000.sdmp, driver.exe, 00000000.00000002.2417557179.000000000369D000.00000004.00000800.00020000.00000000.sdmp, driver.exe, 00000000.00000002.2412813228.0000000002C13000.00000004.00000800.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary	driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://purl.oenM	driver.exe, 00000000.00000003.2334217727.0000000007991000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/	driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp, driver.exe, 00000000.00000002.2412813228.0000000002671000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1	driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap	driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID	driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare	driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://purl.oen	driver.exe, 00000000.00000003.2407882204.00000000079A0000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000000.00000002.2427041116.00000000079A2000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000000.00000003.2407781130.00000000079A0000.00000004.00000020.00020000.00000000.sdmp, driver.exe, 00000000.00000003.2408090789.00000000079A1000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret	driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license	driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue	driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted	driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence	driver.exe, 00000000.00000002.2412813228.0000000002671000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/RestAPI/TreeObject2	driver.exe, 00000000.00000002.2412813228.0000000002671000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/RestAPI/TreeObject1	driver.exe, 00000000.00000002.2412813228.0000000002671000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://discord.com/api/v9/users/	driver.exe, 00000000.00000002.2412813228.0000000002671000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/fault	driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/RestAPI/TreeObject3	driver.exe, 00000000.00000002.2412813228.0000000002671000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat	driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey	driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew	driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register	driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey	driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.ip.sb/ip	driver.exe, 00000000.00000002.2412813228.0000000002671000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://tempuri.org/RestAPI/TreeObject3Response	driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp, driver.exe, 00000000.00000002.2412813228.0000000002671000.00000004.00000800.00020000.00000000.sdmp, driver.exe, 00000000.00000002.2412813228.000000000291A000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/04/sc	driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC	driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel	driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	driver.exe, 00000000.00000002.2412813228.0000000002AFB000.00000004.00000800.00020000.00000000.sdmp, driver.exe, 00000000.00000002.2412813228.0000000002AF4000.00000004.00000800.00020000.00000000.sdmp, driver.exe, 00000000.00000002.2417557179.000000000369D000.00000004.00000800.00020000.00000000.sdmp, driver.exe, 00000000.00000002.2412813228.0000000002C13000.00000004.00000800.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1	driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1	driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue	driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	driver.exe, 00000000.00000002.2412813228.0000000002AFB000.00000004.00000800.00020000.00000000.sdmp, driver.exe, 00000000.00000002.2412813228.0000000002AF4000.00000004.00000800.00020000.00000000.sdmp, driver.exe, 00000000.00000002.2417557179.000000000369D000.00000004.00000800.00020000.00000000.sdmp, driver.exe, 00000000.00000002.2412813228.0000000002C13000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested	driver.exe, 00000000.00000002.2412813228.0000000002671000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly	driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay	driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego	driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary	driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC	driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey	driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/08/addressing	driver.exe, 00000000.00000002.2412813228.0000000002671000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue	driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion	driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/04/trust	driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse	driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel	driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce	driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns	driver.exe, 00000000.00000002.2412813228.0000000002671000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/RestAPI/TreeObject3ResponseD	driver.exe, 00000000.00000002.2412813228.000000000291A000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://tempuri.org/RestAPI/TreeObject2ResponseD	driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/Renew	driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey	driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0	driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID	driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT	driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2006/02/addressingidentity	driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/soap/envelope/	driver.exe, 00000000.00000002.2412813228.0000000002671000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey	driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1	driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	driver.exe, 00000000.00000002.2412813228.0000000002AFB000.00000004.00000800.00020000.00000000.sdmp, driver.exe, 00000000.00000002.2412813228.0000000002AF4000.00000004.00000800.00020000.00000000.sdmp, driver.exe, 00000000.00000002.2417557179.000000000369D000.00000004.00000800.00020000.00000000.sdmp, driver.exe, 00000000.00000002.2412813228.0000000002C13000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust	driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/chrome_newtabS	driver.exe, 00000000.00000002.2412813228.0000000002AF4000.00000004.00000800.00020000.00000000.sdmp, driver.exe, 00000000.00000002.2412813228.0000000002C13000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback	driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT	driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/D	driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2004/06/addressingex	driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/10/wscoor	driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce	driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse	driver.exe, 00000000.00000002.2412813228.0000000002671000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/08/addressing/fault	driver.exe, 00000000.00000002.2412813228.0000000002671000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew	driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/RestAPI/TreeObject1ResponseD	driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510	driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey	driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	driver.exe, 00000000.00000002.2412813228.0000000002AFB000.00000004.00000800.00020000.00000000.sdmp, driver.exe, 00000000.00000002.2412813228.0000000002AF4000.00000004.00000800.00020000.00000000.sdmp, driver.exe, 00000000.00000002.2417557179.000000000369D000.00000004.00000800.00020000.00000000.sdmp, driver.exe, 00000000.00000002.2412813228.0000000002C13000.00000004.00000800.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ	driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.w3.o	driver.exe, 00000000.00000002.2412813228.000000000287B000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd	driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif	driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed	driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1	driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault	driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1	driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty	driver.exe, 00000000.00000002.2412813228.0000000002671000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct	driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse	driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel	driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement	driver.exe, 00000000.00000002.2412813228.0000000002671000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT	driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	driver.exe, 00000000.00000002.2412813228.0000000002AFB000.00000004.00000800.00020000.00000000.sdmp, driver.exe, 00000000.00000002.2412813228.0000000002AF4000.00000004.00000800.00020000.00000000.sdmp, driver.exe, 00000000.00000002.2417557179.000000000369D000.00000004.00000800.00020000.00000000.sdmp, driver.exe, 00000000.00000002.2412813228.0000000002C13000.00000004.00000800.00020000.00000000.sdmp	false		high
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1	driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous	driver.exe, 00000000.00000002.2412813228.0000000002671000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tempuri.org/RestAPI/TreeObject1Response	driver.exe, 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp, driver.exe, 00000000.00000002.2412813228.0000000002671000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
45.15.156.127	unknown	Russian Federation		39493	RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1398936
Start date and time:	2024-02-26 17:39:14 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 57s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	driver.exe
Detection:	MAL
Classification:	mal100.troj.adwa.spyw.evad.winEXE@6/2@0/1
EGA Information:	Successful, ratio: 33.3%
HCA Information:	Successful, ratio: 100% Number of executed functions: 159 Number of non-executed functions: 23
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.190.151.69, 20.190.151.6, 20.190.151.9, 20.190.151.131, 20.190.151.70, 20.190.151.132, 20.190.151.7, 20.190.151.67
Excluded domains from analysis (whitelisted): client.wns.windows.com, prdv4a.aadg.msidentity.com, fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, ocsp.edge.digicert.com, www.tm.v4.a.prd.aadg.trafficmanager.net, ctldl.windowsupdate.com, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, www.tm.lg.prod.aadmsa.trafficmanager.net
Execution Graph export aborted for target qemu-ga.exe, PID 7768 because it is empty
Execution Graph export aborted for target qemu-ga.exe, PID 7864 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: driver.exe

Simulations

Behavior and APIs

Time	Type	Description
17:40:28	API Interceptor	1x Sleep call for process: OpenWith.exe modified
17:40:44	API Interceptor	34x Sleep call for process: driver.exe modified
17:40:49	API Interceptor	1630241x Sleep call for process: qemu-ga.exe modified
17:40:50	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
45.15.156.127	Eclipse.exe	Get hash	malicious	AsyncRAT, PureLog Stealer, RHADAMANTHYS, RedLine, XWorm, zgRAT	Browse
	7bXVSwc9dp.exe	Get hash	malicious	PureLog Stealer, RedLine, zgRAT	Browse
	SecuriteInfo.com.Trojan.Agent.446.6903.exe	Get hash	malicious	RedLine	Browse
	axfdj9gfw.exe	Get hash	malicious	RedLine	Browse
	last.exe	Get hash	malicious	RedLine, Xmrig	Browse
	edgag365.exe	Get hash	malicious	RedLine	Browse
	Shxdow.exe	Get hash	malicious	RedLine	Browse
	GLP3Q0PFY4.exe	Get hash	malicious	RedLine	Browse
	07CKY9gp1H.exe	Get hash	malicious	RedLine	Browse
	8as7BA35XQ.exe	Get hash	malicious	Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader, Socks5Systemz	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fp2e7a.wpc.phicdn.net	https://airtable.com/appAK4wK4Am1QKNCt/shrOYz2pP4nnx6T2x	Get hash	malicious	HTMLPhisher	Browse	192.229.211.108
	https://acrobat.adobe.com/id/urn:aaid:sc:eu:cdb63725-2cb7-4cbc-988d-c28b730d2437	Get hash	malicious	Unknown	Browse	192.229.211.108
	CEVA Logistics_Invoice_012024_511304_4880357445.js	Get hash	malicious	Unknown	Browse	192.229.211.108
	https://wilsoyeast.uk/dq.PDF	Get hash	malicious	HTMLPhisher	Browse	192.229.211.108
	https://acrobat.adobe.com/id/urn:aaid:sc:VA6C2:f1c05e94-5d89-4e6a-985f-81ce98d8c477	Get hash	malicious	Unknown	Browse	192.229.211.108
	https://ir.shareaholic.com/e?a=1&u=https://okt.college/hum3Tm3TQ3Er-4GQ3E8Kvkl-Ql4RA-4GQ3Erm3Ty--4Gank-d58Kvo-y5%3Futm_campaign%3Dshareaholic%26utm_medium%3Dtwitter%26utm_source%3Dsocialnetwork&r=1	Get hash	malicious	HTMLPhisher	Browse	192.229.211.108
	https://emlmkt.com/url/ver/551960127/2552870/f270b5482f31f088fa3129e0b7ea965f	Get hash	malicious	Unknown	Browse	192.229.211.108
	https://panel.statisticsong.com/scripts/l.js	Get hash	malicious	Unknown	Browse	192.229.211.108
	http://0nlinemmbiyeywhsskd0gotuhqhssbcvposgsai0dsolflktue2.tryuimbghiop.online/	Get hash	malicious	Unknown	Browse	192.229.211.108
	https://0nlinemmbiyeywhsskd0gotuhqhssbcvposgsai0dsolflktue2.tryuimbghiop.online	Get hash	malicious	Unknown	Browse	192.229.211.108

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU	SKHOtnHl7J.exe	Get hash	malicious	LummaC, Glupteba, LummaC Stealer, SmokeLoader, Socks5Systemz, Stealc	Browse	5.42.64.33
	TiFfbUw37Q.exe	Get hash	malicious	LummaC, Glupteba, LummaC Stealer, SmokeLoader, Socks5Systemz, Stealc	Browse	5.42.64.33
	SecuriteInfo.com.Win32.Evo-gen.4170.5614.exe	Get hash	malicious	RedLine	Browse	5.42.65.31
	SecuriteInfo.com.Win32.Evo-gen.10735.2229.exe	Get hash	malicious	RedLine	Browse	5.42.65.31
	file.exe	Get hash	malicious	PureLog Stealer, RedLine	Browse	5.42.65.31
	cJVeMuYr6y.exe	Get hash	malicious	lgoogLoader	Browse	5.42.81.57
	cJVeMuYr6y.exe	Get hash	malicious	Unknown	Browse	5.42.81.57
	1AIemYSAZy.exe	Get hash	malicious	Glupteba, LummaC Stealer, SmokeLoader, Stealc	Browse	5.42.64.33
	ENEDGCErLu.exe	Get hash	malicious	LummaC, Glupteba, LummaC Stealer, SmokeLoader, Stealc, SystemBC	Browse	5.42.64.33
	OShRqF6jNV.exe	Get hash	malicious	Glupteba, LummaC Stealer, SmokeLoader, Stealc, SystemBC, Xmrig	Browse	5.42.64.33

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe	SecuriteInfo.com.Win32.Evo-gen.4170.5614.exe	Get hash	malicious	RedLine	Browse
	SecuriteInfo.com.Win32.Evo-gen.10735.2229.exe	Get hash	malicious	RedLine	Browse
	file.exe	Get hash	malicious	PureLog Stealer, RedLine	Browse
	YAM84MI3ou.exe	Get hash	malicious	RedLine	Browse
	0fE3AfIqxF.exe	Get hash	malicious	RedLine	Browse
	SecuriteInfo.com.Win32.Evo-gen.10846.18749.exe	Get hash	malicious	RedLine	Browse
	WuZJHJZvzy.exe	Get hash	malicious	RedLine	Browse
	EkYcr5WbJD.exe	Get hash	malicious	RedLine	Browse
	hkXE3abs6j.exe	Get hash	malicious	GCleaner, RedLine	Browse
	AnpqcEjSU2.exe	Get hash	malicious	RedLine	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log

Download File

Process:	C:\Users\user\Desktop\driver.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	2545
Entropy (8bit):	5.330114603578639
Encrypted:	false
SSDEEP:	48:MxHKlYHKh3oOfHKdHKJHKhBHK5AHKzetTHmtHo6nmHKtXoDHsLHG1qHjHKdHDJHH:iqlYqh3oSqdqJqLq2qzIGtI6mqcMLmwk
MD5:	6B8A9491B0EBD810D2A1482CFFB86B22
SHA1:	B9D518F94CE95DE1D2B13D3CE3BFCB290AE5231D
SHA-256:	48112D017B7D3E691E0450845703EADDB109B2BB216852FC1EF7822F81710997
SHA-512:	0E109AAD4F8641722DCCA97361C95D4E3F174DCE102E6E1E3E99EC9358CEEEA442C111870A2992405F4B074CEA9A51F1E195C9FE77316009458488C46158D3DE
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..2,"System.ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Runtime.Serialization, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runteb92aa12#\a3127677749631df61e96a8400ddcb87\System.Runtime.Serialization.ni.dll",0..2,"SMDiagnostics, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicK

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe

Download File

Process:	C:\Users\user\Desktop\driver.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	4608
Entropy (8bit):	3.790557976647158
Encrypted:	false
SSDEEP:	48:68kM4rRDxNMk+wwnikZsFtRvlm4MI9BFipfbNtm:8vVDB+wwn0/MvzNt
MD5:	A5CE3ABA68BDB438E98B1D0C70A3D95C
SHA1:	013F5AA9057BF0B3C0C24824DE9D075434501354
SHA-256:	9B860BE98A046EA97A7F67B006E0B1BC9AB7731DD2A0F3A9FD3D710F6C43278A
SHA-512:	7446F1256873B51A59B9D2D3498CEF5A41DBCE55864C2A5FB8CB7D25F7D6E6D8EA249D551A45B75D99B1AD0D6FB4B5E4544E5CA77BCD627717D6598B5F566A79
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 42%
Joe Sandbox View:	Filename: SecuriteInfo.com.Win32.Evo-gen.4170.5614.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.Evo-gen.10735.2229.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: YAM84MI3ou.exe, Detection: malicious, Browse Filename: 0fE3AfIqxF.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.Evo-gen.10846.18749.exe, Detection: malicious, Browse Filename: WuZJHJZvzy.exe, Detection: malicious, Browse Filename: EkYcr5WbJD.exe, Detection: malicious, Browse Filename: hkXE3abs6j.exe, Detection: malicious, Browse Filename: AnpqcEjSU2.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....\..........."...0.............b&... ...@....@.. ....................................@..................................&..O....@.......................`.......%............................................... ............... ..H............text...h.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................D&......H.......l ..............................................................J ....(....(....&+...(....*.BSJB............v4.0.30319......l.......#~..0...`...#Strings............#US.........#GUID...........#Blob...........G..........3......................................................%...l.%...3.....E.....[.................S...........8.....r.....G.................Y...........".........................=.....P ........,...c ................T...................).....1.....9.....A.

Static File Info

General

File type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):	6.035054547291601
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	driver.exe
File size:	748'032 bytes
MD5:	80b60930bd4a6f65f57f3a2f40ccc6f7
SHA1:	6e051562e7a4288bce0c1c8c86ac377d39be9bbd
SHA256:	c2a05b1464bf42096ffe1740fa927abfbb513ded47ead9b2133c28ce834363c3
SHA512:	2b8c20c3637be71f09e5de47936be1b67e7c508d816e52b2efe3a2d3333c428afa5a6981c1682babd91f01ce781e4853d0281b5c59d7ab1bb91ae190d26ef323
SSDEEP:	12288:0SmCQdf7HGvi3PLo7JwtEDa6mZr6yeHPGK:eCkfEouyeHPt
TLSH:	76F44C90F3BDFCA7E7B01C386714C2F00B6825365F0365558FBCCD1A2AB96D26A9C694
File Content Preview:	MZ......................@.......................................frAQBc8Wsa1xVPfvJcrgRYwTiizs2trQF69AzBlax3CF3EDNhm3soLBPh71Yexui...F..w...{m..F.....w..S...X.....T,.H.....f....j...um\......=....<jxhTBy.O,/gnVwa.%....0........).s".J<N6kzMCk8R6BEuZMrF6cI6NX8

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x406382
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	a21650c57698ef4533106810c8da6639

Entrypoint Preview

Instruction
call 00007EFE38FD61DAh
jmp 00007EFE38FD5C89h
push ebp
mov ebp, esp
push 00000000h
call dword ptr [00421048h]
push dword ptr [ebp+08h]
call dword ptr [00421044h]
push C0000409h
call dword ptr [0042104Ch]
push eax
call dword ptr [00421050h]
pop ebp
ret
push ebp
mov ebp, esp
sub esp, 00000324h
push 00000017h
call dword ptr [00421054h]
test eax, eax
je 00007EFE38FD5E17h
push 00000002h
pop ecx
int 29h
mov dword ptr [004B8A38h], eax
mov dword ptr [004B8A34h], ecx
mov dword ptr [004B8A30h], edx
mov dword ptr [004B8A2Ch], ebx
mov dword ptr [004B8A28h], esi
mov dword ptr [004B8A24h], edi
mov word ptr [004B8A50h], ss
mov word ptr [004B8A44h], cs
mov word ptr [004B8A20h], ds
mov word ptr [004B8A1Ch], es
mov word ptr [004B8A18h], fs
mov word ptr [004B8A14h], gs
pushfd
pop dword ptr [004B8A48h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [004B8A3Ch], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [004B8A40h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [004B8A4Ch], eax
mov eax, dword ptr [ebp-00000324h]
mov dword ptr [004B8988h], 00010001h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb6c54	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xba000	0x10a0	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb6100	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb6040	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x21000	0x14c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x12023	0x12200	352c47da7273a001442e01784d9bd628	False	0.4741783405172414	data	6.3300444213861535	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.tls	0x14000	0x65c8	0x6600	55889cba4a28039ce66df8c330a042e2	False	0.23291973039215685	data	4.928806068453824	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.xobzu	0x1b000	0x5ddf	0x5e00	2a6a0cf7bd5456e4e7fcdc38a913055a	False	0.140625	data	4.557349240823254	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x21000	0x963aa	0x96400	81d2895ebe2ae69c7a4d26adfcea68cd	False	0.4017214148294509	data	5.630981443676346	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xb8000	0x1368	0xa00	4fd446124ed58c45f934ef8cc5c1223d	False	0.153125	data	2.03597021259716	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0xba000	0x10a0	0x1200	f2425546bb50884a92fdcb9e610f32b7	False	0.7354600694444444	data	6.3279447334946175	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL

Import

GDI32.dll

GetStockObject, DeleteObject, SetBkMode, SetTextColor, CreateFontIndirectA, SelectObject, GetObjectA

KERNEL32.dll

VirtualProtect, VirtualAlloc, LoadLibraryA, GetProcAddress, lstrlenW, CreateThread, Sleep, WaitForSingleObject, FreeConsole, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, WriteConsoleW, RtlUnwind, GetLastError, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, EncodePointer, RaiseException, GetStdHandle, WriteFile, GetModuleFileNameW, ExitProcess, GetModuleHandleExW, GetCommandLineA, GetCommandLineW, HeapAlloc, HeapFree, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, MultiByteToWideChar, WideCharToMultiByte, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW, SetStdHandle, GetFileType, GetStringTypeW, CompareStringW, LCMapStringW, GetProcessHeap, HeapSize, HeapReAlloc, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, SetFilePointerEx, CreateFileW, CloseHandle, DecodePointer

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
02/26/24-17:40:39.270866	TCP	2046045	ET TROJAN [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization)	49736	23000	192.168.2.5	45.15.156.127
02/26/24-17:40:40.476023	TCP	2046056	ET TROJAN Redline Stealer/MetaStealer Family Activity (Response)	23000	49736	45.15.156.127	192.168.2.5

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 26, 2024 17:40:37.874382973 CET	49736	23000	192.168.2.5	45.15.156.127
Feb 26, 2024 17:40:38.091934919 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:38.092047930 CET	49736	23000	192.168.2.5	45.15.156.127
Feb 26, 2024 17:40:38.273449898 CET	49736	23000	192.168.2.5	45.15.156.127
Feb 26, 2024 17:40:38.491691113 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:38.543317080 CET	49736	23000	192.168.2.5	45.15.156.127
Feb 26, 2024 17:40:39.270865917 CET	49736	23000	192.168.2.5	45.15.156.127
Feb 26, 2024 17:40:39.489408970 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:39.542994022 CET	49736	23000	192.168.2.5	45.15.156.127
Feb 26, 2024 17:40:40.256382942 CET	49736	23000	192.168.2.5	45.15.156.127
Feb 26, 2024 17:40:40.476022959 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:40.476047039 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:40.476062059 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:40.476077080 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:40.476092100 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:40.476114035 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:40.476126909 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:40.476139069 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:40.476150990 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:40.476161003 CET	49736	23000	192.168.2.5	45.15.156.127
Feb 26, 2024 17:40:40.476161003 CET	49736	23000	192.168.2.5	45.15.156.127
Feb 26, 2024 17:40:40.476166010 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:40.476211071 CET	49736	23000	192.168.2.5	45.15.156.127
Feb 26, 2024 17:40:40.476211071 CET	49736	23000	192.168.2.5	45.15.156.127
Feb 26, 2024 17:40:40.694051981 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:40.746184111 CET	49736	23000	192.168.2.5	45.15.156.127
Feb 26, 2024 17:40:48.110565901 CET	49736	23000	192.168.2.5	45.15.156.127
Feb 26, 2024 17:40:48.328197002 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:48.328284025 CET	49736	23000	192.168.2.5	45.15.156.127
Feb 26, 2024 17:40:48.328483105 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:48.328828096 CET	49736	23000	192.168.2.5	45.15.156.127
Feb 26, 2024 17:40:48.545799017 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:48.545907974 CET	49736	23000	192.168.2.5	45.15.156.127
Feb 26, 2024 17:40:48.546412945 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:48.546422005 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:48.546494007 CET	49736	23000	192.168.2.5	45.15.156.127
Feb 26, 2024 17:40:48.546588898 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:48.546597004 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:48.546663046 CET	49736	23000	192.168.2.5	45.15.156.127
Feb 26, 2024 17:40:48.546895027 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:48.546952009 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:48.546972990 CET	49736	23000	192.168.2.5	45.15.156.127
Feb 26, 2024 17:40:48.763520956 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:48.763626099 CET	49736	23000	192.168.2.5	45.15.156.127
Feb 26, 2024 17:40:48.764101028 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:48.764214993 CET	49736	23000	192.168.2.5	45.15.156.127
Feb 26, 2024 17:40:48.764389038 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:48.764446974 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:48.764491081 CET	49736	23000	192.168.2.5	45.15.156.127
Feb 26, 2024 17:40:48.764529943 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:48.764539003 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:48.764554024 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:48.764780045 CET	49736	23000	192.168.2.5	45.15.156.127
Feb 26, 2024 17:40:48.764825106 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:48.764969110 CET	49736	23000	192.168.2.5	45.15.156.127
Feb 26, 2024 17:40:48.981534958 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:48.981566906 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:48.981601000 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:48.981618881 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:48.981646061 CET	49736	23000	192.168.2.5	45.15.156.127
Feb 26, 2024 17:40:48.981798887 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:48.983005047 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:48.983022928 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:48.983037949 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:48.983053923 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:48.983072996 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:48.983153105 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:48.983298063 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:48.983314991 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:48.983469009 CET	49736	23000	192.168.2.5	45.15.156.127
Feb 26, 2024 17:40:48.983511925 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:48.983541965 CET	49736	23000	192.168.2.5	45.15.156.127
Feb 26, 2024 17:40:48.983808994 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:48.983825922 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:48.983841896 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:48.983858109 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:48.983931065 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:48.984288931 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:48.984307051 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:48.984366894 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:49.199841976 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:49.200119972 CET	49736	23000	192.168.2.5	45.15.156.127
Feb 26, 2024 17:40:49.200222015 CET	49736	23000	192.168.2.5	45.15.156.127
Feb 26, 2024 17:40:49.200970888 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:49.201138020 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:49.201154947 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:49.201354027 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:49.201484919 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:49.201710939 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:49.201987028 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:49.201996088 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:49.202043056 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:49.202094078 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:49.202172041 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:49.202243090 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:49.202312946 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:49.202456951 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:49.202893972 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:49.202975035 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:49.203016996 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:49.203270912 CET	49736	23000	192.168.2.5	45.15.156.127
Feb 26, 2024 17:40:49.203345060 CET	49736	23000	192.168.2.5	45.15.156.127
Feb 26, 2024 17:40:49.424539089 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:49.424730062 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:49.424746990 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:49.425595999 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:49.425602913 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:49.425610065 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:49.425857067 CET	49736	23000	192.168.2.5	45.15.156.127
Feb 26, 2024 17:40:49.425859928 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:49.425968885 CET	49736	23000	192.168.2.5	45.15.156.127
Feb 26, 2024 17:40:49.428220987 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:49.428229094 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:49.428252935 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:49.428261042 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:49.428270102 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:49.428277969 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:49.428284883 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:49.428292036 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:49.428307056 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:49.428314924 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:49.428328991 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:49.428335905 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:49.428344011 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:49.428350925 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:49.428358078 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:49.428373098 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:49.428704977 CET	49736	23000	192.168.2.5	45.15.156.127
Feb 26, 2024 17:40:49.428797007 CET	49736	23000	192.168.2.5	45.15.156.127
Feb 26, 2024 17:40:49.647353888 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:49.647512913 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:49.647622108 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:49.647854090 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:49.647869110 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:49.648196936 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:49.648412943 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:49.648632050 CET	49736	23000	192.168.2.5	45.15.156.127
Feb 26, 2024 17:40:49.648740053 CET	49736	23000	192.168.2.5	45.15.156.127
Feb 26, 2024 17:40:49.649164915 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:49.649177074 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:49.649446964 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:49.649596930 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:49.649799109 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:49.649811029 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:49.650027037 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:49.650038958 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:49.650108099 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:49.650149107 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:49.650218010 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:49.650544882 CET	49736	23000	192.168.2.5	45.15.156.127
Feb 26, 2024 17:40:49.650608063 CET	49736	23000	192.168.2.5	45.15.156.127
Feb 26, 2024 17:40:49.866553068 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:49.867522955 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:49.868108034 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:49.868278980 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:49.868400097 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:49.868419886 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:49.868484020 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:49.868619919 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:49.868725061 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:49.868742943 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:49.868758917 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:49.868942976 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:49.868988991 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:49.869123936 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:49.869142056 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:49.869182110 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:49.869255066 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:49.869524002 CET	49736	23000	192.168.2.5	45.15.156.127
Feb 26, 2024 17:40:49.869728088 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:49.869745016 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:49.869867086 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:49.869947910 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:49.870007992 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:49.870045900 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:49.870063066 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:49.870296001 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:49.870554924 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:49.870573044 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:49.870856047 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:49.870959997 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:49.871018887 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:49.871037006 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:49.871135950 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:49.871153116 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:49.871227980 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:49.871285915 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:49.871462107 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:49.871524096 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:50.094588041 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:50.094608068 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:50.094624996 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:50.094660044 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:50.094676018 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:50.094707012 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:50.094722986 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:50.094754934 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:50.094772100 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:50.094788074 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:50.094804049 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:50.094985008 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:50.095103025 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:50.095120907 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:50.095154047 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:50.095170021 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:50.127724886 CET	23000	49736	45.15.156.127	192.168.2.5
Feb 26, 2024 17:40:50.167989969 CET	49736	23000	192.168.2.5	45.15.156.127
Feb 26, 2024 17:40:50.549331903 CET	49736	23000	192.168.2.5	45.15.156.127

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Feb 26, 2024 17:40:27.405819893 CET	1.1.1.1	192.168.2.5	0x2e55	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Feb 26, 2024 17:40:27.405819893 CET	1.1.1.1	192.168.2.5	0x2e55	No error (0)	fp2e7a.wpc.phicdn.net		192.229.211.108	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	17:40:28
Start date:	26/02/2024
Path:	C:\Users\user\Desktop\driver.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\driver.exe
Imagebase:	0xcd0000
File size:	748'032 bytes
MD5 hash:	80B60930BD4A6F65F57F3A2F40CCC6F7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.2412813228.00000000026D5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	17:40:28
Start date:	26/02/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	17:40:28
Start date:	26/02/2024
Path:	C:\Windows\System32\OpenWith.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\OpenWith.exe -Embedding
Imagebase:	0x7ff60c200000
File size:	123'984 bytes
MD5 hash:	E4A834784FA08C17D47A1E72429C5109
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	17:40:49
Start date:	26/02/2024
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"
Imagebase:	0xd80000
File size:	4'608 bytes
MD5 hash:	A5CE3ABA68BDB438E98B1D0C70A3D95C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 42%, ReversingLabs
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	17:40:58
Start date:	26/02/2024
Path:	C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"
Imagebase:	0xfd0000
File size:	4'608 bytes
MD5 hash:	A5CE3ABA68BDB438E98B1D0C70A3D95C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report driver.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Snort IDS Alerts

Network Port Distribution

Windows Analysis Report
driver.exe